Does Linux need antivirus?

Wondering if Linux users can take operating system security for granted and not worry about using anti-virus? Let’s look at the risks and what you can use to protect yourself when you’re running this popular open source OS and alternative to Windows 11.

Linux malware has been gradually increasing over the years, with a 35% growth in Linux malware in 2021 identified by endpoint protection vendor Crowdstrike, largely affecting Internet-of-Things devices.

But, assuming your day-to-day security practices are good and your OS is up-to-date, your Linux desktop doesn’t have a particularly great need of antivirus software. OS security updates promptly address new threats, to the point where the official position of Canonical, maker of Ubuntu Linux is that “Linux viruses are so rare that you don’t really need to worry about them at the moment.”

But that doesn’t mean your Linux PC can’t harbour malware for other operating systems, or that cross-platform threats in languages such as Java and Python aren’t a risk.

What antivirus is available for home desktop Linux?

Linux antivirus isn’t a growth area – a number of anti-malware firms, including Eset and Avast, have or are ceasing the publication of stand-alone Linux anti-malware suites, although enterprise server and end-point protection solutions are still available from both of those firms, as well as the likes of Kaspersky and Bitdefender.

ClamAV

The classic open source antivirus tool, ClamAV is available from most Linux distros’ repositories. It includes no real-time malware detection, which means you’re getting any active defence here, but you have have it carry out scheduled scans of your home directory and on-demand scans of any file or directory you’re suspicious of.

I use it with the ClamTk GUI, configured to auto-update its signatures. Note that heuristic malware detection, which examines files’ code for indications of suspicious behaviour, has to be manually enabled. Third-party virus signature databases are also available for ClamAV, and the software can also be configured to run as a service.

Comodo Antivirus for Linux

Comodo is one of the few notable names in malware defence that caters to desktop Linux users. Comodo Free Antivirus for Linux is less bare-bones than ClamAV, with features including real-time scanning, optional analysis of software in Comodo’s cloud, email scanning and anti-spam modules, as well as scheduled and on-demand scans. Sadly, it’s not well-maintained – for example, the currently available version for Debian-based systems requires an older version of libssl than ships with recent operating system versions, requiring manual patching of the package, which is frankly ridiculous.

Linux antivirus effectiveness

Assessing the effectiveness of antivirus for Linux is tough. No testing lab carries out regular testing of Linux antivirus. And where they do, such as AV-TEST and AV Comparatives’ 2015 group tests. the focus is primarily on defending web servers and other enterprise deployments, which tend to be susceptible to a different range of threats and user behaviours.

Even on the server, Linux security is largely down to regular updates and security patching, system monitoring, and solid hygiene when it comes to service passwords and open ports. While enterprise-grade end-point protection often includes Linux server modules, specialist system administrators often prefer more hands-on security tools.

Nor can you rely on data showing how effective a malware detection engine is when confronted with Windows malware – Linux is very different OS with a very different set of vulnerabilities.

Weakness in numbers

GNU/Linux operating systems famously underpin the web, supercomputing, and embedded systems. But desktop PC users represent a unique security risk, in that they’ll cheerfully visit random, potentially dodgy websites and download and compile whatever software strikes their fancy. They’re also susceptible to social engineering attacks in a uniquely human way.

Desktop Linux users have, in general, spent the better part of 30 years acting as though there are no malware threats for their OS. But as user numbers for a given platform grow, so does its appeal to bad actors who might want to exploit it.

In January 2022, Statistia estimated desktop Linux at 2.09% of the world’s desktop internet users. A back of the envelope calculation puts that number at around 51 million people worldwide. And Valve’s Steam hardware survey indicates that Linux users make up 1.06% of the 120 million active players using its platform – a little under 1.3 million people.

The number of desktop Linux users is about to increase by anything up to 840,000 based on reservations for Valve’s Steam Deck portable gaming PC, which will run SteamOS 3.0, a specialised distribution based on Arch Linux.

Strength in diversity

One of the reasons that Linux is a poor target for malware developers is that everything from filesystem layouts to default modules and software to can vary wildly from distro to distro. Software packages built for Ubuntu very likely won’t work out of the box on Slackware, Red Hat or Arch. Significant differences can even exist between fixed versions of the same distro.

While this can be a thorn in the side of developers making software for Linux and can result in dependency hell if you’re building software from source, it also means that, for bad actors, it’s rarely worth their time bothering with desktop Linux users.

On a OS that requires manual entry of the root password to do almost anything that’ll affect your system in a meaningful way, your main worries are likely to be social engineering attacks, where someone tricks you into doing something risky; exposing your desktop system to the internet through poor network firewall configuration; allowing services such as MySQL to be installed with a default password, and unpatched privilege escalation attacks.

Keep up-to-date

Security is a priority for most Linux distributions both on the development side and when it comes to default behaviours. Most distros will automatically check for updates, and in some cases you can have your auto-install them unattended, although I recommend regular manual installation so you know what’s been updated. There are usually graphical and command-line tools to handle this, although exactly what these are will be vary from distribution to distribution, from apt on Debian-based distros to Arch Linux’s pacman.

The most important thing to do for your Linux operating system’s security is to keep it up-to-date. Long-term support (LTS) versions of Linux will receive security updates for anywhere between five and 10 years, but many desktop users will want to run the latest release of their OS – in these cases, you can have as a little as a month to upgrade to the newest version once the previous one is superseded.

I currently use Pop!_OS on my main work PC, and generally wait a couple of weeks after a new version has been announced to see if any unexpected bugs appear before I run pop-upgrade.

Many distributions, including Arch, Manjaro and OpenSUSE, offer rolling releases, which are constantly updated and thus never need a full version upgrade, rather than fixed releases. It’s an appealing model for those who want to run the latest core packages and Linux kernel, although those with patchy internet or a need for system stability may nonetheless prefer fixed-release versions.