Virus v. Trojan: not just about semantics

Whenever a new trojan appears for Linux, Mac OS X, or (now) Android, inevitably you get a crowd of ignorant panic-mongers up in arms saying “See? [fill in the blank] gets viruses, too! Ah ha! Better install that antivirus now.” Now, apart from the fact that so-called “antivirus” software is for all practical purposes useless (a placebo at best), viruses and trojans are conceptually very different types of malware.

And, no, this is not just a matter of some geeky semantics.

The mass hysteria out there right now about Android malware reminds me of HIV/AIDS “information” back in the early or mid 80s. People were genuinely afraid you could catch AIDS from hugging someone or drinking from the same water fountain as someone who had AIDS. There wasn’t a lot of reliable and consistent information about how people became HIV positive.

Same deal now. If you read any mainstream press coverage of Android malware, you’ll see the focus is really on quantity (Android Malware Surges Nearly Five-Fold Since July or Android sees a 472% increase in malware since July) of malware instead of actual risk of infection. In typical pop journalism fashion, a lot of “news” articles are taking the “here’s one extreme, and here’s another extreme, so you decide” approach instead of actually informing consumers of the facts of how they can protect themselves from malware.

For example, Security Experts Concerned About Google’s Attitude Toward Android Malware makes it sound as if there is Chris DiBona saying Android malware isn’t a problem and then there are the “antivirus” vendors saying it is a problem. Same deal in Android Security: Threat Level None?

All these articles leave the consumer with is a sense of confusion, and no real practical steps to protect oneself. The former, for example, says:

Most malware researchers agree that the openness of the Android platform, which allows installing non-vetted apps, and more importantly the openness of the Android market, which lacks a strict application review process, contribute to its malware problem.

The latter at least hints that users could be responsible for malware proliferation:

Now that we have a few different views on this topic, who do you think is right? Well, there’s some truth to what the security vendors are telling us. Smartphones—and apparently Android devices in particular—can be infected with malware through careless use.

Careless use. Who is doing the careless using? Phone owners. Phone users.

That is the big difference between a virus and a trojan. The trojan you have to give permission to. You have to invite the trojan in. You know the famous story about the Trojan Horse? Yeah, that attack wouldn’t have worked if Troy had said “Yeah, fancy wooden horse? We’re not letting that into our city.” Same deal with malware. If you don’t install malicious apps pretending to be legitimate, you won’t magically get infected with malware. This is true for Android, Mac OS X, and Linux. I have never heard of any malware proliferating on any of those platforms that was not a trojan.

So if you want to protect yourself, don’t install “antivirus.” Install some common sense instead. Here is a great, step-by-step guide on how to do that: How to be safe, find trusted apps, & avoid viruses – A guide for those new to Android

You’re welcome.

The 6 Best Ways to Secure Windows

Step 1. Install Windows updates automatically
Step 2. Make your primary account a limited user account
Step 3. Use Firefox with the NoScript extension
Step 4. Read up on social engineering and how to avoid being the victim of it
Step 5. Do not pirate software, music, or movies
Step 6. Avoid all “antivirus” or “security suite” software


Out of the top three consumer-oriented software platforms (Windows, Mac OS X, various Linux distributions), Windows is my least favorite operating system, but I’m no Windows hater. A lot of times I hear Mac and Linux users saying they switched because they were tired of viruses and malware in Windows.

While it’s true that Mac OS X and most Linux distros make it easy to keep your operating system secure with their default settings, you can make Windows just as secure, and that’s what this six-step guide is for.

If you follow these instructions carefully, you should pretty much never get malware (spyware, adware, viruses, trojans, rogue viruses, worms) in Windows.

The screenshots use Windows 7, but the same principles apply to Windows Vista and Windows XP as well. The steps may just be slightly different (especially for Windows XP). If you’re still using Windows 98, pay for an upgrade to Windows 7; or if you’re too cheap for that, just switch to Linux. There’s almost nothing Windows 98 can do that Linux can’t, and Windows 98 no longer receives security updates (it also has no limited user accounts).

You can click on the screenshot thumbnails if you want to see larger versions.

