1
Linux Antivirus? (lemmy.wtf)
submitted 3 weeks ago by UNY0N@lemmy.wtf to c/linux@lemmy.world
14 comments fedilink hide all child comments

I'm about to install bazzite on my wife's older (2017) Windows 10 machine, and I've been going over how to recreate everything she currently has. Most programs (even proprietary ones) are not an issue, but I'm not finding much in the antivirus department.

I never even thought to install one on my Linux machine (also on bazzite, but I have used other distros in the past). So although I am no stranger to Linux, this issue blindsided me.

I know clamav exists, and I'm educating myself on how to use it, but a GUI would be nice for the wife. She's not afraid of the terminal, but she likes the convenience of GUI programs.

Any suggestions? What do you use? Or is it just generally accepted that one should be careful and keep things up-to-date and that's enough?

top 14 comments
sorted by: hot top controversial new old
[-] ToxicWaste@lemmy.cafe 1 points 2 weeks ago

I like to consider myself part of the exclusive and oh so elite club of linux users. everyone here saying that AV is not needed, because the best security is not to be stupid, is right. but is your grandma tech literate enough to not do stupid things on her computer? your teenage son?

as the linux user base grows, the platform becomes more interesting of a target. even for stupid attacks. and lets be honnest: lots of legitimate open source projects still use an install script to curl and pipe into the terminal as a suggested method to install. which is just horrible!

while an anti malware is a patch. it is the last line of defense after a stupid mistake. so it would be great to have an actual desktop AV for linux. eset used to sell one but it is long out of service.

i use clamAV. but i maintain it for the family, so it is not as simple as telling them exactly what to install and run with default configs.

anyway, for those interested: here are two videos of malware attacks against lunux in rather different fashions:

[-] lka1988@lemmy.dbzer0.com 0 points 2 weeks ago* (last edited 2 weeks ago)

The best Linux antivirus is a healthy dose of dontclickshit.bin.

She’s not afraid of the terminal, but she likes the convenience of GUI programs.

Your wife appears to have the same preferences as I do. I don't mind using the terminal (I usually have one open any time I'm using my laptop or PC), but some things are far simpler in a GUI.

[-] Neptr@lemmy.blahaj.zone 0 points 3 weeks ago* (last edited 3 weeks ago)

An antivirus is mostly unnecessary when care is taken to not install or use untrusted software. If you install everything as a Flatpak (and modify some of the default permissions), you can avoid allowing software to gain much access to her computer.

While I think people suggesting Linux is immune to malware is stupid, for reasons such as it is "too secure" or "too niche" to be effected by malware, anti malware is like a bandaid to a gaping wound. If you have malware, it is already too late and you should first unplug the device from the network and any connected devices, backup any important data, and fresh reinstall by overwriting the infected install.

If you still think you need some way to defend against malware, use the VirusTotal website, or a native Flatpak called Lenspect, to upload and scan files (such as an executable binary). Lenspect requires no permissions other than network access, so it is safe and the only risk is if you input a file containing personal data it will be uploaded to VirusTotal.

Though to stress again, antivirus is a bandaid! The real solution is to be smart about what you install and only take stuff from trusted sources. Try to make sure everything is a Flatpak and avoid apps with excessive permissions, which weaken the security of the sandbox.

[-] r00ty@kbin.life 0 points 3 weeks ago

I think there's a few aspects to this whole subject.

First of all for a long time people have thought Linux not to be the target of malware. I would say that it has been a target and it has been for decades. I recall in the late 90s a Linux server at work was attacked, had a rootkit, IRC trojan and attack kit installed by script kiddies in Brazil. I think the nearest you can say is that desktop users aren't usually a target, which is mostly true. But with the share of desktop installs hitting a high recently we should expect that to change.

Second I think most windows antivirus products (including the built in one) are doing some active useful things. Most of these are not relevant on Linux (we generally don't run setup.exe from random websites). However! Here's where things get interesting. The rise of flatpak and other containerised applications. These I would say are very similar to setup.exe, and would make it trivial to embed malware into such a file. A Linux virus scanner could be checking these. Also we've seen direct attacks on distro repositories lately. I don't expect this to slow down. We are most certainly a target now.

Third, the other reason most Linux users don't use virus scanners is because they're usually technical people who would recognise (usually) something wrong and investigate/spot the malware. I would say two things are changing here. Simpler to install distros are bringing in less technical people to Linux and, the number of processes running on a machine doing effectively nothing in a desktop environment is way higher than it used to be. So technical people can be caught off guard. Also, a rootkit can hide all of these clues if done well.

So I would say there's a really good space to have a well made virus scanner/antivirus now. It is probably the right time for it.

[-] squaresinger@lemmy.world -1 points 2 weeks ago

we generally don’t run setup.exe from random websites

We do run .deb/.rpm files from random websites though. And you mentioned flatpak too. Appimage is quite popular too, and afaik that doesn't have any built-in sandboxing at all.

[-] r00ty@kbin.life 0 points 2 weeks ago

We do run .deb/.rpm files from random websites though.

In general with Linux sites with deb/rpm/etc files would usually include hashes for the genuine versions etc. Not to say the actual author of these could be malicious.

