Linux Myths Series: Linux doesn't Need an Antivirus


Linux fans seem to reject anything that's related to the world of Windows, meanwhile they kinda sorta overlook the following facts again and again and again:

  • A lot of open-source software repositories over the years have been breached while the source code stored therein was modified and in certain cases people using it have been owned.
  • Likewise, certain distributions have had their infrastructures compromised (e.g. it happened to Fedora a few years ago) which could very well mean that users might have downloaded and installed updates which infected their systems almost permanently.
  • Most open-source projects accept code submissions from strangers and it's not exactly obvious that these submissions (bug fixes or new features) are what they really are and if they don't have cleverly hidden backdoors.
  • Absolute most distributions' maintainers are not qualified or do not have enough time and resources to verify new software releases which are then pushed to distributions repositories automatically without any formal verification which opens the door to backdoors.
  • Here's another common scenario. It's not feasible or realistic for distributions to include all the open-source software in the world which means the user then proceeds to install it from 3d-party repositories or compile it from sources. The average user is even less prepared to verify such code and to add insult to injury most distributions don't offer any GUI tools out of the box which allow the user to run the software in a sandbox. While firejail and similar tools exist, they are far from user-friendly and most tech-illiterate people will never touch them.
  • The same applies not only to open-source software but to proprietary software as well.
  • Here's another security issue which for instance firejail cannot solve: under Xorg which is still used by absolute most Linux users, apps can sniff one another's mouse/keyboard/whatever input and grab the entire app area which makes running commercial proprietary software, e.g. Steam, quite an intricate issue. Running Steam in any sort of jail/virtualization environment is unfeasible for many reasons.
  • Many proprietary applications can only be successfully installed under sudo or the root account which is a nice and easy way to compromise a computer.

Again, people often argue that many users can be fully satisfied by running only the software offered through official channels of their chosen distribution but that again brings us to the issue of distributions doing a really poor job of vetting and formally verifying the software they include. It's understandable that large software projects like the Linux kernel, the Glibc library, Firefox or LibreOffice have an infrastructure and organization which could safeguard them from including backdoors but even that is not certain as the Linux kernel has seen quite a lot of fixes over the past three decades which then were discovered to contain major vulnerabilities.

Lastly, let's talk about how malware is usually distributed in the world of Windows and if Linux users might be compromised the same way:

  • Through drive-by downloads which won't work for absolute most Linux users as files need the executable bit to be set to run and most users simply don't know anything about that.
  • Social engineering: the attacker may contact you via email/phone/instant messenger and give the instructions that many users will follow blindly and by doing that they will install a piece of malware.
  • Another less common way nowadays is through malware on removable storage which might work for Linux users as well. E.g. all native Linux filesystems feature the executable bit and then all the files on the FAT32 filesystem are executable by default unless a partition is mounted with "showexec" or fmask options.

As you can see, having a decent antivirus in Linux is not that a crazy idea.

Case 1 in point: in April 2021 security researchers found malware, named RotaJakiro, which had been undetected for three years.

Case 2 in point: in June 2021 Google released the SLSA framework to partially mitigate the issue of "bad" commits to repositories however I don't see it being used or implemented on a wide scale any time soon. Also it doesn't address the issues raised here.


© 2021 . Last revised: . The most current version can be found here.

All rights reserved. You can reproduce the entire text verbatim, and you must retain the authorship and provide a link to this document.

blog comments powered by Disqus

Return to the main page.

free counters
Viewable With Any Browser Valid HTML5! Valid CSS!

Back to top