Just Out of interest -- Anti Virus!

Just out of interest, how do people feel about the dreaded speech of “Anti Virus” on Fedora? Let alone Linux?

Out of precaution, I say yes, it needs protection (as Comodo would state); however, other than these guys, it’s actually quite hard to find an anti-virus for Linux.

What do people think? Should I persist in finding one for my system? (Granted, I have the Wine Windows, umm, “system”, installed.)

Foxxie

1 Like

Fedora already ships with one and it’s called SELinux. Most 3rd party anti-viruses either are for checking for Windows viruses (ClamAV) or are a nasty rootkit that likely does more harm than good. I strongly recommend that you keep SELinux enforcing and firewalld enabled and avoid 3rd party root kits.

3 Likes

ClamAV and Comodo antivirus for linux are of some utility.
While it is true that the great majority of viruses target windows, it has, over time, become more threatening in the linux world.

I agree with Scott that SELinux is a very important part, but adding layers can help protect your system.

1 Like

Waking up this old topic because I am also thinking of this. Coming from the windows world and always being a bit paranoid with digital security, the mental need for an anti virus being active in the system is high. I have been fine with linux not needing anti virus for the past decade, as there are less threats out there and the uptime of my linux systems has been really low.

Now with linux as a daily driver it gets much more exposure time to potential contamination and with news about a rise in malware targeting linux my mental need for an antivirus is screaming.

I tried setting up ClamAV on-access scanning, but didn’t get that to work. It’s just out of my skill level at this point. I do have SELinux and firewalld active and enforcing, and some sort of firewall in my router, but same thing there: I just lack the understanding at the moment to configure and check if they are working correctly, or what to do if they don’t.

I was considering buying Bitdefender Small Business Security or Dr.Web Security Space for Linux, as their price is suitable for a single-PC install and they look simple enough to use.

Is this idea absolutely bonkers, would it cause more harm than benefits?

I mostly browse the internet, chat in discord, and play games with wine and proton.

I come from an SGI IRIX64, NeXT, linux, and macOS shop inside a large enterprise where Windows was the “standard OS”. My boss was once at a high-level meeting with military brass where the final report was shared via a USB key. When my boss plugged the key into his new, first-edition MacBook Air, malware hiding as “copy.exe” on the key was found by ClamAV. At the time, Apple provided ClamAV with custom rules.

Users often forwarded email to their workstations rather than risk opening attachments on their Windows PCs. ClamAV was used to detect Windows viruses in email attachments (which is an argument in favor of mail systems that keep each message in a separate file – ClamAV would find a virus in a file with 100s of messages, so it was usually necessary to split up large message files).

One drawback to ClamAV was that updates to rules lagged behind new viruses by several weeks. Users learned to delay opening emails from unknown sources for a week or two to give time for the rules to catch up.

That is bonkers as you ask.
Any proprietary tool that costs is just that – proprietary and you are at the mercy of the developer as to how it works, updates, etc.

There are many tools available for free for linux, with clamav and comodo antivirus among them.
With any tool that is FOSS you are able to actually look at and modify the code if you wish and feel you may be able to improve performance.

As always in all operating systems, the first line of defense is a user who is security conscious, does not click on random suspicious links, does not allow emails to lead them astray, etc.
Downloading from known reliable sites only and in general being smart are the best front line protection.

I have not used an AV on my linux pc for years and so far have had no issues. Phishing emails and texts are becoming harder to detect at first look but still can be easily bypassed with no problems.

It is, of course, up to you what you select as meeting your needs. Evaluate the risks and then decide.

Emails and web sites seem the first and main concern to me.

I used to be required to run anti-virus on linux at work, where clamav was configured to scan local storage periodically. Signature-based tests of file contents are pretty much a losing proposition though. There is work to improve the situation.
Detecting and Grouping Malware Using Section Hashes

A bigger problem in my view is the closed source UEFI most computer makers have chosen to embrace.
Securing UEFI: An Underpinning Technology for Computing
Is there anti-virus for UEFI? LOL

The expansion of SELinux via the possible use of confined users has more potential of being helpful as far as I can tell.
Confined Users (SIG)

There is so much exciting work in the area of trusted computing and zero trust environments and I am eager to do more to have more security and privacy.
Zero Trust in Zero Trust?

2 Likes

Another tool that might be of use on a system that is stable – such as one of the LTS distros that does not do updates daily or weekly – might be an IDS (intrusion detection system).
In the past I used tripwire, and there are others available. Once configured, it saves a database with the hash of all files in the OS, and when run it compares the actual file to the stored hash value. If there is a difference it means the file has changed. That may be the file inode, data in the file, or other. This means if anything about the system has changed the user gets an alert.

Not really useful with fedora and the frequent updates but very good as one tool for monitoring potential changes that were not done deliberately by the admin.
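The hash-database check described in this post, as an added illustration written for this thread (not tripwire's code or the poster's): it snapshots a SHA-256 digest plus inode, mode and owner for every regular file under a directory, and later diffs a fresh snapshot against the stored baseline. The demo tree, file names and contents are constructed; it assumes GNU coreutils (sha256sum, stat) and file names without newlines.

```shell
#!/bin/sh
# Added illustration of a tripwire-style integrity check: snapshot each file's
# digest and metadata, then diff a fresh snapshot against the stored baseline.
# Assumes GNU coreutils (sha256sum, stat) and file names without newlines.
set -u

# Record one line per regular file: sha256 inode mode uid gid path,
# sorted by path so two snapshots of the same tree line up for diff.
fim_baseline() {
  local root="$1" db="$2"
  find "$root" -type f | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" \
      "$(stat -c '%i %a %u %g' "$f")" "$f"
  done > "$db"
}

# Take a new snapshot and compare it with the baseline. Any differing line means
# a file was added, removed, or altered in content, inode, mode or owner.
# Returns 0 when the tree is unchanged, 1 otherwise.
fim_check() {
  local root="$1" db="$2" now changes
  now=$(mktemp)
  fim_baseline "$root" "$now"
  if changes=$(diff "$db" "$now"); then
    rm -f "$now"
    return 0
  fi
  rm -f "$now"
  printf 'Integrity changes detected (< baseline, > current):\n%s\n' "$changes"
  return 1
}

# Demo on a constructed temporary tree: the first check passes, then a file is
# altered outside the admin's control and the second check fails.
# Prints the two results as 1/0 flags, i.e. "1 0".
fim_demo() {
  local dir db before after
  dir=$(mktemp -d)
  db=$(mktemp)
  printf 'Port 22\n' > "$dir/sshd_config"
  printf 'alias ll="ls -l"\n' > "$dir/bashrc"
  fim_baseline "$dir" "$db"
  if fim_check "$dir" "$db" >/dev/null; then before=1; else before=0; fi
  printf 'unexpected extra line\n' >> "$dir/bashrc"   # simulated tampering
  if fim_check "$dir" "$db" >/dev/null; then after=1; else after=0; fi
  rm -rf "$dir" "$db"
  echo "$before $after"
}
```

On a real system the baseline file must live somewhere the monitored system cannot rewrite (read-only media or another host), otherwise whatever changed the files can also update the database.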

As already said, SELinux and the firewall are an absolute MUST.
A normal user should never ever EVER disable either.

On Windows you learned that you need a layered defense. The OS has ‘Windows Defender’, which is known to have a doubtful reputation, and on top of that you install one or more anti-virus products.

The main difference is that on Windows, when an attacker gets to a user account, he can effectively destroy the whole computer. That’s because Windows users have much more power - they can, for example, install new software on the machine. That would be like using just a root account for everything on Linux. On Linux, by default you shouldn’t be able to mess up more than just your user account. That’s why you need additional software, which tries to watch your every step and move, to check whether or not you are installing or executing malicious code.

To be “user-friendly”, many people breach the basic Linux security standards by adding more power to the basic user account. The most common example would be ‘sudo’ powers, which open up an entirely new attack surface.
So in practice, the usual Linux setup is way less safe than the out-of-the-box setup, as people are used to trading ease of use for security.

However, you can also go the other way, by strengthening your Linux setup. There are options to make the firewall, SELinux or the whole system (e.g. running the whole system in FIPS mode) much more strict and secure.

It is good to know that the firewall and SELinux rules are created and managed by the package maintainers. And we are still learning and enhancing them. There will, for sure, be a lot of space in the current SELinux rule set through which an attacker can slip. But even then SELinux is a priceless tool.

In conclusion, I’d like to say today is the age of easy virtualization and isolation. You can effortlessly isolate software you don’t trust on so many levels - containers, Flatpaks, VMs, Fedora Silverblue … I only know a few, but there is a ton of ways and tools nowadays. I heavily rely on Flatpaks to run untrusted code. You can easily run whole web browsers isolated from the system, allowing for a significantly lesser attack surface.

Again, there is a trade-off between isolation level and security. So while virtual machines are slow, they have full isolation. Containers and Flatpaks usually share at least the running system’s kernel. And there is for sure finer stepping in how isolated the code will be.

Tips and tricks:
Under attack via the network? Try firewall-cmd --panic-on
Want to protect your data when the computer is shut off? Use LUKS for full disk encryption.
Have multiple operating systems? Use LUKS to encrypt every OS’s partition separately, to keep the running OS from doing nasty stuff to the non-running OS’s files.

TL;DR:
Linux has a much better base level of security than Windows.
The native ways of strengthening your security on Linux are not anti-viruses, but other tools (not breaching security yourself for the sake of ease of use; running SELinux and the firewall in strict modes; running the system in FIPS mode; isolating untrusted code).

1 Like

This sounds really nice! I have to check it out some time.

Is “turn on and forget” a good enough way to handle selinux and firewalld, or is there something in particular one should pay attention to?

@monttukani, becoming educated on what the choices for security and privacy provide is not easy. The defaults in the Fedora ecosystem have the benefit of having lots of successful use and thus, from my vantage point, a good amount of validity.

When I first started running systems with selinux enforcing, there were a number of occurrences where some service or application was blocked from working correctly due to selinux policy. In those early times, running setroubleshoot and applying the suggested policy changes got the problem to go away but the impact on security may have incurred undesirable consequences. With the confined user SIG the recommendation is to file a bug report rather than apply a quick fix (cringingly, disabling selinux is a common “quick fix” for many).

I enjoy learning more about firewalls, selinux, seccomp, cgroups, namespaces and any other facility that can be employed to increase security and privacy. I highly recommend trying to use your system with higher, more restrictive security configured and then find resolutions to problems rather than reverting to the less secure configuration.

When I really started to think about daily driving linux, many comments on the internet suggested that wayland and selinux are both things that don’t act nice with steam… So far no problems from either of those.

Back in the early 2000s, at least in my circles, ZoneAlarm was a popular free firewall. I still miss the clarity it gave, as it would ask for program permissions, and if I didn’t know what the program was and wasn’t expecting anything to connect, I would deny and do some research… But back then there were not many programs requesting online access.

As long as you pay attention to what you download and click on, your chances of being hacked or getting a virus on a linux system are very slim. As has already been posted, Fedora has a firewall and SELinux, which work very well. When I used Windows many years ago I remember ZoneAlarm from the 1990s.

Pushing this thread up again:

Antiviruses follow a flawed approach that can never create a system with a reasonable security/effort ratio. They use something called badness enumeration, which can be explained like this:

The system runs everything and allows everything, except A, B and C. Those processes are malware and are not permitted.

Now what happens if someone develops malware D? It will only end up in a malware list if it was already used, with some delay and incompletely. I don’t think antivirus companies share their lists, which is very bad and increases this effort.

So you will never have a secure system and always need to follow every single piece of malware, and patch vulnerabilities.

SELinux and AppArmor, as well as Flatpak and others do the opposite, they only permit certain actions. This may break software, but you adapt the rules to what you know the software needs to do, and unless a release publicly announces a new functionality this should not change, so you are set.

Still, SELinux is disabled for the user and the desktop, which means everything in your home is unprotected, which makes SELinux on desktops basically useless. Any tool can modify your .bashrc and catch your sudo password, or see all your personal files which you don’t store in a system location.

Currently Flatpak is the best solution to avoid issues like these, this example is a cool way to make flatpaks work with dedicated filesystem permissions like music, documents, downloads etc.

SELinux confined users on the other hand also solve the same problem and work for way more programs than Flatpak does, but afaik they are not well compatible with Flatpak and they currently break Desktops and more.


Still, I think using ClamAV to scan files you download, like st**id AppImages or random binaries, is really important. As proprietary software and bad packaging formats get even more established on Linux (Tuta, Warp, Balena Etcher and whatnot have AppImages) this is more and more needed.

There is a Dolphin extension to scan files with ClamAV; I haven’t tested it though. Running ClamAV permanently in the background is a useless performance hog.