And you mentioned flatpak too. Appimage is quite popular too, and afaik that doesn't have any built-in sandboxing at all.

Even with sandboxing, they generally need access to save files/load files etc from the host environment. Where are these connections defined? Could a malicious actor for example grant their malicious appimage/flatpak more access? Genuine questions, I've never looked into how these work.

[-] Neptr@lemmy.blahaj.zone 1 points 2 weeks ago

AppImages have no sandboxing as you said. They also rely on the deprecated SUID-root binary FUSE2. AppImages are bad for security but they are convenient. A malicious AppImage could for example connect to org.freedesktop.secrets and access your keychain, or run a script that places a script called "sudo" in $HOME/.local/share/bin that is preferred over the real sudo and logs a password, or encrypt your files in a ransomware attack, or exfiltrate your session cookies from Firefox or Chromium browsers.

Flatpaks on the other hand are sandboxed. IIRC Flatpaks can't access other Flaptak's data folders in $HOME/.var/app (maybe even if home access is given?), but if given access to the "home" permission they can read and write to anywhere else in the user home, so stealing session cookies from a browser or ransomware could still be possible given the right permission. Modern apps that are designed to work as Flatpaks can use the xdg-desktop-portal to access only specific files/dirs upon user request, but it is only temporary access to a file. All the ways a Flatpak can access the system are defined by its permissions, so by giving more/dangerous permissions (such as devices or full filesystem access) a malicious app can possibly escape the sandbox and access arbitrary permissions. The worst permission an app can have is access to session bus for org.freedesktop.Flatpak, which allows it to arbitrary permissions, host command execution, and access to Flatpak configuration.

[-] Neptr@lemmy.blahaj.zone 1 points 2 weeks ago* (last edited 2 weeks ago)

There is more to xdg-desktop-portal than I said, it is quite powerful.

https://wiki.archlinux.org/title/XDG_Desktop_Portal

https://flatpak.github.io/xdg-desktop-portal/docs/

This Flatpak shows the power of portals on your system, while also requiring no permissions at all: https://flathub.org/en/apps/com.belmoussaoui.ashpd.demo

Same with this one, but it requires arbitrary permissions: https://flathub.org/en/apps/xyz.tytanium.DoorKnocker

[-] squaresinger@lemmy.world -1 points 2 weeks ago

The "too niche" part is really weird to me. There's an estimated 2 billion PCs in use right now. ~3% of that are running some form of Desktop Linux OS, so roughly 60 million.

Incidentally, that's exactly the same number as the total number of Win95 licenses sold, and I can't recall Win95 being "too niche" for malware. Quite the opposite.

[-] lka1988@lemmy.dbzer0.com 0 points 2 weeks ago* (last edited 2 weeks ago)

Incidentally, that’s exactly the same number as the total number of Win95 licenses sold, and I can’t recall Win95 being “too niche” for malware. Quite the opposite.

In Win95 days, "always online" was simply not a thing for the average household. Getting on the Internet - if you even had a connection at all - was equivalent to making a phone call, in that you "called in" to do the thing you wanted to do, then "hung up" when you were done (yes, I know dial-up did almost exactly that in practice, but it's still a good analogy).

Being "always online" is relatively recent, and anything online is going to be vulnerable to malware at some point in its life. Security patches need to keep up with that.

[-] squaresinger@lemmy.world -1 points 2 weeks ago

Exactly, and still the 60 million copies sold (of which maybe a quarter or so actually ever went online) was more than enough to make Win95 comically malware-infested.

I'd venture to say that close to every one of the 60 million copies of Desktop Linux OSes running goes online frequently, so there's much more potential Linux targets than there ever were Win95 targets. That's why I'm saying the "Linux is to niche to get malware" argument doesn't really work.

[-] lka1988@lemmy.dbzer0.com 0 points 2 weeks ago

OS security has gotten far better though, and there are a literal shitton more devices to target (like IOT crap) than someone's slighty out-of-date Linux install.

[-] squaresinger@lemmy.world -1 points 2 weeks ago

But targets differ in value. Hack an IOT device and you can send some spam from it. Hack someone's PC and you can ransomware their family pictures or steal their crypto crap.

this post was submitted on 24 Nov 2025
1 points (100.0% liked)

Linux

14363 readers
11 users here now

Welcome to c/linux!

Welcome to our thriving Linux community! Whether you're a seasoned Linux enthusiast or just starting your journey, we're excited to have you here. Explore, learn, and collaborate with like-minded individuals who share a passion for open-source software and the endless possibilities it offers. Together, let's dive into the world of Linux and embrace the power of freedom, customization, and innovation. Enjoy your stay and feel free to join the vibrant discussions that await you!

Rules:

  1. Stay on topic: Posts and discussions should be related to Linux, open source software, and related technologies.

  2. Be respectful: Treat fellow community members with respect and courtesy.

  3. Quality over quantity: Share informative and thought-provoking content.

  4. No spam or self-promotion: Avoid excessive self-promotion or spamming.

  5. No NSFW adult content

  6. Follow general lemmy guidelines.

founded 2 years ago
MODERATORS
MigratingtoLemmy@lemmy.world