Linux refugees from other platforms are used to the need for continued vigilance against viruses and other malware. Robust, always-on antivirus software is a simple, albeit annoying, necessity of life for Windows users, and is highly recommended for Mac users.
With Linux, however, the usual advice (including, for example, official Ubuntu advice) is that no antivirus software is needed. And, despite the (very rare) existence of malware targeting Linux systems, antivirus software can endanger your Linux device. It is an opinion that we endorse. This can make the fact that Linux antivirus programs exist quite confusing. So let’s go a little deeper.
The caveat here is that we are talking about home systems. Securing Linux servers is beyond the scope of this article, but the main purpose of running antivirus software on Linux servers is to prevent shared files on servers from infecting Windows and Mac machines, rather than to protect the Linux servers themselves.
Why don’t I need a Linux antivirus program?
1. Popularity (or lack of popularity)
Linux has a desktop market share of around 1.8%. It’s simply not worth the trouble for a techie to develop malware that targets its users. Windows (88% market share) is the most obvious fruit, although Mac malware (9.3% market share), although rare, is becoming more and more common.
2. Most Linux software is installed via the “app store” of a distribution
And the chances of getting malware from software cataloged by your app store are practically zero.
3. Linux is secure by design
It is very rare to log into Linux as a root user, which means that malware cannot run without your express permission (i.e. entering a password ).
On top of that, in most distributions, the open source Linux kernel is usually protected by a mandatory access control system (MAC) such as AppArmor or SELinux, which limits what programs can do.
4. Antivirus software can be dangerous!
Antivirus programs can being hacked, a problem compounded by the fact that by their very nature, they require many high-level permissions to do what they do.
This is also true on other platforms, but the risk of malware is even greater on other operating systems as the need for antivirus software easily outweighs such concerns. When the risk of malware is almost nonexistent with Linux, however, the anti-malware software itself should be viewed with suspicion.
Is there Linux malware?
Yes. But the bottom line is that it is so rare that the remedy is arguably more dangerous than the disease. And no root kit that affects desktop Linux systems has ever been found in the wild.
Is there Linux anti-malware?
Given this situation, and given that almost all reputable sources recommend against the need to use anti-malware products, it is surprising that Linux antivirus products exist (although several highly publicized and still often recommended options are quietly dead in recent years).
The strongest argument for using anti-malware programs on Linux is to protect Windows and Mac users from malicious files that you might unintentionally transmit.
This is the main reason why the use of antivirus applications is a higher priority on Linux servers which store a large number of files downloaded by users of other platforms.
If, despite all of this, you are concerned that a virus might infect your Linux system, you have options.
What Linux antivirus exists?
The first port of call for most Linux users who decide that they really need an antivirus program in their life is the free, open source, and command line only ClamAV.
There are no modern, up-to-date tests that verify the effectiveness of ClamAV
in the 2008 AV-Test, ClamAV first proved to be largely ineffective with many false positives. In 2011, Shadowserver discovered that ClamAV was able to detect 76.60% of malware in tests on 25 million samples, which placed it 12 out of 19 of its competitors. Later in the same year, in a six-month test, ClamAV detected 75.45% of the samples during the course, placing it fifth behind AhnLab, Avira, BitDefender and Avast. Unfortunately, most of this information is out of date and we can’t find any modern tests on the effectiveness of ClamAV, so take this data with a pinch of salt.
ClamAV can be downloaded using the standard package manager of your distribution (for example
sudo apt-get clamav
on most Debian distributions), or can be downloaded as a tarball from the ClamAV website for those who prefer to compile their programs from source.
You will probably need to read the documentation to use ClamAV correctly, but it does offer real-time system protection, as well as on-demand and scheduled scans.
ClamTK is a graphic front-end for ClamAV. It is available in most distribution application stores, or you can download it directly from the ClamTK GitLab pab page. The Fedora, CentOS 7 and CentOS 8 .rpm packages are available, as are the Debian / Ubuntu .deb and tarball packages.
The standard ClamTK package includes ClamAV, but if you have already installed ClamAV, you can install the ClamTK GUI over it using the following command:
sudo apt install clamtk
Sophos Antivirus for Linux
Sophos is a cybersecurity company that develops commercial antivirus products for Windows, macOS and Android. In its 2019 analysis of 250 of the best Android antivirus apps and services, AV-Comparatives found that Sophos detected 100% of its test malware samples.
Sophos Antivirus for Linux is much simpler software that, once installed, is quietly in the background, monitoring your files and only showing up when it detects a problem.
It has no user-selectable options or features, although you can modify a configuration file to specify the folders that the software scans. The version supported by the community is a closed but free source, or you can opt for a paid version officially supported (we are not sure of the price for that).
Sophos for Linux is downloaded as a tar archive which can be installed on any Linux distribution using an install.sh file included.
ESET NOD32 Antivirus for Linux Desktop
ESET is known for its comprehensive antivirus products sold in the market for Windows and macOS. In its 2019 analysis, AV-Comparatives found that ESET software had detected 100% of its test malware samples, a finding confirmed by AV-TEST’s 2018 report on ESET Cyber Security Pro for Mac, which also had a 100% detection rate.
ESET NOD32 Antivirus for Linux is a lot simpler than its Windows and macOS cousins, but it does provide a full graphical interface with real-time antivirus protection and smart or custom scans on demand or scheduled.
ESET NOD32 Antivirus for Linux costs $ 39.99 per year per device and is transferable between licenses between devices and platforms (Windows, macOS and Linux). The package can be downloaded for most Linux distributions (32-bit or 64-bit) as a .linux file which can be made executable.
Comodo Antivirus for Linux
It is also a closed, but free, source for an antivirus product for personal use from the large antivirus supplier Comodo. It has a graphical interface and can perform system monitoring and analysis on demand.
We haven’t been able to get it to work in Ubuntu or Mint, so we can’t comment further on what it looks like in use. Others may be luckier. A little worrying, however, is that AV-Comparatives found that Comodo software only detected 77.6% of its test viruses, placing it 10th out of 250 anti-virus products tested.
Comodo Antivirus for Linux is available as a .rpm or .deb package for the most popular distributions.
do not forget
While, for completeness, we have included a summary of the main antivirus options for Linux; we don’t think they are necessary (and it may even be counterproductive to run on your system).