Anti-malware for my personal Debian workstation?

Anti-malware for my personal Debian workstation?

l0f4r0
Hi,

I understand the pro of having a Linux antivirus on a Linux server, especially a mail or file server.
However I'm writing to you here for a personal Linux workstation (Debian 10) and I think I already have rather safe hygiene on the internet in general (I'm really careful on what I click on or download or configure).

Considering the fact I am human so not perfect at all + other notions like defense in depth / layered defense... would you recommend having a Linux anti-malware?

If so, what do you think please about:
* ClamAV?
* Sophos antivirus for Linux?
* Comodo antivirus for Linux?
* F-Prot antivirus for Linux Workstations?

These are the only free (as in free beer) solutions I've found for Linux. Do you have other suggestions?

My criteria are:
* maintained software with frequent signatures updates
* $ free (OSS would be the icing on the cake)
* renowned in its sector
* no bloatware (I prefer if it's lightweight. I don't care if there is no GUI)
* resident protection would be nice. At least it should scan my downloads on the fly and proceed to automatic scans at regular intervals

Besides, do I really need an anti-rootkit solution like chkrootkit or Rootkit Hunter?

Thanks a lot in advance :)
Best regards,
l0f4r0

Re: Anti-malware for my personal Debian workstation?

tomas@tuxteam.de
On Sun, Feb 23, 2020 at 09:47:18AM +0100, [hidden email] wrote:
> Hi,
>
> I understand the pro of having a Linux antivirus on a Linux server, especially a mail or file server.
> However I'm writing to you here for a personal Linux workstation (Debian 10) and I think I already have rather safe hygiene on the internet in general (I'm really careful on what I click on or download or configure).
>
> Considering the fact I am human so not perfect at all + other notions like defense in depth / layered defense... would you recommend having a Linux anti-malware?

No.

Keep your system up to date. Be reasonably careful with
executable content downloaded off the 'net (javascript,
I'm looking at you, but also pdf, random instructions to
do "curl foo://bar | sudo bash -" or something). Do backups.

Cheers
-- t

Re: Anti-malware for my personal Debian workstation?

Ivan Jurišić
In reply to this post by l0f4r0

My choice is ClamAV. Easy to use and configure.

On 2020-02-23 09:47, [hidden email] wrote:

> Hi,
>
> I understand the pro of having a Linux antivirus on a Linux server, especially a mail or file server.
> However I'm writing to you here for a personal Linux workstation (Debian 10) and I think I already have rather safe hygiene on the internet in general (I'm really careful on what I click on or download or configure).
>
> Considering the fact I am human so not perfect at all + other notions like defense in depth / layered defense... would you recommend having a Linux anti-malware?
>
> If so, what do you think please about:
> * ClamAV?
> * Sophos antivirus for Linux?
> * Comodo antivirus for Linux?
> * F-Prot antivirus for Linux Workstations?
>
> These are the only free (as in free beer) solutions I've found for Linux. Do you have other suggestions?
>
> My criteria are:
> * maintained software with frequent signatures updates
> * $ free (OSS would be the icing on the cake)
> * renowned in its sector
> * no bloatware (I prefer if it's lightweight. I don't care if there is no GUI)
> * resident protection would be nice. At least it should scan my downloads on the fly and proceed to automatic scans at regular intervals
>
> Besides, do I really need an anti-rootkit solution like chkrootkit or Rootkit Hunter?
>
> Thanks a lot in advance :)
> Best regards,
> l0f4r0

Re: Anti-malware for my personal Debian workstation?

mlnl
In reply to this post by l0f4r0
Hi [hidden email],

[hidden email] wrote:

>Considering the fact I am human so not perfect at all + other notions
>like defense in depth / layered defense... would you recommend having
>a Linux anti-malware?

I have used clamav, linux malware detect with 3rd party repos like
sanesecurity just for fun and for some time to see, what you can do
beside commercial products. I had only a few positive, Windows related
matches and a lot of false positives - and think about the 0-day
problem with all anti-malware or the capabilities of state
sponsored cracker groups or CNA/CNE groups inside military/civil
state organizations ;)

I think it is more important & useful to audit & harden/secure your
system, kernels (KSPP), services and applications with IDS/IPS (e. g.
Samhain), MACs like AppArmor, systemd-analyze security unit, secured
sudoers file, use of additional 2FA tokens and so on...

--
mlnl
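One way to act on the `systemd-analyze security` item in mlnl's list, as an added example that is not code from the thread or from systemd: a small POSIX sh script that sorts that command's table output so the most exposed units get hardened first. The sample table, the 7.5 cut-off and the function names are constructed assumptions, not systemd constants.

```shell
#!/bin/sh
# Added example, not code from the thread: triage the output of
# `systemd-analyze security` (one of the hardening tools mlnl lists) so the
# most exposed services are hardened first. The sample table below is
# constructed for the demo; the 7.5 cut-off is an assumption, not a systemd
# constant. Uses only POSIX sh, awk and sort.

# Constructed sample in the same shape as `systemd-analyze security` prints:
# UNIT, EXPOSURE score (0 = tight sandbox, 10 = no sandboxing), PREDICATE,
# and a "HAPPY" smiley column that is ignored here.
SAMPLE_OUTPUT='UNIT                        EXPOSURE PREDICATE HAPPY
ModemManager.service             6.3 MEDIUM    :|
NetworkManager.service           7.8 EXPOSED   :(
systemd-logind.service           2.8 OK        :)
cron.service                     9.6 UNSAFE    :(
ssh.service                      9.6 UNSAFE    :('

# exposed_units THRESHOLD
# Reads the table on stdin and prints "unit score" for every unit whose
# exposure score is at or above THRESHOLD, worst first (ties by name). The
# header row and any line without a numeric score are dropped.
exposed_units() {
    awk -v t="$1" '
        NR == 1 && $1 == "UNIT"            { next }   # header row
        NF >= 3 && $2 ~ /^[0-9]+(\.[0-9]+)?$/ && $2 + 0 >= t + 0 {
            print $1, $2
        }' | sort -k2,2nr -k1,1
}

# predicate_counts
# Reads the table on stdin and prints "PREDICATE count" per band, sorted by
# name, so you can watch the UNSAFE/EXPOSED counts shrink as you add
# ProtectSystem=, PrivateTmp=, NoNewPrivileges= etc. to unit drop-ins.
predicate_counts() {
    awk 'NR == 1 && $1 == "UNIT" { next }
         NF >= 3 { n[$3]++ }
         END { for (p in n) print p, n[p] }' | sort
}

# main demo|live : run both reports on the sample or on the real host
main() {
    case "$1" in
        demo) input() { printf '%s\n' "$SAMPLE_OUTPUT"; } ;;
        live) input() { systemd-analyze security --no-pager; } ;;
        *)    echo "usage: $0 --demo | --live" >&2; return 2 ;;
    esac
    echo "== units scoring >= 7.5 (harden these first) =="
    input | exposed_units 7.5
    echo "== units per predicate band =="
    input | predicate_counts
}

case "${1:-}" in
    --demo) main demo ;;
    --live) main live ;;
esac
```

Run it with `--demo` to see the constructed sample, or `--live` on a host where `systemd-analyze` is available; the 0 to 10 exposure scale and the predicate bands come from systemd itself.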

Re: Anti-malware for my personal Debian workstation?

Philippe LeCavalier


On Sun, Feb 23, 2020, 07:03 mlnl <[hidden email]> wrote:
> Hi [hidden email],
>
> [hidden email] wrote:
>
> >Considering the fact I am human so not perfect at all + other notions
> >like defense in depth / layered defense... would you recommend having
> >a Linux anti-malware?
>
> I have used clamav, linux malware detect with 3rd party repos like
> sanesecurity just for fun and for some time to see, what you can do
> beside commercial products. I had only a few positive, Windows related
> matches and a lot of false positives - and think about the 0-day
> problem with all anti-malware or the capabilities of state
> sponsored cracker groups or CNA/CNE groups inside military/civil
> state organizations ;)
>
> I think it is more important & useful to audit & harden/secure your
> system, kernels (KSPP), services and applications with IDS/IPS (e. g.
> Samhain), MACs like AppArmor, systemd-analyze security unit, secured
> sudoers file, use of additional 2FA tokens and so on...
>
> --
> mlnl

I've been using Sophos since it came out and clamav for many years prior and I prefer Sophos.

I definitely disagree with merely doing backups and updates. You could say the same for any OS. That is no means of keeping yourself safe.
Re: Anti-malware for my personal Debian workstation?

Nicholas Geovanis-2
In reply to this post by mlnl

On Sun, Feb 23, 2020, 6:03 AM mlnl <[hidden email]> wrote:
> I think it is more important & useful to audit & harden/secure your
> system, kernels (KSPP), services and applications with IDS/IPS (e. g.
> Samhain), MACs like AppArmor, systemd-analyze security unit, secured
> sudoers file, use of additional 2FA tokens and so on...

I agree with this strongly. I believe AppArmor is enabled and configured properly at install on recent Ubuntu. I stick with it. I worked with true MAC before SELinux, but I became a fan of RedHat's targeted mode (IIRC); it's easier to administer than a true full SELinux environment but not necessarily intended for multi-user-login environments.

Also don't ignore Extended ACLs, though I'm not sure if all filesystem types support them. They became standardised in SysV unix but not broadly used.

My hope is that some type of MAC becomes standard, default installation of linux someday. But not many agree with me I guess. I don't believe that the added administration work is a net loss. I don't find it any more complex than other admin work.


Re: Anti-malware for my personal Debian workstation?

mlnl
In reply to this post by Philippe LeCavalier
Hi Philippe,

Philippe LeCavalier <[hidden email]> wrote:

>I definitely disagree with merely doing backups and updates. You could
>say the same for any OS. That is no means of keeping yourself safe.

I agree. I have not written about backups & updates - they are obvious
and so not worth mentioning.

--
mlnl

Re: Anti-malware for my personal Debian workstation?

deloptes-2
In reply to this post by Ivan Jurišić
Ivan Jurišić wrote:

> My choice is ClamAV. Easy for use and configure.
>

but without commercial antivirus database updates, you cannot do much.

I also think those are usable for servers and businesses with multiple
users. Otherwise it simply does not pay off.



Re: Anti-malware for my personal Debian workstation?

Stefan Monnier
In reply to this post by l0f4r0
> defense in depth / layered defense... would you recommend having a Linux
> anti-malware?

No.  All those only try to recognize known threats.  When a threat is
known, the security hole it exploits is also known, and the fix for it
already exists as well, so updating your distribution to the latest
security fixes is a better solution since it doesn't just protect you
from those known threats but it also protects you from unknown threats
using the same security holes.


        Stefan

Re: Anti-malware for my personal Debian workstation?

Philippe LeCavalier


On Sun, Feb 23, 2020, 14:04 Stefan Monnier <[hidden email]> wrote:
> > defense in depth / layered defense... would you recommend having a Linux
> > anti-malware?
>
> No.  All those only try to recognize known threats.  When a threat is
> known, the security hole it exploits is also known, and the fix for it
> already exists as well, so updating your distribution to the latest
> security fixes is a better solution since it doesn't just protect you
> from those known threats but it also protects you from unknown threats
> using the same security holes.
>
>         Stefan

That's not true. Sophos has AI learning and threat analysis mitigation tactics built in.
Phil
Re: Anti-malware for my personal Debian workstation?

Ben Lavender
In reply to this post by mlnl
I agree with this deeply. It's surprising the number of machines I see
that have some fancy, subscription-based and expensive AV but have the
firewalls, SELinux, UAC disabled along with weak filesystem and sharing
ACLs.

It's fine to get a good AV running on the system but they don't detect
all malware, and I've always run with that being something like 50% of
malware being detected.

Good security practices are the best first line of defence; believe me,
I've seen the evidence when they're not.

On 23/02/2020 12:02, mlnl wrote:

> Hi [hidden email],
>
> [hidden email] wrote:
>
>> Considering the fact I am human so not perfect at all + other notions
>> like defense in depth / layered defense... would you recommend having
>> a Linux anti-malware?
> I have used clamav, linux malware detect with 3rd party repos like
> sanesecurity just for fun and for some time to see, what you can do
> beside commercial products. I had only a few postive, Windows related
> matches and a lot of false positives - and think about the 0-day
> problem with all anti-malware or the capabilities of state
> sponsored cracker groups or CNA/CNE groups inside military/civil
> state organizations ;)
>
> I think, it is more important & usefull to audit & harden/secure your
> system, kernels (KSPP), services and applications with IDS/IPS (e. g.
> Samhain), MACs like AppArmor, systemd-analyze security unit, secured
> sudoers file, use of additional 2FA tokens and so on...
>

Re: Anti-malware for my personal Debian workstation?

Reco
In reply to this post by Philippe LeCavalier
        Hi.

On Sun, Feb 23, 2020 at 02:07:00PM -0500, Philippe LeCavalier wrote:

> On Sun, Feb 23, 2020, 14:04 Stefan Monnier <[hidden email]> wrote:
>
> > > defense in depth / layered defense... would you recommend having a Linux
> > > anti-malware?
> >
> > No.  All those only try to recognize known threats.  When a threat is
> > known, the security hole it exploits is also known, and the fix for it
> > already exists as well, so updating your distribution to the latest
> > security fixes is a better solution since it doesn't just protect you
> > from those known threats but it also protects you from unknown threats
> > using the same security holes.
>
> That's not true. Sophos has ai learning and threat analysis mitigation
> tactics built in.

An impressive mitigation tactic indeed [1]:

September 2012: Sophos' anti-virus suite identified various
update-mechanisms, including its own, as malware. If it was configured
to automatically delete detected files, Sophos Antivirus could render
itself unable to update, requiring manual intervention to fix the
problem.


That and promoting non-free software here, at this list? Boo.

[1] https://en.wikipedia.org/wiki/Antivirus_software

Reco

Re: Anti-malware for my personal Debian workstation?

Philippe LeCavalier


On Sun, Feb 23, 2020, 15:13 Reco <[hidden email]> wrote:
>         Hi.
>
> On Sun, Feb 23, 2020 at 02:07:00PM -0500, Philippe LeCavalier wrote:
> > On Sun, Feb 23, 2020, 14:04 Stefan Monnier <[hidden email]> wrote:
> >
> > > > defense in depth / layered defense... would you recommend having a Linux
> > > > anti-malware?
> > >
> > > No.  All those only try to recognize known threats.  When a threat is
> > > known, the security hole it exploits is also known, and the fix for it
> > > already exists as well, so updating your distribution to the latest
> > > security fixes is a better solution since it doesn't just protect you
> > > from those known threats but it also protects you from unknown threats
> > > using the same security holes.
> >
> > That's not true. Sophos has AI learning and threat analysis mitigation
> > tactics built in.
>
> An impressive mitigation tactic indeed [1]:
>
> September 2012: Sophos' anti-virus suite identified various
> update-mechanisms, including its own, as malware. If it was configured
> to automatically delete detected files, Sophos Antivirus could render
> itself unable to update, requiring manual intervention to fix the
> problem.
>
> That and promoting non-free software here, at this list? Boo.
>
> [1] https://en.wikipedia.org/wiki/Antivirus_software
>
> Reco

Mistakes happen. Fear mongering is a more useless tactic ;) You can point to a bad scenario in every single product or project imaginable. It is inevitable.

Re: Anti-malware for my personal Debian workstation?

Stefan Monnier
In reply to this post by Philippe LeCavalier
>> > defense in depth / layered defense... would you recommend having a Linux
>> > anti-malware?
>> No.  All those only try to recognize known threats.  When a threat is
>> known, the security hole it exploits is also known, and the fix for it
>> already exists as well, so updating your distribution to the latest
>> security fixes is a better solution since it doesn't just protect you
>> from those known threats but it also protects you from unknown threats
>> using the same security holes.
> That's not true.

Which part?

> Sophos has ai learning and threat analysis mitigation tactics built in.

In which way does it make my statement false?

And more importantly, are there known cases where it detected an attack
before the corresponding security hole had been found?  How common are
those cases, compared to the added risk (and performance and resource
cost) of running that software?


        Stefan

Re: Anti-malware for my personal Debian workstation?

Philippe LeCavalier


On Sun, Feb 23, 2020, 17:28 Stefan Monnier <[hidden email]> wrote:
> >> > defense in depth / layered defense... would you recommend having a Linux
> >> > anti-malware?
> >> No.  All those only try to recognize known threats.  When a threat is
> >> known, the security hole it exploits is also known, and the fix for it
> >> already exists as well, so updating your distribution to the latest
> >> security fixes is a better solution since it doesn't just protect you
> >> from those known threats but it also protects you from unknown threats
> >> using the same security holes.
> > That's not true.
>
> Which part?
>
> > Sophos has ai learning and threat analysis mitigation tactics built in.
>
> In which way does it make my statement false?
>
> And more importantly, are there known cases where it detected an attack
> before the corresponding security hole had been found?  How common are
> those cases, compared to the added risk (and performance and resource
> cost) of running that software?
>
>         Stefan

That you want to debate the validity of running AV on any system these days is ridiculous, and it is not a conversation I want to be part of.

Re: Anti-malware for my personal Debian workstation?

deloptes-2
Philippe LeCavalier wrote:

>> > Sophos has ai learning and threat analysis mitigation tactics built in.
>>
>> In which way does it make my statement false?
>>
>> And more importantly, are there known cases where it detected an attack
>> before the corresponding security hole had been found?  How common are
>> those cases, compared to the added risk (and performance and resource
>> cost) of running that software?
>>
>>
>> Stefan
>>
> That you want to debate the validity of running AV on any system these days
> is ridiculous, and it is not a conversation I want to be part of.

I think you missed that he said "compared to", which is not exactly what you
mean. I think the discussion and question is valid.

Re: Anti-malware for my personal Debian workstation?

tomas@tuxteam.de
In reply to this post by Philippe LeCavalier
On Sun, Feb 23, 2020 at 02:07:00PM -0500, Philippe LeCavalier wrote:

> On Sun, Feb 23, 2020, 14:04 Stefan Monnier <[hidden email]> wrote:
>
> > > defense in depth / layered defense... would you recommend having a Linux
> > > anti-malware?
> >
> > No.  All those only try to recognize known threats.  When a threat is
> > known, the security hole it exploits is also known, and the fix for it
> > already exists as well, so updating your distribution to the latest
> > security fixes is a better solution since it doesn't just protect you
> > from those known threats but it also protects you from unknown threats
> > using the same security holes.
> >
> >
> >         Stefan
> >
> That's not true. Sophos has ai learning and threat analysis mitigation
> tactics built in.

And a lot of snake oil to boot. I totally agree with Stefan: for an OS
with a working and transparent patch/release cycle, "classical" AV
strategy is nonsense.

Besides, the real threats are elsewhere these days, cf. [1] (hint:
the data you care about isn't in /usr/bin).

Cheers

[1] https://xkcd.com/1200/

-- tomás

Re: Anti-malware for my personal Debian workstation?

Stefan Monnier
In reply to this post by Philippe LeCavalier
> You want to debate the validity of running av on any system these days is
> ridiculous

Then it should be trivial to prove me wrong by pointing to the large
body of evidence to support your claim.


        Stefan

Re: Anti-malware for my personal Debian workstation?

Greg Wooledge
In reply to this post by tomas@tuxteam.de
On Mon, Feb 24, 2020 at 10:03:58AM +0100, [hidden email] wrote:
> I totally agree with Stefan: for an OS
> with a working and transparent patch/release cycle, "classical" AV
> strategy is nonsense.

The only sensible use of an anti-virus program on Linux is on a mail
server (or certain kinds of firewalls/proxies), to detect Windows viruses
that are passing through.

The use of an anti-virus program on Linux, which attempts to detect
Linux viruses, is patently ridiculous.  There just *aren't* any.  That
isn't the threat model that you need to worry about.

When you're talking about Linux security, on desktops, you're mostly
looking for holes in web browsers, office suites, media players, etc.

On Linux servers, you're looking for holes in the network services
that are exposed to the world.

Re: Anti-malware for my personal Debian workstation?

l0f4r0
Hi,

Thank you everybody for your answers.

I understand most of the respondents don't use anti-malware at all. Good hygiene or other kinds of solutions like system hardening (AppArmor, SELinux) are way more efficient.

NB: I've been told SELinux is so complex that people eventually let it drop... Do you all succeed in configuring & using it? ;)

Do you follow any guide or tool to help you in hardening your Linux distro?
I've used Lynis for the audit part; it's nicely done. What do you think about it?

Anti-malware on Windows is common/best practice. However, as we are discussing it here, things seem to be different with Linux. I don't really think Linux is intrinsically more secure than Windows nowadays (a vulnerability remains a vulnerability) but I really think the Linux ecosystem is. Here are some reasons that could explain that, in my opinion:
* Most software is downloaded through official, preconfigured repositories. Users are less prone to downloading malware from suspicious websites
* Updates are easier as well because they are, for the most part, tracked/centralized through the repositories themselves. On Windows you need to check Windows Update + Windows Store + each application individually
* Linux users are on the whole more tech-savvy, so they take more care of their systems
* Open source is more common on Linux (community-based) than on Windows (money-based), so theoretically anyone competent enough could view the source by themselves and spot malevolent behavior (/!\ in practice this is not so easy, see what happened with OpenSSL / Heartbleed)
* Linux desktops are less exposed: it's more lucrative for black hats to target Windows users with malware (see desktop market shares). However this is only half of an argument because Linux server market shares are quite the opposite!
* Until some years ago, I would have added that Linux is more secure by design (least privilege, compartmentalization) than Windows, but I think this is not so true now; Windows has caught up apparently...
=> What is your opinion?

Thank you & Best regards,
l0f4r0
