Do You Really Need Antivirus Software on Linux?

Does Linux Need Antivirus Featured2

There’s a myth that Linux doesn’t have viruses. but for most people, it’s true that they don’t need an antivirus on Linux. How can both those claims be true? Do you really need antivirus on your Linux machine?

Although there have been cases like EvilGnome, a piece of malware that made headlines last year for infecting Linux desktops, they are ultra-rare. The short answer is that thanks to being more securely designed, better maintained, and, truth be told, less popular, Linux ends up being safer than Windows.

There’s no simple yes or no answer to the question of our title, though, as it depends on the user and their needs.

The Official Stance

When checking Ubuntu’s official documentation, we arrive at this page. What this explains is:

  • A synopsis of how antivirus programs function on Windows and Mac OS.
  • A reminder that antivirus software exists for Linux.
  • An explanation of why you probably don’t need it. The reasons?
    • Viruses for Linux are still very rare.
    • Some state it’s because Linux is not as popular as an alternative.
    • Others suggest it’s because Linux is more secure.

The clue on why antivirus software can be useful on Linux comes at the very end. We extracted the interesting part.

Does Linux Need Antivirus Samba Sharing

“If you want to be extra-safe, or if to check for viruses in files you are sharing with people using Windows and Mac OS, you can still install antivirus software.”

The takeaway: even if you don’t feel the effects of an infection, your PC can be a carrier.

How viruses attack computers

To understand why Linux is deemed safe, we have to consider the most common types of malicious attacks that can target a computer.

  • Viruses and trojans propagate mostly through tainted executable files. In most cases, the user himself downloads and runs those files, infecting his system without realizing it. Usually the downloaded files are from ambiguous sources.
  • Worms can infect a machine without the user’s intervention by exploiting bugs in software and devices’ embedded firmware.
  • We can find web scripts on sites where malicious users managed to plant them among existing content. They can redirect the user to malicious web pages, send anything they enter in forms to a third party, and exploit security holes in the browser or its add-ons to infect a PC with an extra payload.

How do antivirus tools work?

Antivirus tools started as simple “file scanners” that scanned a PC’s storage to locate malicious files and remove them, then viruses got wiser and started renaming their files.

Does Linux Need Antivirus Microsoft Anti Virus (screenshot)

Antivirus tools caught on to that and started checking file fingerprints instead – basically hashes, comparing them to online databases of known malware. Viruses upped the ante by learning how to hide, obfuscate and mutate their files to avoid detection. And they could pop up and infect systems more quickly than an antivirus maker could detect them, update their database and send it to each antivirus client. That’s when Heuristics became a thing.

“Heuristics” define methods that instead of checking a file for signs that show it’s a virus, monitor its behavior. Is it trying to rapidly open, tweak and close dozens of files in succession? Is it trying to load differently named payloads in memory and keep them resident? Is it suspicious?

If yes, it’s quarantined, moved to a sandboxed vault and restricted from direct access to the rest of the files in the system, unable to run and affect RAM’s contents. At the same time, the antivirus creates signatures for it and compares them with an online database. If the file ends up malicious and there wasn’t a match on the online database, it gets registered there so other users can avoid it in the future before it infects their computers.

Why Linux is safe by design

The reason we explain how viruses and antiviruses work is that it makes it simpler to understand why Linux is considered safe.

Does Linux Need Antivirus User Authentication
  • Most people using Linux don’t use pirated programs and games that could come packaged with malicious software. They use their distribution’s official software center and maybe some trusted repositories on top.
  • Most people don’t log in to their Linux desktop with an account with root access. Thus, everything running under their account is subject to the same restrictions. This includes malicious software that, thanks to those restrictions, can’t infect other files or the OS itself. There’s no need for an antivirus vault here.
  • Almost all Linux distributions, the Linux kernel, and the most prominent software are updated regularly. With their code in the open, vulnerabilities are found and fixed more quickly than in the closed-source world of Windows and Mac OS.

The popularity factor

Linux (for desktop use) might not be the most popular OS on the desktop, but that’s not a negative. First, because the popularity of an OS is not a measure of its quality. Secondly, because that makes it safer.

The creators of malicious software usually do what they do for either fame or money. Fame in that perverse way where someone craves recognition, even as “that person who’s destroyed dozens of computers.” Money because their malicious software could provide them with stolen data they could then exploit or sell to third parties.

Thus, from their perspective, it’s better if they target the most popular platforms: why spend their time focusing on Linux, when Windows or Android would be easier to exploit and produce better results?

So, do I need an antivirus on Linux?

We’ll echo the sentiment that, in most cases, you don’t need an antivirus on Linux for regular daily use. But you need to be cautious to keep your computer safe and employ other measures of protection against current threats.

Does Linux Need Antivirus Chr Addons Extensions
  • Update all your software regularly.
  • Use safety add-ons/extensions in your browsers.
  • Don’t install or run “stuff” you don’t trust. Even if someone online vouches for them.

There are several antivirus software for Linux if you are truly concerned. Install an antivirus like Clam TK if you’re running a server in contact with other OSes. Even if your OS of choice is safer than Windows and Mac OS, you don’t want it becoming a “carrier” for an infection that could bring your contacts’ PCs down.

Image credit: Microsoft Anti-Virus

Odysseas Kourafalos Odysseas Kourafalos

OK's real life started at around 10, when he got his first computer - a Commodore 128. Since then, he's been melting keycaps by typing 24/7, trying to spread The Word Of Tech to anyone interested enough to listen. Or, rather, read.

