Can someone explain linux viruses to me!

Hi all. First post and just started using Linux hence the confusion. Been a long time MS fan but Vista is a step too far and I refuse to use it after trying to get used to it for months.

Basically it seems a lot of the Linux community I’ve found via Google seem to be on a really high horse and state it’s impossible for Linux to get a virus so no need for antivirus software at all if you use Linux - how is this the case though?

From what I see people base this purely on the fact that Linux requires you to enter root details to install a virus and if you don’t install a package from an unknown source you’re fine. Well… I never had a virus in Windows XP using the same principle. I never ran a package from an unknown source and only logged in as a basic user unless I needed admin access! So surely I could state the same thing and say Windows can’t get a virus either?!

For a “noob” like me coming over to Linux, I don’t know what’s a good file and a bad file so for all I know I could be trying to install what I think is a legit package yet it is malicious code opening a back door. So this is where my questions begin…

  1. Can people piggy back malicious code onto legit files like they can in Windows?
  2. The whole argument about having to provide root details won’t hold up in this case as I may run it without knowing
  3. To stop me making mistakes whilst learning linux, what points can people give me to make sure the files I open are legit.
  4. Does AV exist for file scanning in linux or does the signature scan like in Windows not act the same in Linux because of the way files work?

From what I can see there are currently very few viruses for Linux because it’s not as popular as Windows so few have been written - but that’s completely different from people on the net claiming viruses DON’T exist for Linux. Surely if Linux takes off then more viruses will be made and new users will make mistakes and get infected? If no AV solution exists then Linux won’t take off?

Cheers for any info!

Basically it’s not a problem. Not that there are none, but the principal modus operandi of Linux is so different from Windows.

  1. Run a system with separate root and home partitions.
  2. Never run your system as root.
  3. Use only known and trusted sources/repositories.
  4. Use a hardware firewall if possible and keep Suse firewall enabled.
  5. Use common sense online.

Some of us use a program like ‘rkhunter’ to check for rootkit exploits. This is a more likely problem in Linux than viruses.

It’s harder to get a virus installed in Linux for various reasons:

  1. Linux repositories are hosted by trustworthy parties, either vendors or well-known groups. It takes more effort and a lot of determination to deliberately set up a repository with malware. First you would have to win the trust of the community over time, then you would have to build the malware packages (and in different formats and for different architectures, for wider coverage). At the end you may catch some people unaware but then once exposed, you’re out. And for very little gain. So malefactors tend to go for the easier target, just provide some tempting Windows dodads that contain malware on some random site or through P2P sharing. Once I did get one (spam) email to root on a server claiming that I should install an attached Redhat RPM. On a SUSE machine. I just had a good laugh and consigned it to the trash.

  2. Linux apps are careful not to execute attachments. You would have to do some social engineering to convince the user that an attachment should be made executable and then to execute it. By this time the user would have gotten suspicious or lost interest. In Windows it’s as easy as a click, or worse still, via drive-by with a vulnerable web browser.

  3. Linux runs on various architectures and has various vintages, and a malware writer would need to cover more bases than Windows, where just targeting i386 will effectively get him all the Windows users (including the W64 ones).

  4. Linux users tend to be more savvy and more careful.

I’m sure there are others, but it’s getting late.

Anyway none of these objections are fatal to viruses but each one raises the bar so that the survival rate of a virus is much reduced.

I haven’t put the need root permission objection because these days it’s bad enough if malware can send out spam as you without needing root permission.

So if you take the basic precautions: use only official repositories, keep your software updated, don’t visit dodgy sites (in case of holes in Flash or Acrobat or other proprietary apps where the FLOSS people have no way of checking the safety of the code), you should be fine.

OK thanks all. So on the off chance that I’m not paying attention and stupidly manage to get a keylogger, trojan, etc. installed by mistake how can I remove it easily? Are there any good programs out there for removing rootkits or scanning for keyloggers, etc.? That’s my main concern for now!

rkhunter has been suggested.

But really, best practice requires that you never get into this situation because a compromised machine cannot be trusted and should be reinstalled with system software and then user data restored.

Generally it is pretty safe to run a Linux machine, simply because viruses are .exes = Windows executables. It has been explained why it simply is not worth the time figuring out a Linux-compatible virus.

I never had Win or any other systems than Linuxes, and even though I started as a n00b (Linux-wise and www-wise), I never ever caught anything malicious. Never.

But since there are more ways to attack than using a virus, brain1.0 should always be mounted before starting the system. Since you seem to be aware and trained, chances are pretty good that you’ll be safe.

A little OT, but this thread about running viruses with wine is pretty informative and d@mn funny, give it a read, it might give you a better idea about security-issues under Linux: → What would happen if you ran a windows virus using Wine?

What is a virus? A general definition of a virus is that it’s a piece of code that when executed does something harmful to your computer. This can go from deleting your personal files to messing up your kernel.

The claim that viruses don’t exist for linux is false. There are viruses but not nearly as much as there are for windows. So the odds of you getting one are tiny at best. But if you get one and you let it run, it can surely do some nasty damage. If you execute a suspicious file with root privileges it’s your responsibility.

There are other elements that make linux into a safer environment than other operating systems as well. The fact that it needs a root password for anything sensitive and that your default account will not be the root account is the best example of this (unlike in windows). The practice followed in linux is that it never allows you to work outside of your user space without asking for a password.

Things like malicious code in office and multimedia files also don’t exist in linux. Opening a word file is a risk in MS office.

  1. Can people piggy back malicious code onto legit files like they can in Windows?

As long as you stick to your package manager your packages are authenticated and the integrity is checked with a security key (in Windows there is no such thing as a package manager). If it does occur that you need to get your code from somewhere else it’s your call whether you trust it or not. The fact is that most of your Linux programs will be installed with your package manager thus eliminating any danger.

  2. The whole argument about having to provide root details won’t hold up in this case as I may run it without knowing.

True but as long as you don’t enter a root password something can’t run with root privileges. In a desktop environment you’ll always get a popup window. In a shell you might just forget from time to time that you’re working as root but someone doing fancy root-stuff in a shell should be smart enough to know that.

  3. To stop me making mistakes whilst learning Linux, what points can people give me to make sure the files I open are legit.

Stick to your package manager and sources you trust.

  4. Does AV exist for file scanning in Linux or does the signature scan like in Windows not act the same in Linux because of the way files work?

I don’t know any anti-virus scanner for Linux. If there are any they will be scarce. It’s just not economical to invest in virus scanners if you hardly have any viruses.

You can never dismiss the possibility that users will execute something they shouldn’t in any operating system but linux diminishes the odds of that greatly.

Agreed… don’t get viruses. There are other options of
virus-detecting software that will work in Linux like ClamAV (Google for
others if needed) but all of those technologies work after it’s possibly
too late. Along with what ken yap wrote already keep in mind that in
windows malware “takes over” because it runs as Administrator and
windows has made it very difficult to run a system without at least
Power User privileges, which are very strong indeed. I’m generalizing
slightly, but to make my point go to your non-technical friend and make
them ONLY a regular ‘User’ in a new windows system that you haven’t
configured for them and see if you make it one day without a phone call
demanding more privileges. You mentioned that you can run safely in
windows by doing the same things, which is just as true there. Running
Linux as ‘root’ is safer than running windows as Administrator, but it’s
still insanely stupid to do on a day-by-day basis. The well-established
and proven concepts of least-privilege apply to any environment where
some kind of “infection” can take place… computers, human bodies,
private organizations… you give permissions when needed, but the
problem is that to do anything in windows you regularly need to be
privileged. When you run Firefox or (worse) IE as Administrator every
bug not only in windows is opening you up to attack, but now every bug
in the software you run that goes out onto the malware-infested Internet
is opening you up. Every plugin in the browsers is the same way.
Every component of the OS that doesn’t listen for incoming connections
but now helps the browser render content is suddenly open for attack.
While these attacks may be possible when running as a regular user the
impact of a successful exploitation is completely different since it
might ruin your user account as a whole but with ‘root’ privileges it
ruins your account, your system, every other account on the box, and if
you are sharing files between boxes it could potentially infect other boxes.

So, does running as non-root protect you from Viruses completely? No…
anybody who says any system (technical or other) is fool-proof is
incompetent, but does it prevent the damage that happens during an
infection? Definitely.

Adding to that the way windows determines it should “execute” an
application is by the file extension, which is crazy. In Linux you need
to set the ‘execute’ bit on a file to have it be executed by the system
(even if the system only executes it as a plain old user). Files may be
double-clickable in the GUI and then loaded by an application, but they
are never just arbitrarily run, and if something looks suspicious you’ll
often be prompted to either open the file, display it, or run it, so you
can tell you are potentially being silly. This is all, still, as a
regular old user. So an attacker needs to either lure you to a site
which exploits weaknesses in your browser and OS, or they need to get
you to run files after making them executable. Both rely on users being
halfway intelligent to successfully carry out, but the biggest weakness
in computer security has always been us mere mortals. When was the last
time you saw a virus-free and completely firewalled computer go and
download an application from the Internet for fun that turned out to be
a virus instead of a screensaver because it was “cute” or “fun” or
“looked interesting”? When was the last time a human did so?

Well I’ve gone off… feel free to ask follow-up questions but in
general Linux was designed to be secure… designed to be multi-user…
designed with more in mind than blindly making a user able to do
anything they wanted to on the slightest whim.

Good luck.

ken yap wrote:
> rkhunter has been suggested.
>
> But really, best practice requires that you never get into this
> situation because a compromised machine cannot be trusted and should be
> reinstalled with system software and then user data restored.
>
>
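Two points from the replies above, that a package should have its integrity checked before it is trusted and that Linux will not run a file until someone deliberately sets its execute bit, can be seen in a few lines of shell. The script below is an added example and is not code from any poster in this thread; the “downloaded” installer script, its published checksum and the tampered copy are all constructed inside a temporary directory, and only standard tools (`sha256sum`, `mktemp`, `cut`) are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. It demonstrates two points made
# above: a file you download or create has no execute bit, so the shell will
# not run it until you deliberately add one, and a file's SHA-256 should be
# checked against the value the source published before you go that far.
# Everything here (the "downloaded" script and its checksum) is constructed
# inside a temporary directory and removed on exit.

set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Succeeds only if the current user may execute the file.
is_executable() {
    [ -x "$1" ]
}

# Attempts to run the file directly, the way ./name or a double-click would.
# Succeeds only if the kernel actually executed it.
try_run() {
    "$1" >/dev/null 2>&1
}

# Compares the file's SHA-256 with the expected hex digest.
# Succeeds on a match, fails on any difference.
verify_sha256() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# Constructed "download": a harmless installer script written as plain data.
printf '#!/bin/sh\necho installed\n' > "$WORK/setup.sh"
# The digest the (constructed) publisher would have listed beside the file.
PUBLISHED_SUM=$(sha256sum "$WORK/setup.sh" | cut -d' ' -f1)

# The same script after one line has been appended, i.e. tampered with.
cp "$WORK/setup.sh" "$WORK/setup-tampered.sh"
echo 'echo something extra' >> "$WORK/setup-tampered.sh"

# Prints what happens to a file at each of the three checks.
report() {
    f=$1
    if is_executable "$f"; then echo "$f: execute bit set"; else echo "$f: no execute bit"; fi
    if try_run "$f"; then echo "$f: ran"; else echo "$f: shell refused to run it"; fi
    if verify_sha256 "$f" "$PUBLISHED_SUM"; then echo "$f: checksum matches"; else echo "$f: CHECKSUM MISMATCH"; fi
}

report "$WORK/setup.sh"
report "$WORK/setup-tampered.sh"
```

Run as-is, both files are refused by the shell because neither carries an execute bit; only the untouched copy matches the published digest. Adding `chmod u+x` to the verified file is the deliberate step the thread describes, and doing it before the checksum matches is the mistake the check exists to catch.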

In a shell you might just forget from time to time that you’re working as root but someone doing fancy root-stuff in a shell should be smart enough to know that.

That actually happened to me all the time when I started using computers, more precisely: working in a root-shell, then doing something else, then coming back to the shell and forgetting it has root-privileges. Putting the following lines in bashrc solved it:

# Only for root shells (uid 0): make bash exit the interactive shell after
# TMOUT seconds without input, so a forgotten root shell does not stay open.
if [ "$(id -u)" -eq 0 ]; then
  IDLELOGOUT=300
  echo "root will be logged out after 5 minutes without input or job"
  export TMOUT=$IDLELOGOUT
fi

I don’t know any anti-virus scanner for linux.

ClamAV has been mentioned, also there is a Linux-Version of AntiVir (even with GUI!), but that of course only makes sense when a system works as a server for Windows-clients, since they will only scan for known Win-viruses.

Yes, the bit about not working as root unnecessarily is more for one’s own protection than anything else. Who among us has not encountered or had a close shave with the dreaded onosecond, which is the shortest interval of time known to man, that between hitting return on an unintended command and realising the mistake? :wink:

I think the onosecond also has relativistic properties…

Ctrl+Alt+Backspace vs. Ctrl+Alt+Left/Right Arrow
onosecond is small, but not tiny

rm -rf / #forgot/missed the ‘.’ I always put in there

‘onosecond’ has a very small value indeed, inversely proportional to the
time it takes for Ctrl+C to take effect.

Good luck.

ken yap wrote:
> Yes, the bit about not working as root unnecessarily is more for one’s
> own protection than anything else. Who among us has not encountered or
> had a close shave with the dreaded -onosecond-, which is the shortest
> interval of time known to man, that between hitting return on an
> unintended command and realising the mistake? :wink:
>
>

Thanks for all the advice! Most helpful.

Was hoping to give my aunt a laptop with Linux on it but seeing that you can indeed mess up your system if you run stuff you shouldn’t then I’ll leave it for now and just run it on my own machine! The number of times they’ve broken their XP one by running stupid programs just isn’t worth the headache when I don’t know how to fix it or even know they have, say, a keylogger installed as you can’t scan for one!

I’ll continue learning linux for now and see how it goes and be careful about what I run. Only worry I have is that I may install an application, it seems to work but it may be infected by something and I’ll never know :frowning:

Will check out the AV systems mentioned as if they can scan for problems now and again that would be helpful to find out if I’ve managed to pick up an infection :slight_smile:

Well, by all means give your aunt a Linux box. The joy of Linux is that
she’s going to have a hard time destroying it. She’s not going to be
able to find a virus that easily destroys her system, much less make it
executable and run it on accident. The applications she does want
installed she’ll learn how to do but it’s not going to be as easy for
her to be infected. If something runs as her regular user you can
remote in (SSH or something over SSH or whatever) and delete her user,
recreate it, or restore it from backup, and she’ll never even know… no
reboots required. Trust me… all the people I know who require hours
and hours of my time on windows require minutes, at most, on Linux.
They just stop breaking things. I don’t wipe their boxes every six
months because they’re slow or they obviously have viruses. They don’t
run AV software because it’s worth my time to let them have a fast box
and, someday, wipe it if things go wrong. In the meantime I tell them
to backup their data once in a while (hard drive, CD, DVD, whatever) and
enjoy their computer. People don’t need windows to work… there are
much easier ways once they realize the button in the corner doesn’t need
to say ‘Start’ to be usable.

Good luck.

viperuk wrote:
> Thanks for all the advice! Most helpful.
>
> Was hoping to give my aunt a laptop with Linux on it but seeing that
> you can indeed mess up your system if you run stuff you shouldn’t then
> I’ll leave it for now and just run it on my own machine! The number of
> times they’ve broken their XP one by running stupid programs just isn’t
> worth the headache when I don’t know how to fix it or even know they
> have, say, a keylogger installed as you can’t scan for one!
>
> I’ll continue learning linux for now and see how it goes and be careful
> about what I run. Only worry I have is that I may install an
> application, it seems to work but it may be infected by something and
> I’ll never know :frowning:
>
> Will check out the AV systems mentioned as if they can scan for
> problems now and again that would be helpful to find out if I’ve managed
> to pick up an infection :slight_smile:
>
>

viperuk, you got a totally wrong impression!

You see, before your aunt will be able to execute some bad script, she has to a) find it, b) make it executable (and know that it has to be made executable), c) run it.

Furthermore: you see, I have never seen a Linux-compatible file like “HarryPotter123Complete.sh” or “WildHousewifesOnLSD!!!11!!.bin” (not that I think your aunt would want to execute such stuff, kay?). There is no such thing as a Linux malware scene, only servers suffer from attacks, for example rootkits and the like → a completely different thing. Attacks could happen by exploiting bad code, and those holes are usually fixed quickly via updates. Your aunt herself could mess up her /home (not the entire system) by removing configuration files or whatever, but that she could do on any system - this includes the idea of you keeping the root password so she can’t do any administrative stuff (like installing software) - I did that on some machines to let the n00b get used to the system without the ability to mess up everything.

Anti-malware-software won’t be of much help, for programs like AntiVir scan for Windows-viruses, not Linux-viruses (which actually simply do not exist, some have been programmed for testing reasons, but they never spread).

Script kiddies are interested in creating as much chaos as possible, that’s why they don’t care for Linux → too much work (due to rights management etc.), too little potential success.

A Linux can be hardened, though, by taking care of potential risks in the network itself - rkhunter or fail2ban are two examples. I have them both running, which is totally ridiculous, since those are normally used on servers. fail2ban for example simply bans a certain IP when more than a certain amount of login attempts (usually five) have occurred → byebye wordbook attacks; this can be configured for ssh connections, the usual P2P ports and other services. Still, I wouldn’t consider a Linux without fail2ban insecure…

I don’t want to soothe your worries, but those are facts. To be aware is good, but paranoia is never a good mentor.
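The rule fail2ban applies to sshd, as described in the post above, is simple enough to show on a handful of log lines: count the failed password attempts per source address and flag any address that reaches the limit. The script below is an added example; it is not fail2ban’s own code and not from any poster in this thread. The sshd log lines are constructed (the addresses are from the documentation ranges and belong to nobody), and only `awk` and `sort` are assumed.

```shell
#!/bin/sh
# Added example, not from the thread and not fail2ban's own code. It applies
# the rule described above to sshd logs: count "Failed password" lines per
# source address and report every address that reaches the limit (five is
# the usual default). The log lines are constructed; the addresses come from
# the documentation ranges and do not belong to anyone.

SAMPLE_LOG=$(cat <<'EOF'
Oct 15 10:01:02 laptop sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 15 10:01:04 laptop sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Oct 15 10:01:07 laptop sshd[2213]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct 15 10:01:09 laptop sshd[2215]: Failed password for root from 203.0.113.5 port 51242 ssh2
Oct 15 10:01:12 laptop sshd[2217]: Failed password for invalid user test from 203.0.113.5 port 51247 ssh2
Oct 15 10:01:15 laptop sshd[2219]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Oct 15 10:05:30 laptop sshd[2300]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Oct 15 10:05:41 laptop sshd[2300]: Failed password for alice from 198.51.100.7 port 40012 ssh2
Oct 15 10:05:52 laptop sshd[2300]: Accepted password for alice from 198.51.100.7 port 40012 ssh2
Oct 15 10:06:00 laptop sshd[2305]: Accepted publickey for bob from 192.0.2.44 port 33001 ssh2
EOF
)

# Reads log lines on stdin; prints "address count" for every source address
# with at least $1 failed password attempts, one per line, sorted by address.
find_repeat_offenders() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field right after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") failures[$(i + 1)]++
        }
        END {
            for (ip in failures)
                if (failures[ip] >= limit) print ip, failures[ip]
        }
    ' | sort
}

# Reads log lines on stdin; prints how many logins sshd accepted.
count_accepted() {
    awk '/sshd\[[0-9]+\]: Accepted / { n++ } END { print n + 0 }'
}

echo "Addresses with 5 or more failed password attempts:"
printf '%s\n' "$SAMPLE_LOG" | find_repeat_offenders 5
echo "Addresses with 2 or more (too low a limit: it catches alice's two typos):"
printf '%s\n' "$SAMPLE_LOG" | find_repeat_offenders 2
echo "Successful logins: $(printf '%s\n' "$SAMPLE_LOG" | count_accepted)"
```

With the default-style limit of five only 203.0.113.5 is reported, while 198.51.100.7, a legitimate user who mistyped twice and then got in, is left alone; lowering the limit to two flags that user as well, which is why the threshold (and a time window, which fail2ban adds and this script omits) matters. On a real system the same lines come from `/var/log/messages` or `journalctl -u sshd` instead of the constructed `SAMPLE_LOG`.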

I was reading through the post and wondering what are the typical places that you would download any needed programs. I am new and just trying to ensure that I will get anything from a legit place. Thanks!

I would like to add my 2 cents about viruses. Basically, in my experience a virus infection is a direct result of the actions of the user. I’ve had to fix plenty of windows computers with said problems, and in almost all cases the viruses in question were deliberately installed by the user(s).
I actually had one person who was having some trouble with an application and needed my help. His Windows computer had run with only the basic built-in firewall, and no anti-virus or anti-spam for over three months, and yet his computer was not compromised. Why? Because he is smart on the internet. He doesn’t install things he doesn’t need or doesn’t know what they do, and doesn’t visit suspicious web pages.
Heck, one of the most tech savvy people I know is not considered so because she can compile in her head, it’s because she’s aware of her ignorance. Being mindful about your actions is probably the important factor in preventing a virus infection.

Once you decide which AV solution you like probably just go to their
website. For example Google found this one for me quickly:
http://www.clamav.net/ Note that I have never used AV software in Linux
so I don’t really think it’s needed largely except for cases like the
one mentioned in this older article: http://www.linux.com/articles/22899

Good luck.

2quick wrote:
> I was reading through the post and wondering what are the typical places
> that you would download any needed programs. I am new and just trying
> to ensure that I will get anything from a legit place. Thanks!
>
>

I was actually meaning for any programs in general, not just AV stuff.

Well that’s an interesting question. If you search for a product and it
comes up with its vendor you can go to the vendor webpage and probably
be fairly safe unless the vendor is disreputable as well. I guess this
will just take research as it does with any program for any computer.
Don’t install if you don’t trust it, and you shouldn’t trust things you
don’t know fairly well. For example just because something sounds good
and people use it doesn’t mean it is good (this applied to a lot of
things in life of course). Bonzi Buddy, for example. Used by lots,
but oh yeah… malware. Oops. Anyway, do some homework before you
give something ‘root’ or Administrator or other kernel-level privileges
to any system. Most applications aren’t malicious and unknown for long
so searching around should find decent information.

For most functions there are probably applications within the
repositories that are easily installed and fairly safe. For RPMs or
source from other sources, know the source. To actually know for sure
you are hitting the webpage you think you are hitting (in case you’re
REALLY paranoid) then some more work needs to be done… DNS/ARP
poisoning can do a lot of fun things without being overly obvious to the
end user, but most of the time that isn’t the case.

Good luck.

2quick wrote:
> I was actually meaning for any programs in general, not just AV stuff.
>
>

2quick wrote:
> I was reading through the post and wondering what are the typical places
> that you would download any needed programs. I am new and just trying
> to ensure that I will get anything from a legit place. Thanks!

These are a pretty safe bet:

http://en.opensuse.org/Package_Repositories
http://en.opensuse.org/YaST_package_repository

…Kevin

Kevin Miller
http://www.alaska.net/~atftb
Juneau, Alaska
Registered Linux User No: 307357, http://counter.li.org