How-To Geek Forums / Linux

AV

(7 posts)
  • Started 1 year ago by Mike1030
  • Latest reply from BobJam
  • Topic Viewed 1074 times

Mike1030
Posts: 1021

Of the two, Clam AV or Avast, which should I install on Ubuntu 12.04?

Thanks.

Posted 1 year ago

BobJam
Posts: 1052

Either, or both. Neither has an on-access scanner for Linux (actually, don't know of any that do), so you can safely install both because neither would run on-access scans in the background anyway ("TSR" in Windows lingo, "daemon" in Linux lingo.) You will have to run on-demand scans for either. Just don't try to run the on-demand scans at the same time.

The reason I say "both" is because one may catch something the other doesn't. Both are mainstream software, just make sure you keep the definitions up to date.

And if you post on a Linux forum, you likely will run into arrogant users who will tell you that Linux is "immune" or otherwise "doesn't need a virus checker". B.S. NO OS is immune (arrogant Apple users found that out a few years ago.)

There are Linux viruses in the wild . . . granted, only a few but that's mainly because Linux has a very small market share compared to Windows. Malware writers get the biggest bang for their buck with Windows viruses.

And crossplatform malware is becoming more common.

There are two Linux rootkit checkers that I know of . . . both CLI utilities.

So, Linux malware IS out there, and you are wise to check your system.

But as long as you install software from the repositories, DON'T run as root, and use a link checker (like WOT or McAfee or Norton, and brethren) and don't visit questionable web sites (IOW, practice "safe surfing"), you will minimize your risk.

Be aware, though, that there is no such thing as 100% security (unless you encase your machine in concrete and never connect to the Internet), so you should run malware checks periodically (at least once every few weeks, preferably more often if you're a security freak like me.)

Again, in answer to your question, I would install both (Avira has a Linux version also, but it's CLI only and difficult to set up and use unless you're an experienced user.) I have both Avast and Clam (tried Avira but didn't like it) and I use them often, plus I do rootkit checks also. Probably overkill on my part, but as I said, I'm a security freak.

Posted 1 year ago

Mike1030
Posts: 1021

Thanks BobJam for sharing your expert views.

What are the two Linux rootkit checkers . . . both CLI utilities?

And how do you install Avast & Clam AV on Ubuntu?

Posted 1 year ago

BobJam
Posts: 1052

Stand-by . . . composing reply.

Posted 1 year ago

BobJam
Posts: 1052

The two rootkit scanners for Linux are: Rootkit Hunter and Chkrootkit (actually, there's at least one more that I know of, but I use Rootkit Hunter and Chkrootkit.) And downloading, installing and using AVAST and ClamAV is maybe not as straightforward as you'd like.

Stay with me on this, 'cause this is going to be lengthy. There's a reason this is going to be long-winded, and I'll give it at the end. (A lot of my posts are lengthy, but for no particular reason other than I'm a bag of hot air. This one, however, is long for a purpose.)

Depending on your distribution and software sources, ALL can be found in Synaptic (just search in Synaptic), so you might think they'd be easy to install . . . not necessarily. As far as different distributions, my Ubuntu 12.04 distro DOES NOT show Avast in Synaptic, while my Mint 12 DOES. I'm too lazy to compare software sources and see what the determining repository is, but that's academic anyway 'cause you can download and install Avast right from the Avast site: http://www.avast.com/linux-home-edition .

I'm normally a repository kinda' guy, but if you can't find Avast in Synaptic, go ahead and download it from the site above. My own preference is to download it from the Avast site (for my reasons, see below.) BUT, before you open it, read through the section below on "Avast". You should be able to find the two rootkit scanners and Clam in Synaptic, so you can install them from there if you want. The same applies here though . . . read through the respective sections BEFORE you use Synaptic.

I have 12.04 on one partition and Mint12 on another. Most of this is written from the Mint12 perspective, and a lot of it would be the same anyway. There are a few nuanced differences between the two, but if I pointed out the 12.04 nuances, this would be a lot lengthier than it already is.

And I'm going to jump a little ahead on Clam here. In Synaptic there is "ClamAV" and "ClamTK". ClamAV is the command line version. ClamTK is the front end GUI. So if you want the GUI, you need to install ClamTK (and it will install ClamAV as a dependency anyway.) BUT, read the "Clam" section below BEFORE you even consider Synaptic . . . you may not want to use Synaptic.

ROOTKIT HUNTER
Let's take Rootkit Hunter first. The latest version is 1.4.0. In Synaptic, your search would be "rkhunter". The version I get in Synaptic is 1.3.8, significantly old and likely out of date. You can find the latest version here: http://rkhunter.sourceforge.net/ . Read through that page and decide if you want to use that version. There have been some significant changes, but if you want an easy go of it rather than messing with a tarball, go ahead and use Synaptic.

On that 1.4.0 page is a link to http://sourceforge.net/apps/tr.....wiki/SPRKH , which is a good overall use tutorial. I recommend reading through it. It has a pretty kool flow chart that shows a lot.

Another good rkhunter tutorial is here: http://www.aboutlinux.info/200.....ts-in.html . Pay particular attention to the section on updating the rkhunter database. It is essential that you have an up to date database.

BUT, see my caution about where to run rootkit scans FROM, below.

CHKROOTKIT
This is also in Mint12 Synaptic. Just search "chkrootkit". The version in Synaptic is 0.49, and that is the latest, as far as I know. So, using Synaptic for this download is fine.

To start looking for rootkits, just run "sudo chkrootkit" (WITHOUT the quotes.)

BUT, same caution applies here as in rkhunter.

ROOTKIT SCANNER CAUTION
So what is this mysterious caution?

Well . . . first of all, you have to understand a little about the nature of rootkits. Basically, they attack and infect your system kernel, and often can gain root privileges ("administrator" privileges in Windows), and can even hijack your rootkit scanners and make them show clean results.

If you're infected with one, there is no safe way to eliminate it from WITHIN the rooted operating system, because if your kernel is compromised, you can't trust anything it says about your files, etc.

Consequently, you want to run your rootkit scanner FROM OUTSIDE THE OS, like from a USB stick or a customized LiveCD ( http://www.howtogeek.com/10973.....cd-or-usb/ BTW. "uck" is in Mint12 Synaptic.) Running it from within the OS is not trustworthy.

Fortunately, the incidence of a rootkit on a desktop-usage Linux system is very low. The odds are a little worse for a server-usage installation, but still very low.

CLAM
As I said, ClamTK is in your repository. BUT, the GUI version in the repository is 4.32. The latest GUI version is 4.42 ( http://clamtk.sourceforge.net/ ) Plus, the package from the repository shows the engine as out of date:

(BTW, it shows "Last scan never" simply because I've never used the one from the repository.)

The GUI won't update and it won't update the engine:

I could maybe live with the GUI being out of date, but the out of date engine is the deal breaker.

There is a way through the terminal to update it all, but it's very complex and tedious.

Just flat out easier to install the latest in a .deb from the ClamTK web page: http://clamtk.sourceforge.net/

Scroll a little more than halfway down and click on the "Debian/Ubuntu" link under "Downloads". Double click that .deb. It works just fine in Mint 12. The download will be "clamtk_4.42-1_all.deb", and it will open like this:

Be aware, though, that you will get the typical "use the repository" warning when you run that downloaded .deb:

Just click through it and install the .deb.

AVAST
Again, this is in the Mint12 repository, but you can just as well download it from the Avast web page, http://www.avast.com/linux-home-edition . In fact, and here again I'm violating the "repository rule", go ahead and download it from the site. Coupla' reasons for that.

Downloading it from the site will ensure you have the latest version. That may not be critical in other areas, but for an antivirus program you want to make sure you have the latest. Plus, you'll have to get a license key (even for the free version, which is what you'll be downloading), and you'll be right there on the site to "register".

Now there is a major flaw in Avast when you first try to run it. (Well, the flaw may be the Linux developers, depending on how you want to argue it.)

When you first try to run it, you'll get this:

But don't worry, there's a way to solve this.

I'm going to simplify this explanation.

For some reason, the developers allotted an anemic size in /proc/sys/kernel/shmmax:

(Remember, I just said this was a simplified explanation. There's a lot more to it than what I'm saying, but you don't need that information.)

Again, though, you needn't worry. There's a fix.

In the terminal, type in "gksudo gedit /etc/init.d/rcS" (WITHOUT the quotes.)

Now add the line "sysctl -w kernel.shmmax=128000000" (WITHOUT the quotes) and put it just above the line "exec /etc/init.d/rc S".

The file should now look like this:

#! /bin/sh
#
# rcS
#
# Call all S??* scripts in /etc/rcS.d/ in numerical/alphabetical order
#

sysctl -w kernel.shmmax=128000000

exec /etc/init.d/rc S

Now save that file.

To confirm it took, in gedit navigate to /proc/sys/kernel/shmmax.

It should now look like this:

What you've done, essentially, is allot a larger block for some BIG Avast files. (BTW, if you update your kernel, you'll have to do this all over again for the new kernel.)

For those that don't know this manipulation, they probably walk away in frustration thinking "Avast doesn't work in Linux".

So now you should be able to fire up Avast and enter your license when Avast gets around to emailing your number (usually within 24 hours, but make sure and check your junk or spam folder . . . sometimes that email from Avast will get routed there. Plus sometimes they are tardy on the delivery, so you may have to give it a day or so.)

OK, that's the install routine for the rootkit scanners and the antivirus programs.

Now this is VERY IMPORTANT for you to realize. There are no automated rootkit removal tools for Ubuntu, only tools to check for rootkits, and, as far as I know, there are NO virus removal tools for Linux. The rootkit scanners will simply detect an infection and nothing more, and the best you can do with the antivirus programs is put the infected file, if it finds one (and I'd be surprised if they did), in quarantine. But they will not "repair" the file, like some tools in Windows would (I'm thinking of ComboFix, which is a WINDOWS removal tool . . . there is nothing like that for Linux.)

But that's just as well, because if you find an infection (a Linux virus, that is . . . if it's a Windows virus, it won't impact Linux), you should just flat out reinstall (either with a LiveCD or this method, which I recommend: http://ubuntuforums.org/showthread.php?t=35087 ).

That's because when you try a removal routine (unique to Windows anyway), you'll never know if you got it all. Rootkits, especially, are very hard to remove. Better to just flat out restore a clean image, and that way you'll be sure it's gone. The only time a removal routine makes sense is if the user hasn't backed up data on removable media, and removal is the only option to save the data. That's why it's always critical to . . . backup, backup, BACKUP!!!! (And use removable media for your data, like a USB stick or an external HDD.)

And here's another important thing to realize. These scanners, both rootkit and antivirus, are ON-DEMAND only, out of the box. IOW, they won't check your files in real time (ON-ACCESS scans). You can make them on-access scanners by using a program called "DAZUKO" (and making them daemons . . . "TSR's" in Windows lingo) in conjunction with the antivirus program, but it's heavy on terminal commands, buggy, and is no longer maintained. Avira developed it, but then dropped it. Even I, security fanatic that I am, think trying to make antivirus programs in Linux do on-access scans is a bit of overkill.

You can try to do so, but you really don't need to.

A word on "Security Best Practices". This is essentially common sense. One of my favorite quotes is "Ultimately, the only protection against phishing, forged Web pages, downloading malware, and other threats is the technology located between the user's ears."

Things like NOT clicking on links you get in emails from either less-than-security-conscious individuals or completely unknown individuals, or opening attachments in emails from those same folks, or links in IM's, or visiting questionable web sites, or keeping your virus defs up to date, are examples of "Security Best Practices". Here's something I wrote years ago when I was a Windows kinda' guy, and while some of it doesn't apply to Linux (most does, though), and some of it is out-of-date, the principles are still good: http://forums.techguy.org/tech.....tices.html . Incidentally, read through that whole thread, you may get some good ideas from it.

I said at the beginning that there was a "reason" this was going to be long.

Here it is.

If you don't have a headache by now, you've either not read through or you're super-human. I have a headache myself reading back over this.

And that's the crux of the "reason". The complexity and tedious detail should give you a flavor of this security business in Linux, AND CONVINCE YOU THAT PRACTICING SAFE SURFING AND SECURITY BEST PRACTICES (WHICH MEANS MOSTLY EXERCISING COMMON SENSE) is a better alternative to this rootkit/antivirus business. I'm not saying that you don't need to run a rootkit scan or an antivirus scan now and then, and can get by JUST with safe surfing and security best practices. But what I am saying is that the urgency of running a rootkit and antivirus scan can be significantly reduced by just safe surfing and security best practices.

Here's what I recommend you do. Play around with rkhunter and chkrootkit till you're confident that you can run them "right", the rootkit scanners from a USB stick or a customized LiveCD of course. Practice running Avast and Clam also . . . just get familiar with them. When you're confident that you've run them properly and they show no detections, IOW you have NO infections (and I'm almost 99% sure that will be the case), THEN make an image (Again, see this thread for how: http://ubuntuforums.org/showthread.php?t=35087 . Old but still valid.), store it on a large-capacity USB stick, and you will always have a "clean restore point" (to use a Windows term) you can use if you get infected.

It may take you about 20 minutes or so to restore the image, but that's a heck of a lot better than the several days or more it might take to remove the infection (if that's even possible . . . as I said, as far as I know there are NO malware removal tools for Ubuntu) and you'll never be sure you "got it all". Restoring a clean image removes that doubt. And you will have peace of mind that if you ever DO get infected (unlikely if you surf safely and exercise security best practices and use Linux, but still possible), you'll be able to recover quickly.

And if you DO have a Linux infection, especially a rootkit, get off line IMMEDIATELY while you install the clean image.

BUT, as I keep saying, it's likely that you really don't need to go through all this as long as you surf safely and use security best practices, and use Linux. I just do it because I'm a security fanatic.

Posted 1 year ago
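
As an added example following BobJam's post above (it is not part of the post, nor code shipped by rkhunter, chkrootkit, ClamAV or Avast), here is a small POSIX shell wrapper for the procedure he describes: it runs the three on-demand scanners one after another (never two at once), logs each to its own file, parses each tool's summary so the outcome can be checked in one place, and tests whether kernel.shmmax is already at the 128000000 the post sets for Avast. The LOG_DIR, SCAN_PATH, TARGET_ROOT and RUN_SCANS variables, and the /etc/sysctl.d/60-avast.conf file name, are this example's own assumptions; the sysctl.d drop-in is shown as another way to make the shmmax setting persistent, alongside the rcS edit in the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from any of the tools it
# names. Runs the on-demand scans (rkhunter, chkrootkit, clamscan) one at a
# time, parses each summary, and checks the Avast kernel.shmmax requirement.
# LOG_DIR, SCAN_PATH, TARGET_ROOT, RUN_SCANS and the sysctl.d file name below
# are assumptions made for this example.
set -u

LOG_DIR="${LOG_DIR:-${HOME:-/tmp}/scan-logs}"   # assumption: per-user log dir
SHMMAX_WANTED=128000000                         # the value the post sets for Avast

# Print the kernel's current shmmax, or 0 if it cannot be read.
current_shmmax() {
    cat /proc/sys/kernel/shmmax 2>/dev/null || echo 0
}

# True (exit 0) when $1 (current) is at least $2 (wanted). awk is used so a
# 64-bit default such as 18446744073692774399 does not overflow the shell's [.
shmmax_ok() {
    awk -v cur="$1" -v want="$2" 'BEGIN { exit !(cur >= want) }'
}

# Body of a sysctl drop-in that keeps the setting across reboots and package
# upgrades (another way to persist it besides editing /etc/init.d/rcS).
sysctl_dropin() {
    printf 'kernel.shmmax = %s\n' "$1"
}

# Read clamscan's "Infected files: N" summary line from stdin; print N, or 0
# if the line is missing (e.g. the scan aborted before printing a summary).
clamscan_infected_count() {
    awk -F': *' '/^Infected files:/ { n = $2 } END { print (n == "" ? 0 : n + 0) }'
}

# Read rkhunter's "Possible rootkits: N" summary line from stdin; print N.
rkhunter_possible_rootkits() {
    awk -F': *' '/Possible rootkits:/ { n = $2 } END { print (n == "" ? 0 : n + 0) }'
}

# Count chkrootkit lines flagged INFECTED (its "not infected" lines are
# lower-case, so they do not match). Always prints a number.
chkrootkit_hits() {
    grep -c 'INFECTED' || true
}

check_shmmax() {
    cur=$(current_shmmax)
    if shmmax_ok "$cur" "$SHMMAX_WANTED"; then
        echo "kernel.shmmax=$cur is already large enough for Avast"
    else
        echo "kernel.shmmax=$cur is below $SHMMAX_WANTED."
        echo "Persistent fix: put this in /etc/sysctl.d/60-avast.conf"
        sysctl_dropin "$SHMMAX_WANTED"
        echo "and apply it now with: sudo sysctl -w kernel.shmmax=$SHMMAX_WANTED"
    fi
}

# Run all three scanners sequentially, log each to its own file, and return
# non-zero if any of them reported something.
run_scans() {
    mkdir -p "$LOG_DIR"
    stamp=$(date +%Y%m%d-%H%M%S)

    sudo rkhunter --update >/dev/null 2>&1          # refresh its data files
    sudo rkhunter --check --skip-keypress > "$LOG_DIR/rkhunter-$stamp.log" 2>&1
    rk=$(rkhunter_possible_rootkits < "$LOG_DIR/rkhunter-$stamp.log")

    # From a live CD/USB, set TARGET_ROOT to the mounted installed root so
    # chkrootkit inspects that tree instead of the live system's own files.
    if [ -n "${TARGET_ROOT:-}" ]; then
        sudo chkrootkit -r "$TARGET_ROOT" > "$LOG_DIR/chkrootkit-$stamp.log" 2>&1
    else
        sudo chkrootkit > "$LOG_DIR/chkrootkit-$stamp.log" 2>&1
    fi
    ck=$(chkrootkit_hits < "$LOG_DIR/chkrootkit-$stamp.log")

    sudo freshclam >/dev/null 2>&1                   # update ClamAV signatures
    clamscan --recursive --infected "${SCAN_PATH:-${HOME:-/}}" \
        > "$LOG_DIR/clamscan-$stamp.log" 2>&1        # exit status 1 means a hit
    av=$(clamscan_infected_count < "$LOG_DIR/clamscan-$stamp.log")

    printf 'rkhunter possible rootkits: %s\n' "$rk"
    printf 'chkrootkit INFECTED lines:  %s\n' "$ck"
    printf 'clamscan infected files:    %s\n' "$av"
    [ "$rk" -eq 0 ] && [ "$ck" -eq 0 ] && [ "$av" -eq 0 ]
}

# The scans need the tools installed and sudo; only run them when asked.
if [ "${RUN_SCANS:-0}" = 1 ]; then
    check_shmmax
    run_scans
fi
```

Run it as `RUN_SCANS=1 sh scan.sh` on the installed system for a routine on-demand pass, or from a live USB with `RUN_SCANS=1 TARGET_ROOT=/mnt/ubuntu sh scan.sh` so chkrootkit reads the mounted root rather than the live system (the post's point about not trusting a possibly rooted kernel). The parsers are deliberately separate from the scan runner so the summaries can be checked on saved logs without re-running anything.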
Drizzle
Posts: 2045

Phew!!!!!! Think I will stick with (as you keep saying....) SS (surf safely) :):)

BUTTTT it only takes one wrong click Doh!!!!!!!!

Posted 1 year ago

BobJam
Posts: 1052

Clarification: On that issue that the Linux market share is much less than Windows, thus malware writers get the biggest bang for their buck by focusing on Windows instead of Linux: The “official” position (Linux Documentation Team: https://help.ubuntu.com/community/Antivirus ) is that this is "flawed reasoning" (see the link for more info on this). I'm not going to argue that point here (though I can think of several counter-arguments), but the Linux position on this reinforces what I think is a false sense of security and seems to be a bit arrogant.

Posted 1 year ago

Topic Closed

This topic has been closed to new replies.