Step 1. Install Windows updates automatically

In early 2009, there was a lot of paranoia about the Conficker worm, which was supposedly going to do scary things and which had already infected 10 million computers. Which users had to worry about Conficker? The Windows users who did not install Windows updates. A full month before that iteration of Conficker became active, Microsoft had already released a patch for the flaw Conficker exploited.

Windows Updates can be just annoying prompts to install a new version of “Windows Genuine Advantage.” More often than not, though, they are actual security updates that patch flaws and security holes in the Windows operating system. It is a good idea to set these updates to install regularly.

Go to the Start Menu > Control Panel > System and Security

Then under Windows Update, select Turn automatic updating on or off

Make sure updates are set to install automatically. Then click OK.

Step 2. Make your primary account a limited user account

Have you ever had your Windows installation infected so thoroughly (registry, dlls, startup programs, other system files) that it was apparent it would take less time to reinstall Windows than it would to try to clean out all the malware that destroyed Windows? Are you kicking yourself because the infection came through one or two clicks of the mouse?

Well, that’s because Windows, by default, makes the primary user a full system administrator. In newer versions (Windows Vista and Windows 7), there is something called User Account Control. It’s that annoying “Are you sure? Are you sure?” prompt you get that you end up conditioning yourself to always click “Yes” to.

By using primarily a limited user account, you can feel free to click on what you want and not worry about infecting system files. When you want to finally install software, you can do so by temporarily authenticating as the administrator account.

First, we’re going to create a new administrator account.

Under System and Security in the Control Panel, select User Accounts and Family Safety and then Add or remove user accounts

This is that annoying User Account Control prompt I was talking about before. Click Yes.

Click Create a new account and then make sure the new account is going to be an Administrator account and click Create Account.

With the soon-to-be-regular account called Susan, I’m going to be naming the new administrator account SuperSusan so I know it’s a special account I shouldn’t be using on a regular basis.

And, by the way, even Microsoft recommends you use a standard (or limited) user account. You can click on Why is a standard account recommended? for more details about that.

Now click on the newly-created administrator account name and then select Create password

Make sure your password for this new account is significantly complicated. It should contain no dictionary words or personally identifiable information (birthdays, social security numbers). It should have numbers, lowercase letters, uppercase letters, and punctuation in it, though.

So you don’t forget your password, go ahead and write it down on a sticky note somewhere near your computer. The greatest threat to your security is an online threat, not another family member. Besides, anyone with physical access to your computer and a little know-how can easily reset your password, anyway.

When you’re done, click Create password

Log out of your normal user account and log in as the new administrator account. It is not enough to switch users in this case. Make sure you properly log off.

Go to Start Menu > Control Panel > User Accounts and Family Safety > User Accounts

Click on Manage another account

Click Yes and then select your normal user account

Click Change the account type, select Standard user (also known as a “limited user”), and then click Change Account Type.

Log out of the administrator account and log back into your normal (now standard or limited) user account. You should never have to log in as the administrator directly again.

Step 3. Use Firefox with the NoScript extension

I see a lot of confused Windows users wondering which web browser is “the safest.” Is it Opera? Is it Chrome? Is it Firefox? Internet Explorer? Safari?

The truth is that if you use any modern web browser with its default settings, they’re all about the same in terms of safety. They all have pop-up blockers that block 95% of pop-ups. They all have warnings about potential spoofing websites. They all get regular security updates when flaws are discovered, and every browser has flaws. There is no perpetually invincible web browser.

If you use Firefox in combination with the NoScript extension, that’s about as secure as you’re going to get, though, since NoScript by default blocks JavaScript, Flash, and just about everything else interactive on websites unless you explicitly whitelist specific sites.

Think of your computer as an exclusive nightclub. Do you think it’s easier to secure your party by having a bouncer outside the club who screens all incoming guests, or by allowing anyone inside the club and then having bouncers inside trying to drag people out? Well, NoScript is your bouncer outsider. It’ll block everything, and then it’s up to you to let trusted websites in on a case-by-case basis.

To install NoScript, in Firefox, go to Tools > Add-ons and then click on Get Add-ons and then Browse All Add-ons

You’ll be taken to the Mozilla add-ons website. Search for noscript.

