I know that Linux is more secure than Windows and normally doesn’t need an antivirus, but knowing myself I’m gonna end up downloading something at some point from somewhere on the internet, and it would be good to be prepared. So, which antivirus would you recommend for Linux (Mint specifically) just to double up on security?

  • Communist@lemmy.frozeninferno.xyz
    6 days ago

    Really if you use the centralized repos for installs there is as close to no risk as there could be, I wouldn’t even expend energy on this problem.

  • foremanguy@lemmy.ml
    6 days ago

    No antivirus is needed if you know what you’re doing.

    If you don’t, don’t do it, or document yourself on it.

  • tiny@midwest.social
    6 days ago

    ClamAV is ok to use for scanning files for malware. If you want something to detect behavior you can use Falco or Tetragon to log events on your system. Those systems are best used if you send them to a centralized log system, but that’s complete overkill for personal use.

  • balance8873@lemmy.myserv.one
    6 days ago

    I think the security thing is very arguable at this point. Windows and macOS are both extremely secure (from threats external to the companies that made them).

    Linux still has heavy reliance on running install scripts as root. Flatpak avoids that but has its own issues. Docker has its own suite of issues. Snap is just issues.

  • notarobot@lemmy.zip
    7 days ago

    That is an old myth. There are fewer viruses for Linux because there are fewer users. But if you do things like install pirated games, you have the same risk as on Windows.

    • TMP_NKcYUEoM7kXg4qYe@lemmy.world
      6 days ago

      Brodie Robertson made a video about malware which pretends to be a PDF but is actually just an executable with a .pdf file extension. So if you double click it, you get pwnd. I think some desktop environments ask you for confirmation before running such a thing, but I would not count on it.

      So we even have an example of Linux specific malware.

      • KaninchenSpeed@lemmy.blahaj.zone
        6 days ago

        It shouldn’t even be able to run it, because the x permission bit is missing. As far as I know binaries can’t include icons on Linux, so it would look different too.
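A quick check for the "fake PDF" case discussed in this sub-thread, added here as an example and not code from anyone in the thread: it walks a downloads folder, classifies each file by its leading bytes rather than its name, and flags an ELF binary carrying a document extension, a document file with a stray execute bit, or a runnable ELF sitting among downloads. The magic-byte table and extension list are assumptions chosen for the demo, and the sample files are constructed headers only.

```python
import os
import stat
import tempfile
from pathlib import Path

# Leading bytes of formats a viewer is expected to open passively (assumed set).
MAGIC = {b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
# Extensions a user would assume hold data, not code (assumed set).
DOC_EXT = {".pdf", ".txt", ".jpg", ".png", ".docx", ".odt", ".mp4"}
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def sniff(path: Path) -> str:
    """Classify a file by its magic bytes, ignoring its name entirely."""
    with path.open("rb") as fh:
        head = fh.read(4)
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"

def check_file(path: Path) -> list[str]:
    """Report disagreement between what the name promises and what the bytes are."""
    findings = []
    ext = path.suffix.lower()
    kind = sniff(path)
    executable = bool(path.stat().st_mode & EXEC_BITS)
    if kind == "elf" and ext in DOC_EXT:
        findings.append(f"{path.name}: ELF binary with a {ext} extension")
    if executable and ext in DOC_EXT:
        findings.append(f"{path.name}: data extension but execute bit set")
    if kind == "elf" and executable and ext not in DOC_EXT:
        findings.append(f"{path.name}: runnable ELF binary in downloads")
    return findings

def scan_dir(directory) -> list[str]:
    """Check every regular file directly inside a folder such as ~/Downloads."""
    findings = []
    for p in sorted(Path(directory).iterdir()):
        if p.is_file() and not p.is_symlink():
            findings.extend(check_file(p))
    return findings

def run_demo() -> list[str]:
    """Constructed samples: only headers and mode bits, no real payloads."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "report.pdf").write_bytes(b"%PDF-1.4 harmless")          # real PDF
    (tmp / "invoice.pdf").write_bytes(b"\x7fELF" + b"\0" * 12)      # fake PDF
    os.chmod(tmp / "invoice.pdf", 0o755)
    (tmp / "notes.txt").write_bytes(b"plain text")
    os.chmod(tmp / "notes.txt", 0o744)                              # stray x bit
    (tmp / "tool").write_bytes(b"\x7fELF" + b"\0" * 12)
    os.chmod(tmp / "tool", 0o755)                                   # plain binary
    return scan_dir(tmp)

if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Point `scan_dir` at a real downloads folder to get the same report for your own files; the execute-bit check is the one the comment above relies on, the magic-byte check covers a file that was marked executable by an archive or a careless chmod.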

    • Krudler@lemmy.world
      7 days ago

      Thank you. I lived through the “Macs can’t get viruses” bullshit. Try being a teacher in a school with 200 Macs and find out how real that claim is. Yeeeeesh lol… two weeks after fresh imaging and new semester starting 50% of the machines would be completely b0rked

    • ☂️-@lemmy.ml
      7 days ago

      not necessarily, you would still be running the virus under wine, which will probably not work as intended.

      • CrackedLinuxISO@lemmy.dbzer0.com
        7 days ago

        Wine is not an emulator. It’s not sandboxed either. If you can do it as a user, a program running in wine can do it too.

        There’s nothing stopping a piece of malware from crawling your disk for sensitive information, or encrypting your files for ransom.

          • CrackedLinuxISO@lemmy.dbzer0.com
            6 days ago

            I wouldn’t think so. Isn’t Bottles just an easier way to manage Wine prefixes? If so, it doesn’t do anything to hide your Linux system from the executable.

            Wine prefixes are not sandboxes. They are a way to separate the Windows-level configuration for different programs (e.g. env vars, or drivers, etc.).

            Wine is a translation layer between a compiled windows binary and your Linux syscalls/libraries/device drivers/etc, nothing more.

      • TeddE@lemmy.world
        7 days ago

        Hard disagree - the point is a decade ago there wasn’t enough Linux market share for bad actors to target Linux. Proton is a compatibility layer, which while technically being a sandbox, it isn’t designed around security the way a browser sandbox is. It would not be hard for a virus embedded in a made-for-windows program to identify that it’s actually a proton sandbox, then deploy a Linux-specific payload (assuming the malware designer gave it some forethought for that situation). Heck - there’s plenty of viruses that do their work in scripting languages that don’t care what OS you’re running on.

  • Quazatron@lemmy.world
    7 days ago

    I just want to add that you can also set up multiple user accounts for different uses. One for banking, one for gaming, one for downloading random crap. It will not protect against privilege escalation attacks but will help against random scripts exfiltrating your personal documents.

    Another nice layer is containers and containerized applications (flatpaks, bubblewrap, etc). Each app will be somewhat limited in what damage it can do.

    Running Pi-hole as your DNS or using some other filtered DNS provider (Mullvad or others) will also protect you from some shady sites.

    • rozodru@piefed.social
      6 days ago

      I mean if you’re going to go the multiple user accounts route for different things wouldn’t it just be easier to just use QubesOS? No account switching and granted it will be a bit slower but saves you the headaches.

  • Majestic@lemmy.ml
    7 days ago

    I would say there are not any worth recommending and that best practices are avoiding running random scripts you don’t understand, keeping software up to date with package managers, and using virtualization tools. Also look into Portmaster perhaps which is an interactive firewall.

    Meta rant on this subject

    What frustrates me about the answers these questions get is no one ever offers tools comparable to Windows tools, perhaps I think increasingly because they simply don’t exist outside of very expensive subscription enterprise offerings that require plunking down no less than a thousand dollars a year. (Certainly none of the major AV vendors offers consumer Linux versions of their software though most offer enterprise endpoint Linux that comes with the caveat of minimum spends of several hundred dollars if not several thousand a year)

    ClamAV is primarily a definition AV, the very weakest and most useless kind. Sure it’s kind of useful to make sure your file server isn’t passing around year old malware but it’s basically useless for real time prevention of emerging and unknown threats. For that you need HIPS, behavior control, conditional/mandatory access control, heuristics, etc. ClamAV has one of the worst detection rates in the industry. It’s just laughably bad (often under 60%) so it’s really not a front line contender at all.

    Compare clam to consumer offerings with complex behavioral control like ESET, Kaspersky, etc that offered “suite” software that featured the aforementioned HIPS, behavioral control, complex heuristics to detect and in real time block malware-like behavior (for example accessing and then seeking to upload your keepass database files or starting to surreptitiously encrypt all your user files using RSA4096) and it just isn’t in the same ballpark as anything competently done in the last 20 years.

    I haven’t used or relied on a traditional AV for definition detections for years. They’re worthless, it’s impossible to keep up. The AVs I’ve deployed are for their heuristics, behavior control, HIPS, etc. which actually stop new and emerging and unknown threats or at least put real obstacles in their way. So what Linux needs, what users need is software like that, forget the traditional virus definitions, something with behavior control, HIPS, and some basic heuristics for “gee this sure looks like malware behavior, better ask the user whether they want and intend this”.

    “Just be smart about what you run” isn’t a realistic solution when people say Linux is for everyone including their tech illiterate relatives. Yes, Linux is a lot safer if you just install things from package managers but that isn’t bulletproof either as we’ve seen a number of spectacular impact upstream malware insertions into build repos for huge software projects in recent years.

    “Just maintain back-ups” isn’t helpful with smart cryptolocker software which may hide itself for weeks or months and encrypt your files as you back them up. Nor does it protect against account compromise from all your passwords being stolen or a keylogger. Nor does it defend you against persecution after being hit by mercenary/government police-ware and spyware from overreaching governments, and it makes the bar for them getting evidence you’re an illegal gay person or whatever that much lower technically in terms of capabilities.

    Back-ups are disaster recovery. Everyone should have them but part of a layered defense is preventing the disaster and inconvenience and invasion of privacy and so on before it happens. Having your identity stolen or accounts taken over isn’t as simple as reverting to a back-up, it can result in hours, days of phone calls, emails, stress, hassle, etc that can drag on for weeks or months.

    Portmaster is a start for this type of system control and protection as it’s a very effective interactive firewall but as far as I know there aren’t any consumer available comprehensive behavior control + HIPS type Linux desktop security solutions. There are several vendors of default deny mandatory access control with interactive mode for Windows but none offer solutions for Linux that aren’t part of enterprise sized contracts beyond affordability and reason. If anyone knows otherwise I would love to know of these solutions as I want to implement them on my Linux machines as I am not comfortable with just my network IPS and firewall solutions by themselves without comprehensive end-point security.

    • golden_zealot@lemmy.ml
      7 days ago

      There are viruses that are time-bombs. They specifically don’t really do anything until some criterion is met in the future, such as the current date being beyond a specific date, at which point they proc. They do this in order to make sure they are in your backups when you restore them so that they immediately run when recovery is completed and the system is booted.

      • utopiah@lemmy.ml
        6 days ago

        That doesn’t make much sense to me, one backs up data, not executables or the system. Even if they were to be saved in the backup then they wouldn’t get executed back.

        Anyway, that’s still conceptually interesting but it’s so very niche I’d be curious to hear where it’s being used, any reference to read on where those exist in the wild?

        • golden_zealot@lemmy.ml
          6 days ago

          They usually embed themselves within the system files and have some scheduled job that basically checks for the criteria - if you are only backing up and restoring user data then it’s a non-issue, but if you do a full recovery including the system files/the system scheduler etc., then it can happen, and it is often necessary to back up executable and system files for production environments (true, not so much for individual users and their systems).

          When I was working in an IT shop, one of our clients was ransomwared with this method. The saving grace for us in that instance is that our backups were going to a product that allowed you to easily break open and dissect the compressed backups pre-recovery, so we were able to determine where the malicious files were and kill them before pushing the backups. Of course we only noticed that it was in the backups after we had tried to push the backups once already, so it was quite the timely process - I think I worked for something like 18 hours that day.

          You can read about such malware if you search for “timebomb malware” or “malware does not execute until date” etc.

          The attack is not super common anymore, but still happens.

          For example, here is an article discussing time bomb methods on linkedin.

          https://www.linkedin.com/pulse/time-bombs-malware-delayed-execution-any-run

          Another on the knowbe4 blog:

          https://blog.knowbe4.com/ransomware-can-destroy-backups-in-four-ways
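The pre-recovery step described above (opening the backup and looking for the planted job before pushing it back) can be scripted. This is an added example, not the product or procedure from the story: it reads a full-system tar archive and lists every entry in a scheduler or boot-time location, plus any executable modified after the last moment the machine was known clean. The persistence path list and the 30-day "known clean" cutoff are assumptions, and the archive it inspects is constructed in the demo.

```python
import io
import tarfile
import tempfile
import time
from pathlib import Path

# Archive-relative places where a job must live to fire after a full restore.
# Assumed list, not from the thread; extend it for your own distro.
PERSISTENCE_PREFIXES = (
    "etc/cron.d/", "etc/cron.daily/", "etc/cron.hourly/", "etc/crontab",
    "var/spool/cron/", "etc/systemd/system/", "etc/profile.d/", "etc/rc.local",
)
EXEC_BITS = 0o111

def triage_backup(archive, clean_before: int) -> list[tuple[str, str]]:
    """Entries to read before restoring: every persistence location, plus any
    executable modified after the last moment the system was known clean."""
    flagged = []
    with tarfile.open(archive, "r:*") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            name = m.name.removeprefix("./").lstrip("/")
            if name.startswith(PERSISTENCE_PREFIXES) or name.endswith(".timer"):
                flagged.append((name, "persistence location"))
            elif (m.mode & EXEC_BITS) and m.mtime > clean_before:
                flagged.append((name, "executable newer than last clean date"))
    return flagged

def build_sample(path: Path, now: int) -> None:
    """Constructed backup: one old cron job, one planted two days ago."""
    day = 86400
    entries = [
        ("./etc/cron.d/logrotate", b"0 0 * * * root /usr/sbin/logrotate\n", 0o644, now - 400 * day),
        ("./etc/cron.d/sysupdate", b"0 3 * * * root /usr/local/bin/sysupdate\n", 0o644, now - 2 * day),
        ("./usr/local/bin/sysupdate", b"#!/bin/sh\n", 0o755, now - 2 * day),
        ("./usr/bin/ls", b"\x7fELF", 0o755, now - 400 * day),
        ("./home/alice/thesis.odt", b"odt data", 0o644, now - 3600),
    ]
    with tarfile.open(path, "w:gz") as tar:
        for name, data, mode, mtime in entries:
            info = tarfile.TarInfo(name)
            info.size, info.mode, info.mtime = len(data), mode, mtime
            tar.addfile(info, io.BytesIO(data))

def run_demo() -> list[tuple[str, str]]:
    now = int(time.time())
    archive = Path(tempfile.mkdtemp()) / "full-backup.tar.gz"
    build_sample(archive, now)
    # Assumed: the machine was last known clean 30 days before the backup.
    return triage_backup(archive, now - 30 * 86400)

if __name__ == "__main__":
    for name, reason in run_demo():
        print(f"{reason:40} {name}")
```

The old logrotate job is listed too: every scheduler entry gets read, and the human decides which ones belong, which is the point of dissecting the backup before restoring it.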

          • utopiah@lemmy.ml
            6 days ago

            Thanks, it’s quite interesting but again IMHO it relies on bad practices. If you’ve been compromised and you “restore” (not in a sandboxed environment dedicated to studying the threat) then you are asking for trouble. I’ll read a bit more in depth but the timeline I see (1987, 1998, 2017) shows me this is a very very niche strategy, to the point that it’s basically irrelevant. Again it’s good to know of it, conceptually, but in practice proper backups (namely of data) remain in my eyes the best way to mitigate most problems, attacks and just bad luck (failing hardware, fire, etc.) alike.

            • golden_zealot@lemmy.ml
              6 days ago

              Oh for sure - I think that this method has more efficacy in production environments run by small businesses anyway, since best practices are rarely followed in many of them (until something happens that changes their mind on what they budget for haha), and even at that it is still a rare attack to see.

              I am unaware of this type of attack ever occurring on a person’s personal network, most likely because so few end users make backups, there is no need to go through the trouble of doing this, making this method useful only in highly targeted attacks.

              We are definitely in agreement on proper backups still being the best method to recover from the vast majority of problems - even this one, depending on the backup solution.

  • sylver_dragon@lemmy.world
    7 days ago

    Ultimately, it’s going to be down to your risk profile. What do you have on your machine which you wouldn’t want to lose or have released publicly? For many folks, we have things like pictures and personal documents which we would be rather upset about if they ended up ransomed. And sadly, ransomware exists for Linux. Lockbit, for example, is known to have a Linux variant. And this is something which does not require root access to do damage. Most of the stuff you care about as a user exists in user space and is therefore susceptible to malware running in a user context.

    The upshot is that due care can prevent a lot of malware. Don’t download pirated software, don’t run random scripts/binaries you find on the internet, watch for scam sites trying to convince you to paste random bash commands into the console (Clickfix is after Linux now). But, people make mistakes and it’s entirely possible you’ll make one and get nailed. If you feel the need to pull stuff down from the internet regularly, you might want to have something running as a last line of defense.

    That said, ClamAV is probably sufficient. It has a real-time scanning daemon and you can run regular, scheduled scans. For most home users, that’s enough. It won’t catch anything truly novel, but most people don’t get hit by the truly novel stuff. It’s more likely you’ll be browsing for porn/pirated movies and either get served a Clickfix/Fake AV page or you’ll get tricked into running a binary you thought was a movie. Most of these will be known attacks and should be caught by A/V. Of course, nothing is perfect. So, have good backups as well.

    • Tenderizer78@lemmy.ml
      7 days ago

      Doesn’t ClamAV only check for Windows viruses that are passing through a Linux server?

      • Zak@lemmy.world
        7 days ago

        No. ClamAV can, for example, scan Linux ELF executables, and its database contains signatures for malware that could affect desktop Linux. The most common use case is servers that are distributing files, but it can be used to scan local files.

        The local use case is fairly rare because malware targeting desktop Linux is rare. That’s partly because Linux users tend to have a better understanding of computers on average than Windows users, and partly because the sort of attack vectors that work well against Windows users don’t align with Linux workflows (e.g. if you want to execute a file sent as an email attachment, you’ll have to save it and set it executable first).

  • DeuxChevaux@lemmy.world
    7 days ago

    I run ClamAV regularly, and it has not found anything on my several systems in the last 20 years. Good to know we’re safe, or are we?

    I’m more concerned about rogue browser extensions that may be innocent when you install them, but then change owners, and after an update that you don’t even notice are going to do bad things.

    • monovergent@lemmy.ml
      6 days ago

      I’m more concerned about rogue browser extensions that may be innocent when you install them, but then change owners, and after an update that you don’t even notice are going to do bad things.

      Exactly why the only extensions on my browser are uBlock Origin and LibRedirect. Was a victim of one user agent switcher extension that went rogue back in the day.

  • Multiplexer@discuss.tchncs.de
    7 days ago

    I have installed ClamTK, but just because my bank has explicitly written in its terms of use that “an antivirus program has to be installed on the PC used for online banking.”
    So I installed one to comply. But that’s it…

    • monovergent@lemmy.ml
      6 days ago

      an antivirus program has to be installed on the PC used for online banking

      How would they know?

    • Multiplexer@discuss.tchncs.de
      7 days ago

      Just discovered that ClamTK is no longer maintained…
      So I am also interested in alternatives to still be able to appease my bank.

        • Multiplexer@discuss.tchncs.de
          7 days ago

          Thanks! Seems that ClamTK has just been a GUI wrapper around ClamAV anyway…
          And as I am only interested in installing, and not actually using, CLI-only is also fine!

  • SOULFLY98@slrpnk.net
    7 days ago

    Install the apparmor-profiles and apparmor-profiles-extra packages from the apt repository. They are sensible restrictions on common apps (web browsers) to prevent anything malicious from happening if they are ever hijacked. Make sure AppArmor is enabled. This will do more to keep you secure than an antivirus. Maybe run your browser in a Firejail for extra security.

    If you insist on an AV, install ClamAV and have it scan weekly. It’s libre software and works well with Linux.