Q&A How to Detect Linux Viruses

themuh

New Member
Sep 27, 2019
2
As you know, lots of security companies have antivirus products for Windows, but for Linux or Unix-based OSes this is rare (maybe I am just not aware of them). Here are my questions about it:

How do you detect Linux malware? Do you have any agent-based solution in your system?
How do you hunt Linux malware in your system?

PS: This is my first post here. I tried to search for any similar topic and could not find one. If I am somehow creating a duplicate topic or one not applicable under the website policy, I do not intend to do so. Sorry for it.

Regards
 

MacDefender

Level 14
Verified
Oct 13, 2019
694
There is quite a lot of Linux malware on URLShare. Most of it is for Linux, actually. Many Windows products will detect Linux threats as well.
ESET, COMODO and F-Secure have Linux versions, and some endpoint products do too, such as Kaspersky.

Yeah, my Fortinet flags a lot of Linux malware, usually some of the Mozi botnet compiled for ARM: Mozi worm

Since it is mostly targeted at internet-facing devices, I have a policy that internet-facing servers must be on a different subnet and undergo full SSL decryption/inspection by the Fortinet, which includes AV scanning.

I've honestly rarely seen Linux client malware, certainly not enough of it to justify installing an antivirus program on the client. Most of the time I've found the Windows versions of popular AV software do fine at detecting Linux malware; it doesn't seem like they turn off the Linux or macOS signatures on other platforms.

Your biggest Linux threat seems to be IoT device vulnerabilities. I see a ton of attempts to exploit router web configuration vulnerabilities.
 

ForgottenSeer 89360

Yeah, my Fortinet flags a lot of Linux malware, usually some of the Mozi botnet compiled for ARM: Mozi worm

Since it is mostly targeted at internet-facing devices, I have a policy that internet-facing servers must be on a different subnet and undergo full SSL decryption/inspection by the Fortinet, which includes AV scanning.

I've honestly rarely seen Linux client malware, certainly not enough of it to justify installing an antivirus program on the client. Most of the time I've found the Windows versions of popular AV software do fine at detecting Linux malware; it doesn't seem like they turn off the Linux or macOS signatures on other platforms.

Your biggest Linux threat seems to be IoT device vulnerabilities. I see a ton of attempts to exploit router web configuration vulnerabilities.
I agree, running an AV on Linux is not worth it :D
 

themuh

New Member
Sep 27, 2019
2
I agree with some of your thoughts, but if we think about targeted attacks it is also possible to see Linux malware. Maybe we won't need it for 364 days, but for just 1 day it is worth it, I think.

I also care about visibility. You and we need to be able to detect malware or suspicious activity in your system. So hunting also matters to me.

As you said, a lot of products are mostly specialized for Windows malware. But I also care about Linux-specialized malware. Linux-based environments are also really common worldwide.
 

MacDefender

Level 14
Verified
Oct 13, 2019
694
I agree with some of your thoughts, but if we think about targeted attacks it is also possible to see Linux malware. Maybe we won't need it for 364 days, but for just 1 day it is worth it, I think.

I also care about visibility. You and we need to be able to detect malware or suspicious activity in your system. So hunting also matters to me.

As you said, a lot of products are mostly specialized for Windows malware. But I also care about Linux-specialized malware. Linux-based environments are also really common worldwide.
Totally agreed: just because you run Linux doesn't mean you don't need security services, but right now there's not really any compelling "set it and forget it" Linux antimalware software. Most of them scan for known malware, but these days it requires so much more than that.

My best advice there is to look at Linux distributions that use AppArmor- and SELinux-style mandatory access control. Then, for any applications or servers you use that don't have a pre-made set of hardened rules, make sure to create some yourself, and log all violations to somewhere you'll check. Finally, like with any other system, you want your network-level firewall to perform indicator-of-compromise detection via an IPS or another UTM-style network traffic reputation service.
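The "log all violations to somewhere you'll check" step only pays off if someone reads those logs. Below is an added example (not MacDefender's or any vendor's code) that parses the `apparmor="DENIED"` lines the kernel writes to the audit log and pulls out the denials worth a closer look; the log lines, the profile names `no-network` and `untrusted-sandbox`, and the paths are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format AppArmor writes to the kernel/audit log
# (made up for this example, not a real capture).
SAMPLE_LOG = """\
audit: type=1400 audit(1617000000.101:301): apparmor="DENIED" operation="open" profile="untrusted-sandbox" name="/home/alice/.ssh/id_rsa" pid=4242 comm="payload" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
audit: type=1400 audit(1617000000.102:302): apparmor="DENIED" operation="create" profile="no-network" pid=4243 comm="curl" family="inet" sock_type="stream" protocol=6 requested_mask="create" denied_mask="create"
audit: type=1400 audit(1617000000.103:303): apparmor="ALLOWED" operation="open" profile="untrusted-sandbox" name="/tmp/sandbox/out.txt" pid=4242 comm="payload" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
audit: type=1400 audit(1617000000.104:304): apparmor="DENIED" operation="exec" profile="untrusted-sandbox" name="/usr/bin/nc" pid=4242 comm="payload" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000
"""

# key="quoted value" or key=bare_value
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Paths whose mere attempted access from a confined program deserves a look.
SENSITIVE = ("/.ssh/", "/etc/shadow", "/etc/sudoers", "/root/")


def parse_apparmor_events(text):
    """Turn each apparmor= log line into a dict of its key=value fields."""
    events = []
    for line in text.splitlines():
        if 'apparmor="' not in line:
            continue
        events.append({k: quoted or bare for k, quoted, bare in KV_RE.findall(line)})
    return events


def count_denials(events):
    """Denials per (profile, operation): the summary to review from your log sink."""
    return Counter((e["profile"], e["operation"])
                   for e in events if e.get("apparmor") == "DENIED")


def flag_suspicious(events):
    """Denials worth escalating: a blocked exec, a sensitive path, or a socket
    attempt from a profile that is meant to have no network at all."""
    findings = []
    for e in events:
        if e.get("apparmor") != "DENIED":
            continue
        name, comm = e.get("name", ""), e.get("comm", "?")
        if e.get("operation") == "exec":
            findings.append(("exec-blocked", e["profile"], comm, name))
        elif any(s in name for s in SENSITIVE):
            findings.append(("sensitive-path", e["profile"], comm, name))
        elif "family" in e and e["profile"] == "no-network":
            findings.append(("network-blocked", e["profile"], comm, e["family"]))
    return findings
```

On a real host you would feed it `journalctl -k` or `/var/log/audit/audit.log` instead of `SAMPLE_LOG`; the ALLOWED line shows that complain-mode events pass through the parser but never reach the findings.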
 

vonvon

Level 1
Nov 25, 2014
32
To avoid cross-contamination between Linux, Windows and macOS by my grandchildren, I am using Dr.Web for Linux with resident protection and a network filter. Lightweight, not too expensive and reassuring.
Perhaps it is paranoid, but they are teenagers and very active with computers and the internet.
 

mazskolnieces

Level 3
Jul 25, 2020
116
To avoid cross-contamination between Linux, Windows and macOS by my grandchildren, I am using Dr.Web for Linux with resident protection and a network filter. Lightweight, not too expensive and reassuring.
Perhaps it is paranoid, but they are teenagers and very active with computers and the internet.
Teenagers on Linux --> Dr Web for Linux --> Not paranoid, but reasonable and common sense

All the vendors got rid of their home-user Linux AVs except ESET and Dr Web. ESET is not compatible with SELinux or AppArmor, so they have to be disabled. Dr Web is compatible with both SELinux and AppArmor. The enterprise AVs for Linux all require a minimum 5-seat purchase and are expensive. For example, Kaspersky for Linux is $300+. Dr Web is the optimal option out there right now.

Unbeknownst to most, there has been a proliferation of Linux malware and attacks over the past 10 years. Routers, embedded systems and the ever-increasing use of Linux for industrial controllers: the attackers have made targeted short work of it. A Linux server or router is a very high-value target. Huge return on investment for the attackers. Linux workstations being used by consumers are pretty much a waste of time for those in it for espionage or money.
 

mazskolnieces

Level 3
Jul 25, 2020
116
ClamAV on Linux has on-access scanning capability. Though its protection seems mediocre: it has only been catching half of the .elf files I have downloaded from Malware Bazaar.
ClamAV's low detection is no surprise.

Dr Web detects most files and URLs on the popular sites. I'm not saying it is the best for Linux, nor recommending anyone use it. However, given the fact that it is the only common-sense choice for consumers, it isn't as if they have much choice unless they're willing to shell out hundreds of dollars for an enterprise Linux solution. Just making an observation.

The thing about Linux malware is that one has to be doing some off-the-wall downloading. What I see is a 16-year-old out on the web just looking for stuff, then downloading it more or less indiscriminately, because they either want to check out or want the benefit of whatever they downloaded. One has to really go out of their way to land on a malicious webpage targeting Linux.
 

Chigwells

Level 3
Jan 16, 2012
134
I'm just looking to move over to Linux and this is a helpful thread for me. After reading vonvon's post on Dr Web for Linux and mazskolnieces's reply I did a quick online search.

Tecmint offers a seemingly good article, The 8 Best Free Anti-Virus Programs for Linux, and of the offerings Sophos and Comodo were attractive, whereas ClamAV I've tried on Windows in the past and wasn't impressed.

However down in the comments were some additional insights:

"Sophos has, apparently, discontinued the free anti-virus – as of July this year. Very disappointed now looking for a replacement." - December 2020

"Comodo Antivirus for Linux (CAVL) requires libssl0.9.8 which was deprecated ~3 years ago. Installing this will make your system LESS secure than if you installed the AV app. [...] Aaron, given this post is about improving your system's security, you should remove Comodo from this list, it is a poor recommendation."

And then one of the Tecmint team jumps in: "[...] you can try Lynis 2.5.5 Released - Security Auditing and Scanning Tool for Linux Systems"

It seems there's lots to learn about in this new world :sneaky:
 

Chigwells

Level 3
Jan 16, 2012
134
I've honestly rarely seen Linux client malware, certainly not enough of it to justify installing an antivirus program on the client.
My best advice there is to look at Linux distributions that use AppArmor and SELinux style mandatory access control.
Thanks, I'll look into AppArmor. MacDefender, by client do you mean like an end-user or home-user PC?
 

MacDefender

Level 14
Verified
Oct 13, 2019
694
Thanks, I'll look into AppArmor. MacDefender, by client do you mean like an end user or home user?
By client I mean desktop Linux. As in, not a server, not a router, not an embedded IoT device.

I highly recommend making sure all your commonly used apps have a sandbox profile in AppArmor and, if not, making one for them. Additionally, I recommend creating some restricted policies for handling less trusted files. I usually have a profile that disallows networking and another one that disallows almost everything except a temporary working directory. The latter is great for running completely untrusted executables.
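The two restricted policies described above, written out as an added example (these are not MacDefender's own rules). It assumes AppArmor 3.x syntax; the profile names `no-network` and `untrusted-sandbox` and the `/opt/untrusted` and `/tmp/sandbox` paths are placeholders to adapt.

```apparmor
# Unattached profiles: load once, then apply per run with aa-exec.
#   sudo apparmor_parser -r /etc/apparmor.d/restricted-profiles   (path is a placeholder)
#   aa-exec -p untrusted-sandbox -- /opt/untrusted/sample.bin

#include <tunables/global>

# Profile 1: everything a desktop program normally does, minus every kind of socket.
profile no-network flags=(attach_disconnected) {
  #include <abstractions/base>

  capability,            # ordinary capabilities stay available
  file,                  # unrestricted file access (shorthand for /** rwlkmix)
  audit deny network,    # the single restriction; 'audit' makes each denial land in the log
}

# Profile 2: for executables you do not trust at all. The sample and the system
# libraries may be read and mapped; one scratch directory is the only writable place.
profile untrusted-sandbox flags=(attach_disconnected) {
  #include <abstractions/base>

  audit deny network,
  audit deny capability,
  audit deny ptrace,
  audit deny mount,

  /opt/untrusted/** mr,          # the sample under test: read + map only, never write
  /usr/lib/** mr,
  /usr/bin/** mr,

  owner /tmp/sandbox/ rw,        # the temporary working directory
  owner /tmp/sandbox/** rwk,

  # Anything not listed is already denied; naming the high-value targets with
  # 'audit' turns an attempt to reach them into a DENIED line you can hunt on.
  audit deny /home/** rwklx,
  audit deny /root/** rwklx,
  audit deny /etc/** w,
}
```

Without the `audit` keyword a plain `deny` rule is silent, so the violations would never reach the log you said you would check.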
 

FALC0N

New Member
Mar 29, 2021
9
I think some people in this thread are selling NOD32 for Linux short. I think it's easily the best consumer-targeted Linux AV as long as you are not using AppArmor, which a lot of people are not.
 

shmu26

Level 85
Verified
Trusted
Content Creator
Jul 3, 2015
8,080
The vast majority of Linux malware is targeting servers, not desktop home users.
The main point of Linux AV is to detect Windows-based malware, so you don't infect a Windows machine by passing on files from Linux to Windows.
If you download Windows malware on Linux, it can't run, and thus cannot infect your dual-boot system (if you have one), but you could email it to someone, or copy it over to your Windows installation. Or you could infect your virtual machine, if it is running Windows.
 

mlnevese

Level 24
Verified
May 3, 2015
1,389
A simple rule for modern malware is that it will follow the money. There is no money to be made from Linux home users; the market share is too low and the return on their investment would be dubious, at best. Servers are a completely different story.
 