I’ve been considering whether it is worthwhile to run ClamAV on a Linux workstation, especially when paired with YARA rules. Is this a good security practice? How does it compare to Windows Defender’s active virus and threat protection?
ClamAV isn’t on par with traditional antiviruses on Windows and Mac, and it’s also significantly more limited in what it can do even if something is detected. Also, it’s kind of a pain to configure and get running.
It’s really mostly designed to detect Windows viruses being shared on a Linux NAS. It’ll catch other stuff too, but in general for single-user machines any AV is not going to be better than educating yourself about dangerous files, and can be significantly worse for your security given the access they require to scan files.
Plus AV software is usually spyware, installs bloatware, scareware, littered with ads. Microsoft Defender is actually the lesser evil here but I wouldn’t trust any antivirus.
I tried using their real-time scan function way back in 2016 when fanotify support first landed, but it basically made the system entirely unusable and required running as root.
I recently did come across a decent guide on configuring real-time or periodic scans but it seems the situation is still not great: Setting up ClamAV · GitHub
Also a fun fact: if you have clamd running it always listens on all interfaces regardless, so if your firewalld/ufw stops for whatever reason it’ll be exposed to the public Internet with zero restrictions.
Plus it seems every few releases has a handful of memory safety issues.
As for the database, it is like 80% Windows stuff, but you can combine it with other providers and there are scripts for importing them all.
If you actually want (or need for compliance) an AV for Linux your best option is probably one of those proprietary cloud ones (most of which charge e.g. $40-80 a year per machine), but I cannot actually recommend that privacy/freedom wise.
While not the same, you might consider running fapolicyd if you’re on Fedora or RHEL; it is fairly easy to configure and has some benefits. But the major downside is that it can’t actually restrict actions performed in a namespace (e.g. systemd sandbox or flatpak). This is actually an issue shared with ClamAV since it is a kernel limitation of fanotify.
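The exposure described a few lines up (a clamd that has TCPSocket enabled but no loopback-only TCPAddr, so it depends entirely on the host firewall) can be caught by reading the config file itself. The following is an added example written for this thread; it is not ClamAV’s code and not something any poster ran. It parses clamd.conf’s plain `Option value` format and flags the risky combination, with a Unix-socket configuration beside it for comparison. TCPSocket, TCPAddr, LocalSocket and the stock `Example` line are real clamd.conf options; the three sample configs are constructed for the example.

```python
"""Audit a clamd.conf for network exposure.

Added example for this thread; it is not ClamAV's code.  clamd.conf is a
plain "Option value" file with '#' comments.  The thread's point is that once
TCPSocket is enabled, a missing or wildcard TCPAddr leaves the daemon bound
to every interface, so only the host firewall stands between it and the
network.  A Unix socket (LocalSocket) avoids that entirely: access is then a
file permission, not a firewall rule.
"""
from __future__ import annotations

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::", "*"}


def parse_clamd_conf(text: str) -> dict[str, list[str]]:
    """Map each option to the list of values it was given (options may repeat)."""
    options: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        parts = line.split(None, 1)  # option name, then the rest of the line as its value
        options.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return options


def audit_clamd_conf(text: str) -> list[str]:
    """Return human-readable findings; an empty list means no exposure found."""
    opts = parse_clamd_conf(text)
    findings: list[str] = []
    if "Example" in opts:
        findings.append("stock 'Example' line still present; clamd refuses to start")
    if "TCPSocket" in opts:
        addrs = opts.get("TCPAddr", [])
        if not addrs:
            findings.append("TCPSocket set without TCPAddr: clamd binds every interface")
        for addr in addrs:
            if addr in WILDCARD:
                findings.append(f"TCPAddr {addr}: clamd binds every interface")
            elif addr not in LOOPBACK:
                findings.append(f"TCPAddr {addr}: clamd is reachable from the network")
    if "LocalSocket" not in opts and "TCPSocket" not in opts:
        findings.append("neither LocalSocket nor TCPSocket set: clamd has nothing to listen on")
    return findings


def audit_clamd_conf_file(path: str) -> list[str]:
    """Convenience wrapper for a config file on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_clamd_conf(fh.read())


# Constructed samples, not taken from any distribution's packaging.
EXPOSED_CONF = """\
LogFile /var/log/clamav/clamd.log
TCPSocket 3310
# no TCPAddr line: the daemon answers on every interface
"""

LOOPBACK_CONF = """\
LogFile /var/log/clamav/clamd.log
TCPSocket 3310
TCPAddr 127.0.0.1
"""

HARDENED_CONF = """\
LogFile /var/log/clamav/clamd.log
# Unix socket only: no TCP listener at all
LocalSocket /run/clamav/clamd.ctl
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("loopback", LOOPBACK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_clamd_conf(conf) or ['no findings']}")
```

On Debian-family systems the file is normally /etc/clamav/clamd.conf and on Fedora /etc/clamd.d/scan.conf; pass that path to audit_clamd_conf_file. Clients such as clamdscan only need the socket path, so switching to LocalSocket costs nothing on a single machine and removes the dependency on the firewall staying up.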
If that’s the best option then we’re better off without an AV.
Isn’t it available in other distros? I see it in the Gentoo Wiki.
It works best on distros that use an RPM-based package manager so it can automatically generate the list of trusted files and their hashes.
On non-RPM distros you have to do that configuration yourself by hand or make your own scripts.
edit:
The fapolicyd daemon can be configured to use the RPM database, the Deb database, or the Ebuild database as a list of trusted binaries and scripts.
It seems it actually supports other package managers too, TIL.
edit edit: I can’t actually find the ebuild provider, only the rpm and deb:
- fapolicyd/src/library/deb-backend.c at 764a9f969701d057f59e1b695eb724880ce9c006 · linux-application-whitelisting/fapolicyd · GitHub
- fapolicyd/src/library/rpm-backend.c at 764a9f969701d057f59e1b695eb724880ce9c006 · linux-application-whitelisting/fapolicyd · GitHub
So maybe YMMV.
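For the “make your own scripts” case mentioned above (a distro with neither the rpm nor the deb backend), here is an added example of what such a script looks like; it is not fapolicyd’s code and not from any poster. It walks a directory, emits one trust line per regular file, and can later re-verify the list to spot files that changed. The `path size sha256` line layout is assumed here to match the format fapolicyd documents for fapolicyd.trust and trust.d/*; the sample tree is constructed in a temporary directory.

```python
"""Generate and re-verify fapolicyd trust entries for a directory tree.

Added example for this thread, not fapolicyd's own code.  On a distro
without an RPM or deb backend you maintain the trust list yourself.  The
file-based trust source is assumed to take one line per file:
    <absolute path> <size in bytes> <sha256 hex digest>
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large binaries do not land in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def trust_entries(root: Path) -> list[str]:
    """One 'path size sha256' line per regular file under root.

    Symlinks are skipped (fapolicyd resolves the target anyway) and so are
    paths containing whitespace, because the line format is space-delimited.
    """
    entries: list[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            if any(ch.isspace() for ch in str(p)):
                continue
            entries.append(f"{p.resolve()} {p.stat().st_size} {sha256_of(p)}")
    return sorted(entries)


def write_trust_file(root: Path, out: Path) -> int:
    """Write the entries for root to out; returns the number of lines written."""
    lines = trust_entries(root)
    out.write_text("\n".join(lines) + ("\n" if lines else ""), encoding="utf-8")
    return len(lines)


def verify_trust_file(trust: Path) -> list[str]:
    """Re-hash every listed file; return the paths that are missing or changed."""
    changed: list[str] = []
    for line in trust.read_text(encoding="utf-8").splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        path, size, digest = line.rsplit(None, 2)
        p = Path(path)
        if not p.is_file() or p.stat().st_size != int(size) or sha256_of(p) != digest:
            changed.append(path)
    return changed


def run_demo() -> dict:
    """Build a constructed tree, write a trust file, tamper with one file, re-verify."""
    root = Path(tempfile.mkdtemp(prefix="trust-demo-"))
    bindir = root / "bin"
    bindir.mkdir()
    (bindir / "hello").write_bytes(b"hello")  # constructed 5-byte 'binary'
    (bindir / "script.sh").write_bytes(b"#!/bin/sh\necho hi\n")
    trust = root / "fapolicyd.trust"
    count = write_trust_file(bindir, trust)
    clean = verify_trust_file(trust)  # nothing changed yet
    (bindir / "hello").write_bytes(b"hello, modified")  # simulate a replaced binary
    drift = verify_trust_file(trust)
    return {"count": count, "clean": clean, "drift": drift,
            "lines": trust.read_text(encoding="utf-8").splitlines()}


if __name__ == "__main__":
    result = run_demo()
    print(f"{result['count']} entries written")
    print("changed after tamper:", result["drift"])
```

In practice you would run this over the directories that hold locally built software (for example /usr/local or /opt), drop the output into /etc/fapolicyd/trust.d/, and tell the daemon to reload with `fapolicyd-cli --update`; for a handful of files `fapolicyd-cli --file add` does the same job by hand. Running verify_trust_file periodically gives you a cheap drift check on the very files you decided to trust.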
Thanks!
I consider my topic already addressed with my friends’ comments above. I can’t decide which response was better. I feel that all contributed. Thank you everyone!
No, antivirus is snake oil, and isn’t needed on Linux since you get your software from a trusted repo maintained by your distribution. Alternatively, you build your own software from source.
Anyway, ClamAV is mostly used on email servers to protect Windows clients receiving executables by email, not the Linux host.
I guess the issue becomes, what if your Linux installation gets infected with malware? How would you remove it?
Linux systems don’t get infected by malware in the same way as Windows systems do. It’s difficult to get malware in the first place since the primary means of obtaining software is through the distribution’s repo. The maintainers build that software from source through a process that can generally be trusted. In short, the antivirus is between the chair and the keyboard. In addition, the permission system makes it difficult for malware to be effective.
If the installation was nonetheless compromised through an exploit or otherwise, the only solution would be to wipe the root partition and restore it from a backup copy.
Strong disagree. Many packages don’t even verify GPG keys of tarballs/commits of the source even if they’re available.
Fedora used to scan all packages with ClamAV, but they don’t anymore afaik.
So if no one is actually thoroughly verifying the sources and no one is scanning the binaries, who is to say that many distros aren’t already distributing malware?
It really is not a great situation.
Putting your head in the sand by not doing any scanning doesn’t prevent there actually being anything.
And insulting the user saying it is their fault if anything happens is just wrong.
SSH was literally successfully backdoored in multiple (pre-release) distros and it was only noticed because someone was annoyed that it was slightly slower.
The one where the user has access to all the user’s files and there is zero sandboxing? So that any malware can still read everything? The one where most distros add the first user to the wheel group, which can give them a ton of access via permissive polkit rules?
This is false. Take a look at how many Linux servers are compromised because they had some vulnerable WordPress plugin.
ClamAV won’t help you against the kind of vulnerabilities you referenced. If this was the case, every public facing Linux machine would be running AV software, but this is almost never the case.
Instead, services are run as separate Unix users. It is also very common to use containers (Docker) or VMs. Not using separate users or appropriately containerizing applications is a skill issue fundamentally; as I said, the problem is between the chair and the keyboard. Even on workstations, I maintain that you are very unlikely to get malware on your machine if you stick to your distro’s main repo.
Antivirus is unnecessary for Linux desktop, not because of the reasons stated above. It’s solely because it’s considered a minority compared to Windows and macOS desktops. Most threat actors won’t bother writing one for Linux - most.
We’ve seen Linux systems being compromised in the past; it’s just that the existing solutions are either too ineffective or too expensive, so it’s impractical for home users to adopt an antivirus or anti-malware solution. Even then, never think that you won’t be a target; always be vigilant.
Not true at all, and a very dangerous mindset. Security through irrelevance will get you in trouble at some point. Better to focus on common sense to secure your data regardless of the OS you run on your computer.
Users and containers are not a security boundary.
I am not sure what is, then.