Once you’ve found it, click on Add to Firefox and then Install Now (after a three-second delay, the button will appear as clickable).

You’ll be prompted to restart Firefox to activate the NoScript extension. Go ahead and restart Firefox.

Now you’re web browser is as secure as possible. Of course, this may seem annoying at first.

Convenience and security are always at odds. It may be convenient to have thousands of dollars of cash on you at all times, because it’s always easily accessible, but if you get mugged or pickpocketed then all of your money is gone. It’s slightly less convenient to keep most of your money in a bank, but it’s a lot safer in the bank (and also insured up to a certain amount, in case the bank gets robbed).

For the first two weeks you use NoScript, it may seem pointless. It may seem as if you’re just whitelisting every single site you visit. Don’t give up. After a while, you’ll realize you’ve whitelisted just about every site you do visit regularly, and then you can spend a lot less time whitelisting (or keeping blacklisted) potentially shady websites you stumble upon on a less regular basis.

Step 4. Read up on social engineering and how to avoid being the victim of it

Have you ever heard the term trojan virus, gotten scared, and thought “I hope I never get one of those”?

Well, the good news is that you don’t ever have to get a trojan. Trojans don’t just happen. You choose to install them yourself. Trojans are becoming increasingly the most popular kind of malware, and they can thrive on any operating sytem (Windows, Mac, Linux), because they exploit a security flaw the operating systems cannot patch—the user.

That’s you. You are potentially the biggest security hole for your computing experience.

Trojans and phishing scams rely on something called social engineering, which is just a fancy term for tricking someone into lowering security guards.

It can be someone calling up and pretending to be your IT support department in order to get your password. It can be someone pretending to be your bank to get your private personal information. It can be a pop-up window pretending to be an antivirus scanner that’s found malware on your computer (and if you pay the scammers $50, they’ll remove the non-existent malware for you… or actually install real malware now that you’ve been tricked into installing it).

You wouldn’t hand your car keys over to fake valet. Don’t hand over the keys to your computer to a fake… anything (fake pirated commercial program, fake warning about malware, fake credit card company request for information verification).

Do yourself a favor. The absolute most important step to take in securing your computer is making yourself an educated user. Google the term social engineering and read the first ten results of that search thoroughly.

Step 5. Do not pirate software, music, or movies

I’m not saying if you pirate software, music, and movies that you will definitely contract malware, but by not pirating all that stuff, you lower your chances significantly of installing a trojan or some other kind of malware.

If you’re hard up for cash, the best way to look for trustworthy free stuff is to look for open source stuff.

The website Open Source Windows has lots of great free (and malware-free) software. No pop-ups. No trial periods. No scams. No activation keys. No exhorbitant costs.

You can also find some more-obscure open source projects at Source Forge.

Here’s an example of installing an open source instant messaging client.

Note that for the script that automatically starts downloading the file (without manually clicking the download link), you’ll have to whitelist the site from the NoScript icon. You’ll also have to do this the first time you watch a video at YouTube or Hulu or the first time you try to book airline tickets on a site like Expedia or Priceline.

Once you’ve saved the file to your downloads folder, in order to install it—now that you’re a standard (or limited) user—you’ll have to right-click the file and select Run as administrator

You’ll then be prompted for the super-user or administrator’s password you set earlier. Enter that and you can continue.

In addition to open source software, there are also writings, pictures, and music released under freer-than-traditional-copyright licenses. You can find more information about this at Creative Commons.

There’s also free (and legal) music at Jamendo. Really, though, if you need commercial music, Amazon’s MP3 store has reasonable prices, and even several hundred free sample tracks.

Step 6. Avoid all “antivirus” or “security suite” software

Although this doesn’t directly make your Windows installation more secure, it is a good idea for several reasons:

  • If you already have solid security in place, pretend security (Norton, McAfee, AVG, Avast, MalwareBytes, Kapersky, etc.) just takes up extra hard drive space and sometimes extra system resources. This means you have less storage space for your actual files (music, movies, documents, pictures). It can also mean your computer doesn’t run as fast as it would otherwise.
  • So-called antivirus and antispyware programs encourage complacency. Rather than being proactive about security by locking down the system and educating the user on how to avoid social engineering–based attacks, these placebos make people think they’re “protected” while wasting space, resources, and possibly money.
  • If you constantly rely on these security suites to protect you, you’re more likely to fall for rogue viruses pretending to be antivirus scans.
  • There are two ways antimalware tries to protect you—by keeping a list of known offenders and comparing files to that known list, and by trying to guess what might be an offending file or application. The list of known offenders can never keep up with actual new offenders. And guesses lead to a lot of false positives, making users unnecessarily paranoid (about tracking cookies, for example).

