Does Ubuntu need antivirus?
July 3rd, 2008
This is a very common question that comes up on the Ubuntu Forums from new users migrating from Windows. The answer, of course, is “No, Ubuntu doesn’t need antivirus.” Linux (and sometimes Mac) users often get accused of being smug or complacent for saying they don’t need antivirus, so I think I have to clarify that answer for the skeptics.
What kind of virus are you looking for protection from?
I’m not an expert on all the terminology out there for malware, but there are basically two kinds of malware, when it comes to security—malware that self-replicates and infects through security holes and malware that tricks the user into installing it (what’s called social engineering).
What makes the first kind of malware such a problem in Windows (at least in XP—I’ve never tried Vista) is the default-to-administrator-account setup. That setup is reinforced by some Windows programs requiring that the user be an administrator, by Windows documentation assuming you are an administrator (very seldom have I seen instructions for installing a setup.exe tell you to right-click, select Run as…, and authenticate with an administrator account, on the assumption that you normally use a limited user account), and by the inconvenience of not being an administrator all the time (Run as… is not perfect and is often difficult to use).
The administrator account in Windows has access to almost everything on the system, so if it gets compromised, the entire system is compromised. And if you’ve ever had to clean malware off a Windows computer, you know how difficult it is to get all the junk out of the registry and all the reappearing programs and .dll files out of system directories.
A limited user account, on the other hand, has access only to its own account and very few system directories. I don’t know of any Windows malware that targets limited user accounts, but if a limited user account got compromised, cleaning up the malware would be a lot easier: you could create another account, copy user files over from the compromised account one by one (quarantining and examining each as you go), and then delete the compromised account.
In Ubuntu (and in most Linux distributions and Mac OS X), the default account operates mainly as a limited user account, with write access mostly to its own home directory; a user in the admin group (in the case of Ubuntu and Mac OS X) can then use “sudo” to temporarily escalate privileges for particular tasks after password authentication. On non-Ubuntu Linux distributions, the authentication is a temporary login to the root (total access) account.
While a lot of people make the case that separating user privilege from system privilege alone guards against malware infestation (and they probably have a point), I’d at least argue that that separation makes cleanup after an infection a lot easier. The only trustworthy cleanup I know of for a compromised Windows computer is a complete reinstallation of the operating system.
But then there is social engineering. This could be anything from a tainted email attachment that a friend innocently sends you and you open, to a website asking you to download a “codec” (disguised malware) to play a video. The point is that the flaw isn’t the operating system itself but you, the user. If you’re tricked into installing a piece of malware, it won’t matter what kind of security you have set up. Don’t listen to Linux users who will tell you that you first have to make a file executable and then run it. With all the “user-friendly” graphical tools now available, all someone has to do is create a malicious “cool” .deb file for Ubuntu and trick Ubuntu users into downloading it, double-clicking it, and authenticating with their password. That .deb can then run any command with root privileges and compromise your entire system. It could install a keylogger or a rootkit.
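The reason a .deb can do this is that it carries maintainer scripts (preinst, postinst, prerm, postrm) in its control archive, and dpkg runs them as root during installation. The defensive habit is to read those scripts before you authenticate. The example below is added here and is not part of the original post: it builds a constructed sample package in memory (no dpkg needed) and then parses the .deb, which is just an ar archive holding debian-binary, control.tar and data.tar, to pull out every maintainer script so you can see exactly what would run as root. The package name and script contents are made up for illustration; the parser is a minimal reimplementation of what dpkg-deb -e does, not dpkg’s own code.

```python
import io
import tarfile

AR_MAGIC = b"!<arch>\n"
MAINTAINER_SCRIPTS = ("preinst", "postinst", "prerm", "postrm")
# Constructed sample: the maintainer script a "cool theme" package would run as root on install.
SAMPLE_POSTINST = b'#!/bin/sh\nset -e\necho "postinst ran as $(id -un)" >> /var/log/cool-theme.log\n'

def _ar_member(name, data):
    # One `ar` member: 60-byte fixed-width header (name, mtime, uid, gid, mode, size, magic), then data padded to even length.
    header = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return header + data + (b"\n" if len(data) % 2 else b"")

def _tar_gz(files):
    # In-memory gzipped tarball, the form of the control.tar.gz and data.tar.gz members.
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(content), 0o755
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def build_sample_deb():
    """Constructed .deb (debian-binary, control.tar.gz, data.tar.gz) assembled without dpkg."""
    control = _tar_gz({"./control": b"Package: cool-theme\nVersion: 1.0\nArchitecture: all\n"
                                    b"Maintainer: Example <nobody@example.invalid>\nDescription: sample\n",
                       "./postinst": SAMPLE_POSTINST})
    data = _tar_gz({"./usr/share/cool-theme/README": b"constructed sample file\n"})
    return (AR_MAGIC + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", control) + _ar_member("data.tar.gz", data))

def list_maintainer_scripts(deb_bytes):
    """Return {name: text} for each maintainer script the package would run as root on install."""
    if not deb_bytes.startswith(AR_MAGIC):
        raise ValueError("not an ar archive, so not a .deb")
    pos, found = len(AR_MAGIC), {}
    while pos + 60 <= len(deb_bytes):
        name = deb_bytes[pos:pos + 16].decode().strip().rstrip("/")
        size = int(deb_bytes[pos + 48:pos + 58])
        body = deb_bytes[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)  # members start on even offsets
        if name.startswith("control.tar"):  # .gz or .xz; tarfile detects the compression
            with tarfile.open(fileobj=io.BytesIO(body), mode="r:*") as tar:
                for member in tar.getmembers():
                    base = member.name.split("/")[-1]
                    if member.isfile() and base in MAINTAINER_SCRIPTS:
                        found[base] = tar.extractfile(member).read().decode()
    return found
```

Running list_maintainer_scripts on a downloaded package (open it in binary mode) shows the same scripts the graphical installer would execute as root after you type your password; an unexpected postinst is the thing to read before clicking Install.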
Another time you shouldn’t listen to Linux users is when they try to say a lack of malware on Linux has nothing to do with market share, since Linux dominates the server scene, and Linux servers are not more compromised by malware than Windows servers. While what they’re saying is true, it’s also misleading. Most corporate servers are run by trained professionals or at least knowledgeable amateurs, and they’re less likely than the general populace to fall for a phishing scam or other kind of social engineering attack. This is not true, however, for home users. Nevertheless, the point is moot. If security by minority has any validity, I think you can rest pretty easy that within the next three years, Ubuntu won’t reach over 50% of home user market share, no matter how successful it is or how many “years of the Linux desktop” pass by.
But don’t Linux viruses exist?
Yes, but they are either proof-of-concept ones created for research purposes or ones that took advantage of flaws that have since been patched. There aren’t any Linux viruses that are actual threats to Linux systems. If malware relies on social engineering, though, and you’re tricked into installing it, then your system is screwed either way—running an antivirus program won’t help you.
Should you run antivirus just in case?
Well, obviously I can’t stop you. You can also wear a gas mask around all the time when walking through perfectly healthy air. I won’t stop you from doing that either. But in either case, I’m not going to pretend what you’re doing makes sense.
Most antivirus applications in Linux scan for Windows viruses, and if a Linux virus came into existence and actually was a threat, it wouldn’t automatically be in your antivirus application’s definitions anyway, since the virus is new. So you wouldn’t be protected. A vaccine against polio isn’t going to protect you from getting AIDS. Neither is an outdated set of virus definitions going to protect you against a new threat.
Shouldn’t we protect Windows users?
Some have made the case that it is our responsibility to protect our Windows-using friends and relatives by scanning files before they’re sent to Windows users. While that case could be made, I don’t think Linux home users make up a large enough demographic to protect Windows users in such a way. It’s about as effective as building a wall around a city for protection but having the wall go less than 1/10 of the way around the city. Great. The attackers will just go to a different entrance to attack the city. (See the first link in the Further Reading section for more details.)
This brings up a good point, though. If you’re using Ubuntu as a regular desktop or laptop computer, you don’t need to run antivirus, but if you’re using Ubuntu as a mail server, you probably should install and use antivirus. In fact, many mail servers are Linux-based, so you would be part of a very large wall—an actual first line of defense.
What good is antivirus?
I do have to say, though, I think antivirus is mainly a resource hog and almost a placebo. It’s something that makes people think they’re secure without actually making them secure. In fact, every time I’ve seen a Windows-using family member or friend get infected with malware, that person has always been running antivirus, antispyware, etc. You can’t rely on a program to protect you. You have to learn good security practices yourself—don’t run as administrator regularly, use strong passwords, learn to recognize social engineering and phishing scams, do not visit sketchy websites, etc. Relying on anti* programs for protection is like thinking the vaccinations you get from the doctor protect you against all disease in life. You can’t then just have unprotected promiscuous sex, never wash your hands, eat anything you find in the forest, and have extensive physical contact with sick people, and then expect to stay healthy.
Antiviruses operate in two ways, and ultimately neither way ends up being effective for home use. One way is maintaining a list of known viruses. Well, when a new virus shows up, it won’t be in that list before it’s done some serious damage. The other way is trying to identify malware based on the content of the file. This leads to a lot of false positives and essentially defeats the point of antivirus, since it ends up being the user deciding what files are trustworthy or not… or just getting used to overriding the false positive identification of the antivirus application to the point that it’s like whitelisting everything. I would actually argue that you don’t need antivirus in Windows either. I know that sounds brash, but I believe it’s true. If you want Windows to be secure, use a limited user account, show file extensions for all files, use Thunderbird instead of Outlook, learn how to identify and avoid social engineering, and use strong passwords.
Conclusion
Frankly, I’ve never seen a real epidemic threat to Ubuntu users, but if one appeared, I promise you that having antivirus installed would not protect you from it. Saying you don’t need antivirus in Ubuntu is not complacency—it’s common sense. Learn about real security good practices and stop clinging to the antivirus placebo.
Further Reading
A succinct sum-up of this rather long-winded blog post you’re reading
A short write-up on Ubuntu security
A more in-depth write-up on Ubuntu security
July 4th, 2008 at 3:09 am
I think there is one type of antivirus effective for windows: the “Scan this file and that’s it” kind. I use AVG, and dual boot Vista/Ubuntu, and I’ve gotta say, I never run full-system scans. By the time one of those picks up something, it’s probably too late. I do, however, run an individual file scan on anything I download (other than like a .txt to do list or something) just in case. That, I think, is good as an extra line of protection, and a first line of defense against even social engineering attacks. It won’t stop everything, but for the ones that would have gotten through on my stupidity, it at least provides some cover.
July 6th, 2008 at 1:14 am
We are running Ubuntu 8.04 and have Clam AV installed. It is easy to install, as it is in the “add/remove” repositories as “Virus Scanner”.
The designer of the Linux GUI for Clam AV, known as Clam Tk, says this in his FAQs about whether you need it or not http://clamtk.sourceforge.net/faq.html :
Q: “I thought Linux doesn’t NEED antivirus protection!”
A: “You probably do not need it. But if you feel more comfortable using it, great.”
We avoid all the viruses distributed out there on the net by doing just as you have described here in your article. Actually we use webmail instead of Thunderbird, which gives even more security as everything gets scanned before we even read it plus all downloads are scanned too.
However we also update Clam AV regularly and run it from the command line to do a whole system scan now and then. It doesn’t hurt to do this and it certainly doesn’t lull us into a false sense of security. Some times we use Clam Tk to scan a suspicious single file, just to see if it is something we don’t want to forward onto a Windows user. Anything that we might have come up positive we would upload to Jotti’s malware scanner at http://virusscan.jotti.org/ for 20 extra “second opinions”.
In running Clam AV on our Ubuntu systems we have never found any viruses, but have had several “false alarm files”. These are benign, often system files, that Clam AV has mistaken for viruses. We always submit these to the Clam open source dev team through http://cgi.clamav.net/sendvirus.cgi and thus can feel that we are contributing in a small way to helping make the only open source free software anti-virus project better and more competitive with its commercial competitors. It takes little time and costs us nothing to do the scans and submit the odd false alarm report.
July 11th, 2008 at 3:19 pm
I agree 99.99% with the writer of this article. Although he states that you shouldn’t run from the admin account all of the time, I do anyway because I like having access to Windows files. But social engineering is the only reason un-computer-savvy people get viruses, because they do not know what they are doing. But I have seen people get viruses that have infected their PC, and they did have full running VP. And the only way, like the writer stated, to safely get it off was to reload the OS. Oh yea, Ubuntu rocks.
September 6th, 2008 at 9:50 pm
I don’t believe that the author of the article is smug – just a little naive.
He states that installing malware would be difficult because of the way Linux is set up into two different types of accounts. The administrator has the right to install programs and modify settings; the user just uses the system and the software. What makes this statement naïve is the idea that this “wall” will not be surmounted. At this time, Linux has, according to Wikipedia, a market share of just 2% in the overall desktop OS segment. These numbers alone make Linux uninteresting to the criminal hacker, who has a bigger target in Windows’ 90%. But what if the goal of the Linux community to surpass Windows is reached? Then the interest would be piqued because now hackers have a bigger target. Having access to the entire source code of Linux – kernel and applications – makes it even easier to infiltrate a system considered safe.
October 13th, 2008 at 1:54 am
Well,
I think the writer of the article has busted all doubts regarding the very famous topic “Virus Protection for Linux”.
As I often come across people arguing with me on the topic, I can simply redirect them on this article.
I am absolutely with the writer and believe that nothing can actually stop viruses entering Windows Systems. Whereas Linux, because of its internal architecture is much much more secure than Windows.
Also, there is no cure of “Social Engineering”.
Being secure is an art, not science.