11 comments

  1. The greatest weakness in Linux or any OS, is always the user. If you are security minded, you probably won’t have problems. If you will click on or download anything, you probably will have problems.

    “Hey look at this unsolicited email in my inbox. Amazon is going to send me a free $100 dollar coupon if I just click on this link!” or ” Gee look, FedEx is going to deliver me a package I never ordered, all I have to do is fill out all my personal information and verify my password. OKAY! I wonder what that wonderful package could be?”
    Now that will get you in trouble.

  2. The most important rule is “never install Debian packages or rpms (or install scripts) from unverified sources” because both of these contain scripts which will be executed as root, since only root can install debs or rpms.

    1. Why single out Debian? That statement should be “never install any package from unverified sources”, especially obscure ones.

  3. The article left out some very important reasons that Linux does not suffer the same malware problems as Windows. First, all downloads have the executable bit disabled by default. This means that malware that was downloaded will not run unless a user graphically or manually types chmod +x to the file. Newbies don’t know how to do this and admins are not so trusting, so this does not happen. If a virus can’t run, it also can not replicate.

    Linux users mostly use open source software. Want to see the source behind a LAMP server? It is right out there in the open for everyone to see. This also applies to repositories. Windows, Mac, and even Android (Java VM on top of Linux kernel) rely upon pre-compiled software which has been known to ship with malware and is patched far less often.

    This is not to say that Linux is not attacked. Services are treated like users so they do not have any special privileges. When an exploit is found for a service like Apache or SSH, another exploit is needed to escalate privileges to root in order to take over the entire machine. Very often, the attacker either does not get that far, or gets away with a copy of a database. Password cracking tools (John the Ripper) are used to break through password protected services once they are found with a scanner (Nmap). This is just not the territory of viruses.

    Claiming that the popularity of Linux (Security through Obscurity) is a factor is a fallacy. Linux is the most popular operating system in the world. It runs everything from cars, to Roku TVs, to cell phones, to banks, to stock exchanges. It is a very visible, high value target.

    With all of the installations, why do governments and schools still running Windows get their servers encrypted by Ryuk? How is it possible for a secretary to click on an e-mail and wipe the whole network? I have been keeping track, and have yet to find a single instance where ransomware has affected a Linux network. In fact, I have a student who brought 4 gigs of ransomware on a USB dongle to class. We fired up a VM of Windows, started one of the programs, and it encrypted and broke the rest of the malware on the dongle as well as locked up the VM. Damage to the computer running Linux or the Linux based network that it was on – zero.

    1. Allow me to disagree with some of your points. Or, rather, most of them. Sorry about that :-)

      * “Newbies” will also follow any instructions coming with something they downloaded without questioning them. “chmod +x” on a file A Trusted Online Friend sent is not much different from running a crack “to make a game run” (in Windows la-la-land).
      * I did mention how having the source open helps.
      * I did mention how Linux is by design safer for this exact reason (user rights and each part of it working as “a sandbox”).
      * For “the popularity thing” I offered a link to the official documentation that states the same thing – and did mention so in the article.
      * Because you’re talking different architectures. For Windows malware “to jump to Linux” it would have to be designed for that purpose. I haven’t heard of such a case (I’m sure there must be some examples), and regard it as more of “a Hollywood thing”, where a virus somehow, semi-magically, infects everything, from every single computer no-matter-its-OS to the nearby toaster.

  4. ClamAV is the actual anti-virus program, ClamTK is the graphic front end for it. Oh, and ClamAV does give me a few false positives…all of them seem to be the uninstall files of older Windows games that I have running with WINE.

  5. Good article, and it really does point out why you might want to run AV on Linux system.

    I’ve always wondered if you install an AV like Clam, will it just search for windows virus signatures on your Linux box?

    This is good if the Linux system is hosting a Samba share that other Windows systems are using, but really doesn’t benefit the Linux system itself.

    Don’t be a carrier and have good web hygiene is the bottom line here.

  6. Aside from those who are introduced to Linux through a more knowledgeable source? Most users of Linux won’t want to venture into the Terminal, and so a lot of the “chmod +x” argument goes away. Linux may be the more prevalent OS?….(because it runs almost everywhere!) but because of poor “advertising” the adoption of it has been less than stellar. As the article says, this isn’t a bad thing per se, it means the kernel while being “open” and exposed….is more secure for that very same reason. Its the “Million Eyes Philosophy” the more people who can take a peek under the hood? the more likely someone will “catch” when something doesn’t look right. This has kept the kernel a lot safer than it being locked behind closed doors with just the “word” of the developers that its safe and secure. (Yeah.,…we’ve seen time and time again how THAT goes now haven’t we?…from Windows to Apple!)
    As for installing and using an anti-virus? The more protection you can have in this day & age of cyber-criminals and all manner of hacks and data breaches the better. I have it installed on all of my Linux machines, even though I don’t download or access any files from others (I ain’t got friends like that!) I last ran ClamAV at the start of 2018, I might run it in a few months just to make sure it still works! LoL! I also have things like RKHunter & CHRootKit to make sure I try to cover as many bases as possible.
    And finally,. as long as you’re not clicking on every and anything that ends up in your mailbox, or your browser? and you THINK before you CLICK!?….you should be relatively safe. I installed Linux for my Mum and while she likes browsingf the web?…(especially for recipes) even SHE knows not to click on everything all willy-nilly, and with things like uBlock Origin, and AdBlock installed? It makes it easier for her to use her PC without pop-ups or ads showing up all over the place. I guess its just using common sense no?

Leave a Comment

Yeah! You've decided to leave a comment. That's fantastic! Check out our comment policy here. Let's have a personal and meaningful conversation.