Of course there are always folks who will say “But I want to just run it just in case….” In this case, there is no just in case. If you follow all five of the previous steps carefully, antivirus will do nothing to protect you. And if you refuse to follow all five of the previous steps carefully, antivirus will also do nothing to protect you.

It would be like a soldier suiting up with heavy armor and kevlar and then adding a razor-thin layer of tissue to the top as “just in case” protection against bullets. If you have armor and kevlar, that’s the best protection you have against bullets. The tissue won’t be offering additional protection. And if you don’t have the armor and kevlar, again the tissue won’t offer additional protection.

The armor and kevlar in this analogy are the first five steps in this tutorial. The tissue is “antivirus” software, security suites, and all that other garbage that offers you no protection.

Hopefully you’ve found this tutorial helpful. As you can see, security woes are no reason to switch away from Windows. If you have a genuine interest in exploring Mac OS X or Linux, though, I think you’ll find them both rewarding computing experiences in their own respective ways.

Tech “journalism” strikes again: of course Apple will recommend antivirus eventually

A self-proclaimed analyst at CNET has predicted that Apple will recommend antivirus.

Apart from the fact that Apple already did recommend antivirus a few months ago (but has since removed that page), isn’t that quite obvious? Some prediction. Unfortunately, the reasoning for that recommendation makes me wonder what Jon Oltsik is analyzing. Here are the reasons he gives for Apple recommending antivirus, and they’re all pretty much baseless:

Macs users are a lucrative target. Mac owners tend to affluent and Net savvy [sic]. To the bad guys, this means identities to steal and broadband connections to exploit.

If Mac users tend to be net-savvy, then why are their machines being compromised? Why don’t they have mechanisms in place to protect themselves from identity theft? If Macs are currently such a great target for malware, why is there so little malware out there for Macs now?

Organized cybercrime is diversifying. Cybercriminals tend to work as a loose confederation with each group specializing in a certain task. There are malware writers, botnet owners, mules, etc. Some entrepreneurial bad guy is bound to see a green field market in Mac cybercrime, recruit Mac hackers, develop expertise, and market these capabilities. If there is an equivalent of a cybercrime venture capital firm, they are probably looking at business plans like this already.

Diversifying ways to compromise machines doesn’t mean you attack multiple platforms. That’s just more work for very little return.

Macs are growing in the enterprise. In many large firms, Macs make up about 5 percent of endpoints. If the bad guys infect these systems, they can troll the network looking for other vulnerabilities and juicy data at will.

How about if the bad guys infected the machines that make up 95% of endpoints? Wouldn’t that give them more “juicy data”?

Macs are fairly easy to hack. In March as part of a contest, security expert Charlie Miller won $5,000 for exploiting a hole in Safari in about 10 seconds. If he can do this in 10 seconds, how many techies can do it in an hour? This is a frightening thought to me.

Okay, now this is totally ridiculous. Charlie Miller didn’t just walk into that competition and find a hole in 10 seconds. He knew about that hole for over a year and then exploited it in 10 seconds (in his own words: “It was an exploit against Safari 4 and it also works on Safari 3. I actually found this bug before last year’s Pwn2Own but, at the time, it was harder to exploit”). There’s a big difference there.

And all operating systems have security holes. That’s why Microsoft, Apple, and even Linux distribution maintainers all issue regular updates and patches.

I don’t understand why people imagine that you either have an unprotected computer or you have antivirus. (Or they think that an operating system that ever has a security hole is necessarily as insecure as another operating system with security holes.) Antivirus and protection are not the same thing. They’re not even similar. Antivirus does not offer you any real security at all. Don’t believe me? Go ask all the Windows users infected with malware what antivirus they’re running. Odds are that almost all of them will have some kind of fancy schmancy “security” software installed… software that did nothing to protect them.

