The Truth About Linux and Viruses

Post date: 04-May-2010 07:40:07

Conventional wisdom says that a virus scanner is one of three protections necessary these days for computers connected to the Internet. (The other two being a spyware scanner or two, and a trainable spam filter.) The same wisdom also says that the only reason Linux and Macintosh computers don't see the same level of virus attacks as Windows PCs is because Windows PCs are so much more prevalent.

While this may be partly true, it's not the whole reason. According to various virus lists, there are fewer than 100 known viruses for Linux, none of which spread the way a Windows virus does. Meanwhile, there are thousands and thousands of Windows viruses. With the so-called discovery of a Linux/Windows virus, more light is being shone on the subject of Linux security.

But it's easy to protect yourself in Linux, once you know a few things about viruses under the operating system. And if you still think you need it, we're including instructions on how to use Frisk Software International's F-Prot Antivirus.

1. If you run Linux and only Linux, you do not need antivirus software. In its efforts to make Windows easier to use, Microsoft simplified the process of running executables under its operating system many years ago. Not only can a user launch a program by clicking an e-mail attachment, but it's possible for an executable to launch automatically just by hitting the preview pane of some email packages, including older versions of Outlook and Outlook Express. Scot's Newsletter Forums member Nathan Williams has provided an excellent FAQ for the All Things Linux forum explaining why Linux when used alone does not need antivirus protection.

Under Linux the steps for launching an executable from an e-mail are separate, discrete steps. A user would have to read the email, save the attachment, give the attachment executable permissions, and then run the executable. And to be truly damaging, the latter two would have to be done as root — not something informed users would allow. (For more information see Ch- Ch- Changing File Permissions.)

2. If you dual boot Linux and Windows and get a virus-infected mail in Linux, it can NOT jump to your Windows partition. Nor can it spread over the local network to other systems. You can even store the attachment in your /home directory and open the zip or click the file, and it will be dead in the water. Windows executables won't run under Linux. Linux files need to be granted permission to become executable. And even then, it can't spread beyond the home folder. (This is also why Linux AV programs do not have a "live guard" module in them — the virus does not execute or move.) You could even leave a virus executable there as long as you wanted to without risk. Windows will not get infected, unless you deliberately copy the virus to your Windows partition.

3. If you dual boot, however, you better get a good antivirus program for Windows. Microsoft's operating system and its bundled applications, Outlook and Internet Explorer, offer users powerful functionality in their attempts to be easy to use and easy to update. As a result, it's all too easy for virus writers to exploit the same functionality in a malicious way. Don't leave them an opening. Install an antivirus program and keep it updated.

4. The only time you'll need a Linux antivirus program is if you're running a mail server. And that's just good social behavior. It's not to protect your Linux server or client computer so much as to make sure you don't pass a virus on to a Windows system.
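As an added demonstration (not part of the original article) of the permission step described in points 1 and 2: this shell script writes a file to disk the way a saved attachment is written, tries to run it, then grants the execute bit and tries again. The file and directory names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): shows why a saved
# attachment cannot simply "run itself" on Linux. Writing a file never
# sets the execute bit; a user has to grant it deliberately.
# File and directory names here are constructed for the demo.

# Run a file the way a double-click would and echo the exit status.
# 126 means "Permission denied" (no execute bit); 0 means it ran.
try_run() {
    if "$1" >/dev/null 2>&1; then echo 0; else echo $?; fi
}

# Report the execute bit of a file as "yes" or "no".
exec_bit() {
    if [ -x "$1" ]; then echo yes; else echo no; fi
}

# Walk through the discrete steps the article describes and print a
# one-line summary: "<bit before> <status before> <bit after> <status after>".
permission_gate_demo() {
    work=$(mktemp -d)
    attachment="$work/attachment.sh"          # the "saved attachment"
    printf '#!/bin/sh\necho payload\n' > "$attachment"
    bit_before=$(exec_bit "$attachment")      # "no": nothing set it
    run_before=$(try_run "$attachment")       # kernel refuses: 126
    chmod u+x "$attachment"                   # the explicit user step
    bit_after=$(exec_bit "$attachment")       # "yes"
    run_after=$(try_run "$attachment")        # now it runs: 0
    rm -rf "$work"
    echo "$bit_before $run_before $bit_after $run_after"
}

# Usage: sh thisfile.sh show
if [ "${1:-}" = show ]; then permission_gate_demo; fi
```

The summary line reads "no 126 yes 0": the same bytes on disk are inert until someone runs chmod, which is exactly the step a virus cannot take for itself.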

Think about it this way: If you have two warehouses, and you use the first one to store cheese, are you going to place mouse-traps in the second one where you only store stainless steel? I mean, be reasonable, mice do not eat stainless steel! So don't let antivirus vendors make you unnecessarily paranoid.

Despite my recommendations to the contrary, if after all this you still think you need AV software, I recommend F-Prot Antivirus for Linux. It has a fast scan engine, has been around since the days of DOS, and has proven its reliability over the long term.

F-Prot is free for home users. There's an F-Prot .rpm for Mandrake and SUSE and a .tar.gz for use with other distros. You can download it from the F-Prot site. The newest version, 4.6.6 as of this writing, introduces some changes in command line syntax, so here's a quick overview of how to use F-Prot.

-----------------------

Important: The tips in this document require the use of command-line commands. For more information about how to read and execute Linux command-line prompts and commands, please check the Linux Clues Linux Cheat Sheet, especially Linux Prompt Basics and Linux Command-Line Nomenclature.

-----------------------

To install an application, you need to be logged in as root. For a reminder on how to do that, check the Linux Cheat Sheet, Logging in and out as Root.

Once the file is downloaded to your Download directory (here /home/bruno/Download), type:

# rpm -ihv /home/bruno/Download/fp-linux-ws.rpm

This filename refers to the RPM version. You'll need to change the command if you downloaded the Debian/GNU or Tar versions. The pound-sign (#) prompt lets you know you're logged in as root.

F-Prot automatically gets the latest virus definitions as part of the install process. To make updating the definitions simple later on, make a symlink. (See Hard Links and Symbolic Links for more information.)

# ln -s /usr/local/f-prot/tools/check-updates.pl /usr/local/bin/f-prot-updates

Then to get the new virus definitions next time, all you have to do is:

# f-prot-updates

You'll see a screen message indicating that a new version of the virus signatures is available (if there is one), followed by a message indicating they've been successfully installed. Now let's check to make sure it works:

# f-prot -verno

Virus scans should be performed as root, because root has permissions to read all the files on your computer.

To scan your Windows partition:

# f-prot /mnt/win_c

Or /home:

# f-prot /home

Or the full "/" partition:

# f-prot /

The scan will run, followed by a screen display summarizing the findings — viruses found or not. As you can see, the command does not need any extra arguments; the default options are -dumb -archive -packed -server.

Important Note: If you've used a previous version of F-Prot, you'll see that the syntax is different.

A quick way to get the updates and do the scan on the Evolution mail directory in one go is:

# f-prot-updates && f-prot /home/bruno/.evolution/

Getting virus definition updates automatically is a task that just cries out to be scheduled, so let's set up a cron job. (For more on cron jobs, see Taming the Cron Daemon.) Start with:

# crontab -e

This opens a file in Vi. (For more on the Vi editor, see The Vi Editor.) Just add this line in Vi:

0 4 * * * /usr/local/f-prot/tools/check-updates.pl -cron -quiet

Now cron will get the updates at 4:00AM every day, notifying you only if there was an error getting the signature files.

Installing and updating the software is good, but to protect your computer, you need to also perform virus scans on a regular basis. So let's create a cron job for that too.

0 5 * * * /usr/local/bin/f-prot / -report=/root/f-prot-report.txt

Cron will do a scan of / at 5:00AM every day and send a report to /root/f-prot-report.txt.
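As an added example (not part of the article or of F-Prot itself), here is a small wrapper that combines the two cron jobs above into one unit: the signatures are updated first and the scan runs only if that update succeeded, the same idea as the "&&" one-liner earlier, with a dated report file. The paths and F-Prot options are the ones used in the article; the wrapper's name, the report naming and the exit-status handling are assumptions of this script.

```shell
#!/bin/sh
# f-prot-daily.sh: added example, not part of the article or of F-Prot.
# Updates the signatures first, then scans only if the update succeeded,
# writing a dated report. Paths and F-Prot options are the ones the
# article uses; the wrapper's own name, the report naming and the
# exit-status handling are assumptions of this script.

CHECK_UPDATES="${CHECK_UPDATES:-/usr/local/f-prot/tools/check-updates.pl}"
FPROT="${FPROT:-/usr/local/bin/f-prot}"
REPORT_DIR="${REPORT_DIR:-/root}"

# Name of today's report file, e.g. /root/f-prot-report-2010-05-04.txt
report_path() {
    echo "$REPORT_DIR/f-prot-report-$(date +%Y-%m-%d).txt"
}

# Update signatures, then scan the directory given as $1 (default /).
# Prints "update-failed" on stderr and returns 2 if the update did not
# succeed; otherwise prints "scan-exit=<n> report=<file>" and returns
# F-Prot's own exit status unchanged (the report explains what it means).
daily_scan() {
    target="${1:-/}"
    if ! "$CHECK_UPDATES" -cron -quiet; then
        echo "update-failed" >&2
        return 2
    fi
    report=$(report_path)
    status=0
    "$FPROT" "$target" -report="$report" || status=$?
    echo "scan-exit=$status report=$report"
    return "$status"
}

# Crontab entry that replaces the two separate jobs above, assuming this
# file is installed as /usr/local/bin/f-prot-daily.sh:
#   0 4 * * * /usr/local/bin/f-prot-daily.sh run / >/dev/null
# Stdout is discarded (the findings are in the report file), so cron
# mails you only the stderr line "update-failed" when something broke.

case "${1:-}" in
    run) daily_scan "${2:-/}"; exit $? ;;
esac
```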

Now you're a good Linux citizen.