So, as per my previous post, I decided to install antivirus for Linux. My inner geek awakened, I decided to Google and see what other options are available besides ClamAV.
(For those of you who read this before – I updated the ClamAV section)
The answer is: Not Much.
Those that are available are not very good either. Here are the two I eventually installed:
ClamAV
Available from the repositories, it is a natural choice. It has a GTK front-end, but it is crap: it looks ancient and does not function well. I sat waiting for about an hour for a scan of my /home/ folder and eventually decided to stop it.
Result? No files scanned.
It insists that the Clam engine is out of date, and it is s-l-o-w.
The command-line scanner is much better. It is quicker and actually seems to scan stuff.
The ClamAV command-line scanner did pick up three infections (see below) but the command line scanner simply finished with “Infected files found: 3.”
That’s it – no option to delete or repair, and not even an indication of WHICH files were infected. I had to re-run the scan and pipe the output to grep -v OK in order to read where the infected files are.
I am sure there is a command line option to highlight infections, and I am trying to find a way to tell ClamAV to delete infections.
AHA!
Right, these options seem to be available:
clamscan -i = only print infected files
clamscan --remove = remove infected files (the man page notes “Be Careful.”, so I guess remove means remove, delete and possibly trash your install – have a nice day!)
clamscan --bell = sound a bell on virus detection
clamscan --move=DIRECTORY = move infected files to a directory; a --copy option also exists
So, with a little bit of digging I got the command-line version of ClamAV working. Not recommended for newbies though – use with care, especially the --remove option.
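As an added example (not code from the original post), here is a small sh wrapper that strings the options above together: recurse, print only infected files, quarantine with --move rather than --remove, and pull the verdict out of clamscan's own summary. It assumes clamscan is on PATH; the quarantine directory name and the sample log are my own constructions, the log modelled on the ClamAV output quoted further down.

```shell
#!/bin/sh
# Added example, not from the original post: wrap the clamscan options
# discussed above. Assumes clamscan is installed and on PATH.

# Quarantine directory (assumed name; override with the QUARANTINE variable).
QUARANTINE="${QUARANTINE:-$HOME/clam-quarantine}"

# Scan $1 recursively, saving output to $2 so the summary can be parsed.
# -r recurses, -i prints infected files only, --move quarantines instead of
# deleting. clamscan exits 0 when clean, 1 when infections were found, 2 on error.
clam_scan() {
    dir="$1"
    log="$2"
    rc=0
    mkdir -p "$QUARANTINE" && chmod 700 "$QUARANTINE"
    clamscan -r -i --move="$QUARANTINE" "$dir" >"$log" 2>&1 || rc=$?
    echo "$rc"
}

# Number after "Infected files:" in a saved scan log (the summary block).
infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\).*/\1/p' "$1"
}

# Paths flagged FOUND: strip the trailing ": <signature> FOUND" from each line.
found_paths() {
    sed -n 's/^\(.*\): [^:]* FOUND$/\1/p' "$1"
}

# Constructed sample log, modelled on the clamscan output quoted later in
# this post, so the parsers can be exercised without a live scan.
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
/home/xxxx/.local/share/Trash/files/thunderbird/vdawn9jc.default/Mail/Local Folders/Inbox: Trojan.Agent-49495 FOUND
----------- SCAN SUMMARY -----------
Scanned directories: 95
Scanned files: 538
Infected files: 1
EOF

# Real run only when a directory is given and clamscan is installed.
if [ -n "${1:-}" ] && command -v clamscan >/dev/null 2>&1; then
    LOG=$(mktemp)
    echo "clamscan exit code: $(clam_scan "$1" "$LOG")"
    echo "infected files: $(infected_count "$LOG")"
    found_paths "$LOG"
fi
```

Run it as `sh clamwrap.sh /home/username` to scan for real; without an argument it only exercises the parsers on the sample log.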
(Update)
I installed Intrepid Ibex for a friend today and installed ClamAV for him. It seems that the version of Clam for Intrepid is heavily updated. The interface is much nicer, scanning is a whole lot quicker and updating the virus database is much simpler.
Open Source for the win, it seems.
AVG Free for Linux
I am an AVG fan. On the Windows platform the free version punches way above its weight as far as AV scanning is concerned – outperforming heavyweights like Norton by a large margin.
On Linux it sucks though – to be blunt.
The GUI is bare, and it is obviously a bit of a second-tier project by the AVG guys. The scanner bombs out for no apparent reason, and does not seem to scan recursively beyond the first level. If I scan / for instance it will only scan down to /home, and not down to /home/username/otherdirectories.
The command-line scanner that is (much to my geek joy) included in the download is not much better. The recursive option seems to have the same problem as the GUI, and it bombs out with error messages.
Running the command line scanner with the -smart option seems to fix that problem, as well as the lack of proper recursive scanning. It still seems to miss a lot of files though… and no virus detection, even when I point it to the infected file and tell it to scan that file.
What I do like about it is its speed. Much quicker than ClamAV – by miles.
It also seems to be a serious product in the making, with various binaries available. I simply downloaded the .deb and installed it, no hassles. Updating the database was a cinch, unlike ClamAV, where I am still not sure if I am running the newest AV signatures.
It offers heuristic analysis, but AVG for Linux is basically useless since it scans maybe 10% of all files on my laptop.
I have to specify each directory and scan it separately and then every subdirectory requires a new scan.
As noted below, AVG did not detect any of the infected files that ClamAV detected, and neither is there a man page for this program. Appending the --help option to the avgscan command gives a few command-line options though, but no -r for recursive.
A good start for the future nonetheless.
Avast! antivirus.
Next up I ran into a Linux version of Avast! (okay I am dropping the exclamation point from now on – it confuses me while I am typing) and downloaded it.
Disclosure – I am not an Avast fan. Better alternatives exist for the Windows platform – AVG is one of them – and I am going into this with some trepidation. Although Avast is a powerful and full-featured suite, it often leaves Windows boxes without connectivity due to its buggy firewall.
Given the poor performance of AVG I downloaded Avast and was quite interested in what would happen. First off, no menu entry for the program; I had to drop down to the command line to launch it.
Strike two is the registration window that failed to launch Firefox; I had to register manually. (Note that I have absolutely nothing against having to register my product.)
Updating the virus database went better than with ClamAV, but takes forever (I am actually writing other parts of this entry while waiting for it to finish… and I am now just sitting here and waiting for the update to stop downloading… stiiiil waiting… ack!). There is only a progress bar, and no indicator of how large the file is. Given that the Avast download was only 10 MB (as opposed to 47 MB for AVG) I am guessing it comes without any virus libraries. My first scan (before updating the AV database) not returning any results seems to confirm that.
After the (long!) update of virus definitions I have not detected any viruses with this software – even though I know at least one trojan is lurking in my inbox…
Again, Avast runs its scan much quicker than ClamAV does – the “thorough” scan is a bit slower than the “standard” scan, as can be expected.
Panda For Linux
Another product that I do not particularly like on the Windows platform.
Interestingly, the Linux version of Panda is freeware (or shareware, depending on where you happen to be on their site at a given moment) and that is a point in their favor.
Whereas the other big name Antivirus products needed only the installation of their binary file, the Panda binary needed a dependency to be downloaded. Also upon installation a blank dialogue box appeared asking if I agreed to the license agreement. Not knowing what I agreed to I said yes – if only to be able to test their product. (Panda I know who to blame if dudes in suits show up at my door.)
The Panda installation adds its own submenu to the menu on my Linux install – and when I launch Panda it places a quickstart button next to my clock – very Windows-esque. Although it is listed as “Freeware” and the pop-up box says “Panda Freeware”, it notifies me that this is a 90-day trial.
“Freeware” it definitely is not.
So I click around the Panda options and I cannot for the life of me find the “Scan Now” option… clicking the “Open Panda for Linux” button does nothing, so I smell a bug that is stopping it from working… I think. The lack of feedback is frustrating.
I can “Disable Permanent Protection” though, and after entering my root password it is disabled.
If I can get a way to scan my computer with this suite it might well be the most polished Antivirus suite of the lot if looks are anything to go by.
I cannot find anything though – so I am guessing live protection is all that it offers…
I cannot comment on how well it detects viruses until I figure out a way to make it scan a specific directory.
Also of note is the “Low Protection” warning that informs you that you should install automatic file protection, so other than using resources I am not sure what exactly Panda does…
Running top I notice Panda is definitely running in the background – although it does not seem to be doing much:
3476 root 20 0 15644 2704 1336 S 0.0 0.3 0:01.08 pavdsksm
3480 root 20 0 26320 4548 3764 S 0.0 0.6 0:00.08 pavdsksysm
3502 root 20 0 32748 1880 1560 S 0.0 0.2 0:01.64 pavdskscheduler
It bothers me that it is running as root without notifying me. If I were a new user I would never have figured out that Panda was running in the background, as root no less. I am definitely removing this, it is currently useless and I see an avenue for attack on my system.
Hopefully it works better upon the next release.
Antivir Workstation
Thanks to one of the commenters I am now also giving Antivir a go.
Different from the others it does not feature a binary installer, but a shell script. It does an admirable job, with lots of prompts and questions. A notable hurdle is again the license agreement which I could not scroll through.
I selected agree and went about configuring my installation.
Like Panda, Antivir features resident protection – a bonus. I cannot find the GUI for now, and currently the command-line based scanner is churning through /home.
I note with interest that scan recursively is -r when using the other scanners, while here it is -s for “scan subdirectories.”
Updating the virus database went smoothly – and since Antivir consistently scores high(est) in software comparative reviews for detection I have high hopes.
Right off the bat I get much better feedback while scanning than I did with any of the others – it seems to be working my hard-drive extremely hard as well, and this is with a vanilla scan with only -s selected.
I notice that while I am scanning Antivir connects to the internet on port 80. Could it be that this software “phones home?”
If that is true this software is automatically disqualified – unless it is downloading updates on the fly while a scan is running, which would be interesting, since antivirus software normally does one or the other, never both at the same time…
Antivir did not pick up my baddies hanging around though…
For interest’s sake, here are the comparative outputs of ClamAV and Antivir upon scanning ~/.local (where I left a virus intact):
ClamAV:
----------- SCAN SUMMARY -----------
Known viruses: 463218
Engine version: 0.92.1
Scanned directories: 95
Scanned files: 538
Infected files: 1
Data scanned: 115.59 MB
Time: 69.789 sec (1 m 9 s)
And Antivir:
------ scan results ------
directories: 95
scanned files: 626
alerts: 0
suspicious: 0
scan time: 00:00:03
--------------------------
Thank you for using AntiVir.
I immediately note two things (apart from the missing virus flag in Antivir’s case):
- Look at the difference in time taken! ClamAV is slow compared to Antivir – 20 times slower!
- Look at the number of scanned files – Antivir scanned more, yet yielded fewer results.
Another win for ClamAV – if only because it actually detected the infection.
What do they detect?
Windows Viruses.
As far as I could glean from various forums and news articles, Linux AV programs do not have detection rules for Linux-targeted viruses. So if a Linux virus breaks into the intarweb tomorrow we are all basically screwed as far as detecting it goes.
These programs do not support Active Scanning either, well with the possible exception of Panda that is. They need to be run manually from time to time, and this might cause problems for lazy users.
What did I find?
Lo and behold – three infected files. All of them are identical – ClamAV found:
/home/xxxx/.local/share/Trash/files/thunderbird/vdawn9jc.default/Mail/Local Folders/Inbox: Trojan.Agent-49495 FOUND
Trying to detect this infection with the AVG command-line scanner proved futile. Even after I managed to convince the AVG scanner to scan that file (it took three tries!) it did not pick up the infection at all. Avast! failed as well, and Panda… well I don’t know… really, I don’t! If Panda is in fact keeping an eye on my system it has not detected anything, so I mark that up as a failure on its part as well.
Summary
One thing all of these antivirus suites seem to have in common is an UGLY user interface (with the possible exception of Panda), and they seem to be very early renditions of their Windows counterparts. Antivirus vendors seem to be early in their foray into the Linux market – and more power to them for trying! That is barring ClamAV, which seems to have been around forever.
I would stick to ClamAV though – even with its buggy and old GUI interface. At least it seems to be able to detect viruses – something which none of the other offerings did, with the possible exception of Panda, and that said I am still not sure what exactly Panda actually does!
Other Options.
Apparently there is not much available!
The four options I reviewed are ALL that I could find in about an hour of searching. F-Secure’s Linux page “cannot be found” and other AV scanners are either defunct Sourceforge hosted projects or simply do not exist for the desktop.
I did find a few versions for servers, but they are basically useless for the Linux desktop user.
AVG’s Linux version also seems to disappear from their site just before the release of a new version of AVG, probably in preparation for the new version, so maybe today I just missed an alternative.
If you do know of a Linux antivirus program that I should try, let me know!