Mac OS X isn’t a model in the best security, but its defaults are certainly better than Windows’ defaults. No operating system is invincible, and that includes Mac OS X. But Mac users will be no more protected with antivirus software than they will be without it. Know what the latest security breaches were for Macs? Trojans. Do you know how useful antivirus is against gullible users installing pirated software? Not at all.

Trojans rely on social engineering, and no operating system “security” can stop that, because the security hole is the user, not the computer. If the user can be tricked into giving away her password or giving a bad program access to system files, then you can have all the proper permission level separation or “security” suites in the world, and they will all be for naught. Have NoScript installed? She’ll whitelist every site. Have an algorithm for guessing malware? It’ll give so many false positives that she’ll learn to ignore its warnings.

Why will Apple eventually recommend antivirus? Plain and simple—because antivirus software is the most successful placebo ever introduced to the mass populace. As Mac marketshare continues to grow, more and more trojans will pop up, and more and more gullible users will keep installing them, and Apple will finally have to admit that Macs are just computers and not magic. But instead of saying “Users are stupid and need education,” they’ll toe the party line and recommend people install useless antivirus software, just as Microsoft does now. At least then they can enter into lucrative business partnerships with antivirus software companies.

Break out the sheepskin condoms, people.

The antivirus paranoia culture

Recently, I’ve spent some time looking at the computer section of Yahoo! Answers, and it’s a fascinating place from a sociological perspective. If the questions and answers popular there are indicative of what common attitudes and practices are among Windows and Mac users, then this is how a typical user operates:

  • Install free antivirus software
  • Install Limewire and use it to download copyrighted songs and movies as well as software cracks.
  • Run as administrator all the time (no limited user account).
  • Get infected with a virus or rogue.
  • Ask for suggestions about a better antivirus.
  • Consider that maybe paid antivirus solutions may be more effective than free ones.
  • Consider that Frostwire may be safer than Limewire.
  • Switch antiviruses.
  • Switch P2P application.
  • Get infected again.
  • Try to remove the infection with MalwareBytes.
  • Spend hours trying to remove infections with various other programs.
  • Eventually give up and reformat entire drive without backing up files.
  • Continue cycle.

There also seems to be a popular misconception that Windows’ malware problem has to do primarily with its popularity and not any flaw in security (like running as administrator by default all the time). So when a trojan (which requires user stupidity, not a flaw in the security of the operating system) appears for Mac OS X, the Windows users on Yahoo! Answers say “Aha! See? Macs get viruses too. They’re no more secure than Windows” and the Mac users on Yahoo! Answers say “Oh, no. What antivirus should I use to protect my Mac? I thought Macs were immune to viruses.”

I hope you see the problem here. Antivirus software companies may not be so nefarious as to actually create viruses (though maybe they do—we don’t have any irrefutable evidence either way), but they have definitely created a culture of paranoia and not just healthy fear.

Most computer users are paralyzed when it comes to security. They have no concept whatsoever as to what makes a computer secure or insecure. They just think “If I run ‘the best’ antivirus software, I can do whatever I want and my computer will be safe.”

Yet, I’d be willing to bet that most of these people would be better at spotting a fake valet before handing over the keys to their cars and would know better than to actively seek out burglars to give out their bank ATM cards and PIN codes to.

What can we do to turn around this culture of paranoia and turn it into proper, healthy fear properly channeled through education and good practice?

I used to be part of this culture, back when I was an exclusive Windows user. I got malware of some kind and panicked. And I thought if I just got a “better” antivirus and changed from Internet Explorer to Firefox that my security would be so much better.

It wasn’t until I got more familiar with the worlds of Mac OS X and Ubuntu that I realized privilege separation matters. Yes, it’s theoretically conceivable that malware could infect a limited user account if it were designed that way, but if it did and was detected in a short amount of time, then it could be easily removed. Malware as it is now thrives because it digs deeply into the Windows system files so that booting into safe mode or trying to use system restore to get rid of it isn’t enough. If you use a limited user account, no system files will be affected, and if malware were ever designed to affect a limited user account, you could just delete that account and carry on.

More importantly, the paranoia comes from a total lack of understanding about how computers become infected with malware. They have the same understanding of computer diseases that “doctors” had about human diseases centuries ago. It’s a bad humor. It’s punishment for doing something evil. It’s not germs you actually have to come in contact with.

A lot of malware comes in not through software flaws but through user flaws. Social engineering is a great way to get malware installed because Microsoft, Apple, and Linux developers can do nothing about it through better programming. If you can trick the user into installing “the codec you need to watch this video” or “this pirated version of iWork” or “this cool new software,” then any kind of built-in security goes out the window.

Couldn’t these users who suffer from such paranoia and ignorance save themselves a lot of heartache if they did a few simple things?

  1. Use a limited user account in Windows
  2. Take ten minutes to read up on social engineering and how not to be a victim of it
  3. Back up personal files regularly
  4. Use Norton Ghost or Acronis True Image to image a working installation so a reinstall wouldn’t take so long
  5. Install system security updates

The way a lot of people run their computers, it’s like having rampant unprotected sex and then getting an HIV test every six months. That won’t stop HIV! Get a condom! Computers have condoms too, even though Microsoft doesn’t make them very easy to put on.

Does Ubuntu need antivirus?

This is a very common question that comes up on the Ubuntu Forums from new users migrating from Windows. The answer, of course, is “No, Ubuntu doesn’t need antivirus.” Linux (and sometimes Mac) users often get accused of being smug or complacent for saying they don’t need antivirus, so I think I have to clarify that answer for the skeptics.

What kind of virus are you looking for protection from?
I’m not an expert on all the terminology out there for malware, but there are basically two kinds of malware, when it comes to security—malware that self-replicates and infects through security holes and malware that tricks the user into installing it (what’s called social engineering).

What makes the first kind of malware such a problem in Windows (at least in XP—I’ve never tried Vista) is the default-to-administrator-account setup, which is reinforced by some programs designed for Windows requiring the user be administrator, documentation for Windows assuming you are administrator (very seldom have I seen instructions for installing a setup.exe ask you to right-click, select Run as… and authenticate with an administrator account, with the assumption that you must be using a limited user account regularly), and the inconvenience of not being an administrator all the time (Run as… is not perfect and is often difficult to use).

The administrator account in Windows has access to almost everything on the system, so if it gets compromised, the entire system is compromised. And if you’ve ever had to clean malware off a Windows computer, you know how difficult it is to get all the junk out of the registry and all the reappearing programs and .dll files out of system directories.

A limited user account, on the other hand, has access only to its own account and very few system directories. I don’t know of any Windows malware that targets limited user accounts, but if the limited user account got compromised, cleaning up the malware would be a lot easier, as you could create another account, and one by one quarantine and examine user files you copy over from the compromised account to the newly created account and then delete the compromised account.

In Ubuntu (and in most Linux distributions and Mac OS X), the default account operates mainly as a limited user account, with write access to mainly its own user directory, and then the user in the admin group (in the case of Ubuntu and Mac OS X) is able to “sudo” and temporarily escalate privileges for particular tasks after password authentication. On non-Ubuntu Linux distributions, the authentication is a temporary login to the root (total access) account.

While a lot of people make the case that separating user privilege from system privilege alone guards against malware infestation (and they probably have a point), I’d at least argue that that separation makes cleanup after an infection a lot easier. The only trustworthy cleanup I know of a Windows-compromised computer is a complete reinstallation of the operating system.

But then there is social engineering. This could be anything from a tainted email attachment a friend innocently sends you and you open to a website asking you to download a “codec” (disguised malware) to play a video. The point is that the flaw isn’t the operating system itself but you, the user. If you’re tricked into installing a piece of malware, it won’t matter what kind of security you have set up. Don’t listen to Linux users who will tell you that you have to first make a file executable and then run it. With all the “user-friendly” graphical tools now available, all someone has to do is create a malicious “cool” .deb file for Ubuntu and trick Ubuntu users into downloading it, double-clicking it, and authenticating with their password. That .deb can run any command then with root privileges and compromise your entire system. It could install a keylogger or a rootkit.

Another time you shouldn’t listen to Linux users is when they try to say a lack of malware on Linux has nothing to do with marketshare, since Linux dominates the server scene, and Linux servers are not more compromised by malware than Windows servers. While what they’re saying is true, it’s also misleading. Most corporate servers are run by trained professionals or at least knowledgeable amateurs, and they’re less likely than the general populace to fall for a phishing scam or other kind of social engineering attack. This is not, true, however, for home users. Nevertheless, the point is moot. If security by minority has any validity, I think you can rest pretty easy that within the next three years, Ubuntu won’t reach over 50% of home user marketshare, no matter how successful it is or how many “years of the Linux desktop” pass by.

But don’t Linux viruses exist?
Yes, but they are either proof-of-concept ones created for research purposes or ones that took advantage of flaws that have since been patched. There aren’t any Linux viruses that are actual threats to Linux systems. If malware relies on social engineering, though, and you’re tricked into installing it, then your system is screwed either way—running an antivirus program won’t help you.

Should you run antivirus just in case?
Well, obviously I can’t stop you. You can also wear a gas mask around all the time when walking through perfectly healthy air. I won’t stop you from doing that either. But in either case, I’m not going to pretend what you’re doing makes sense.

Most antivirus applications in Linux scan for Windows viruses, and if a Linux virus came into existence and actually was a threat, it wouldn’t automatically be in your antivirus application’s definitions anyway, since the virus is new. So you wouldn’t be protected. A vaccine against polio isn’t going to protect you from getting AIDS. Neither is an outdated set of virus definitions going to protect you against a new threat.

Shouldn’t we protect Windows users?
Some have made the case that it is our responsibility to protect our Windows-using friends and relatives by scanning files before they’re sent to Windows users. While that case could be made, I don’t think Linux home users make up a large enough demographic to protect Windows users in such a way. It’s about as effective as building a wall around a city for protection but having the wall go less than 1/10 way around the city. Great. The attackers will just go to a different entrance to attack the city. (See the first link in the Further Reading section for more details.)

This brings up a good point, though. If you’re using Ubuntu as a regular desktop or laptop computer, you don’t need to run antivirus, but if you’re using Ubuntu as a mail server, you probably should install and use antivirus. In fact, many mail servers are Linux-based, so you would be part of a very large wall—an actual first line of defense.

What good is antivirus?
I do have to say, though, I think antivirus is mainly a resource hog and almost a placebo. It’s something that makes people think they’re secure without actually making them secure. In fact, every time I’ve seen a Windows-using family member or friend get infected with malware, that person has always been running antivirus, antispyware, etc. You can’t rely on a program to protect you. You have to learn good security practices yourself—don’t run as administrator regularly, use strong passwords, learn to recognize social engineering and phishing scams, do not visit sketchy websites, etc. Relying on anti* programs for protection is like thinking the vaccinations you get from the doctor protect you against all disease in life. You can’t then just have unprotected promiscuous sex, never wash your hands, eat anything you find in the forest, and have extensive physical contact with sick people, and then expect to stay healthy.

Antiviruses operate in two ways, and ultimately neither way ends up being effective for home use. One way is maintaining a list of known viruses. Well, when a new virus shows up, it won’t be in that list before it’s done some serious damage. The other way is trying to identify malware based on the content of the file. This leads to a lot of false positives and essentially defeats the point of antivirus, since it ends up being the user deciding what files are trustworthy or not… or just getting used to overriding the false positive identification of the antivirus application to the point that it’s like whitelisting everything. I would actually argue that you don’t need antivirus in Windows either. I know that sounds brash, but I believe it’s true. If you want Windows to be secure, use a limited user account, show file extensions for all files, use Thunderbird instead of Outlook, learn how to identify and avoid social engineering, and use strong passwords.

Frankly, I’ve never seen a real epidemic threat to Ubuntu users, but if one appeared, I promise you that having antivirus installed would not protect you from it. Saying you don’t need antivirus in Ubuntu is not complacency—it’s common sense. Learn about real security good practices and stop clinging to the antivirus placebo.

Further Reading
A succinct sum-up of this rather long-winded blog post you’re reading
A short write-up on Ubuntu security
A more in-depth write-up on Ubuntu security