Sunday, February 3, 2013

Should you use a virus scanner on Linux?

I've just been reading a whole lot of dross about virus scanners in schools. I call it dross because it's one of those things that always had me incredulous about MS Windows. When buying a new machine, normally with Windows unfortunately (I still value the choice of machine over the Redmond tax), the salesman offers to sell me a virus scanner which isn't just a virus scanner! It'll take care of spyware as well! They often give me a blank look when I tell them that the first thing I'll be doing is getting rid of Windows. They normally make the offer again.

It feels to me that I'm buying a leaky bucket and a patch kit. Why is this considered normal?! Every now and again I get asked about virus scanners for Linux from Windows users trying Linux for the first time.

Most of the viruses I know of in Linux attack very specific versions of a particular distribution of Linux. Things like the Ramen worm. And thus, I've been able to take it as a point of pride that a great deal of my system's resources don't need to go into running a virus scanner. I remember turning off the virus scanner in order to play certain games which needed those resources.

So when running Windows, not only do I find people spending money on a virus scanner, but they're also having to pay for the computing resources to run it: hardware, running costs (electricity) etc. It's the leaky bucket that keeps on giving!

So when should you run a virus scanner? I'm of the opinion that it's great for mail servers. But what about your standard desktop? Wikipedia have a list of malware for Linux here. The Mac OS X list is pretty small too - though it seems to mainly center around "social engineering" - that is, relying on the user to get past security (those pages that tell you that you have a virus and should install X piece of software to get rid of it).

I've heard the argument, time and time again, that Linux and Mac OS X enjoy a certain reprieve as they're not as widely used as Windows. What has become obvious to me, though, is that the growth in viruses hasn't been in proportion with Windows.

And now conspiracy theory time... It's normal to buy a virus scanner for Windows, and without a few scares it wouldn't be quite as lucrative a market. What if the only people who had an interest in viruses on those platforms were the ones making virus scanners? Selling software for the Linux platform has never really been easy, and given the income generated by corporate Windows users, would targeting what is essentially a niche market (Mac OS X) make any sense?

The funny bit, though, is that when computer people talk about virus scanners, they talk about all 3 platforms. I'm not convinced. I think it's really hard to justify on both Mac OS X and Linux. But it's the norm, right? ISPs everywhere are telling you that you should install a virus scanner. Hell, I'm sure Netsafe carry the same line.

What if people just swapped their leaky bucket for one that worked?

Amendment 4/2/2013
I just had a thought. Tonight at around 10:30 I had one of those silent calls that eventually end in a "goodbye" in an automated female voice. A quick search on the Internet reveals that it's an approach used by scam artists - apparently the dialler does all of the hard work of finding someone at home willing to pick up the phone. Once the phone's been picked up, it attempts to find an operator on the other end. If one's available, you're connected to an "operator". Online reports show that it's most frequently those MS virus scams - claims that they're technicians and they've found a virus on your machine which they'll gladly fix for you remotely for a couple of hundred dollars.

How many times have you received a virus warning via email only to:

  1. Look at the format of the thing and think this is hinky? If it's got more than 2 different fonts, about the same number of font sizes, and uses bold in the middle of the text, it's almost definitely a fake (though I did at one stage inquire about getting my LPIC (Linux Professional Institute Certification) from Seek Learning and got an email back that didn't pass this test).
  2. Do a little bit of research on the Internet to discover it's a hoax?
  3. Forward it, being a "conscientious" (gullible) person, only to get a reply back saying it's a hoax and to stop forwarding such rubbish?

Viruses have a much worse effect - they have people installing crap (Win7 Defender), willing to pay stupid amounts to get rid of suspected viruses (otherwise the MS virus phone scam wouldn't be successful) and of course, Hollywood has people looking out for things like screen glitches...


  1. Such a nice post, now I'm sharing information about Best Free Online Virus Scanners for your consideration

    1. The other day I was moaning about having spent around 3 days on installing Windows XP for someone when a person I'd just met and particularly disliked almost immediately noted that if I'd been a Windows person I'd probably have been more prepared. Who knew you needed a 200MB download (service packs) to get the USB ports working? (This guy made other claims like "The Internet boom wouldn't have happened without proprietary software", whereas my view is that it happened in spite of proprietary software.)

      Anyway - I note this because online scanners are one of those things that I knew about back when I did a lot of Windows stuff. What you've failed to mention in your comment is that all of those online scanners are Windows only. So... do the whole waste of time scanning thing or get an OS that makes these things almost completely redundant.

  2. I found this blog by accident and found it rather amusing. I hope these comments are of some benefit to you.

    When talking about viruses, what you are actually talking about is security. Viruses are another mechanism to breach a system's security, and such threats are not limited to any one operating system. This has been proven by history, especially recent breaches of corporations' networks, including but not limited to Android powered mobile devices running on a derivation of Linux. Interestingly, Windows Phone has no such threats yet ;)

    Gauging by your comments, it appears you are running your Linux machine without any security. To say you have at least 'some' protection such as a basic firewall on your Linux machine would contradict your entire belief that only Windows is the problem.

    On your blog you could focus on aspects of Linux which 'limit' damage from a potential virus related threat, rather than cite a default Windows install, albeit incorrectly, as being any less secure than a default Linux install. For instance you could talk about kernel and user spaces in Linux and how this works in order to reduce, not eliminate, potential threats.

    When discussing security of any system, you need to make it clear what the most dangerous threat is. That threat is the one you cannot detect. Why not issue the following in your shell: 'ps -ax'. Look at all those services, are they all secure? How do you know they are secure? What if one of those services is breached on your machine, what mechanisms have you got set up which will immediately alert you that something is trying to gain access?

    Additionally, your inference that schools spend money when using Windows, and not when using Linux, is false.
    With Windows you simply install security software with real time monitoring (that use of resources you spoke of), and Microsoft Security Essentials comes free. With Linux, you would need a system administrator well versed in Linux security, and they do not come cheap. For network security, a systems administrator is required regardless of OS, and for Linux, they don't come cheap either. Also education is all about teaching things to children that they are likely to use in future and given that the Windows desktop is the most widely used operating system, it makes little sense to install Linux in schools in the first instance. This is obviously not about which OS is better and therefore irrelevant.

    Windows security has advanced greatly and you might want to read a little bit on it at least to help you. For instance Windows 8 provides support for the UEFI BIOS, a system which checks on bootup whether your operating system has been tampered with.
    Additionally Windows 8 provides 'guard pages' which prevent malware corruption of memory. It also makes it much harder for the malware to attack kernel space and application space. It doesn't stop there, it also provides much tighter control on memory allocation preventing buffer overruns.

    There are other powerful techniques 'supported' to reduce damage:
    -Randomised memory allocation.
    -Allocated special data space marking-blocking any execution of code (DEP)
    -ASLR prevents code from loading at the same place all the time preventing malware from predicting and thus targeting applications.
    -SMEP and others.
    Of crucial importance, however, is that all this is happening before the user has installed that first virus scanner on Windows.

    Lastly I would like to point out that a phishing email or phone call threat is not relevant to the operating system. A user with rudimentary computer knowledge would not be any more protected on Linux from phishing attempts because these attempts rely on user knowledge level, nothing to do with a system's security capabilities.

    The question: Should you use a virus scanner on Linux?
    Irrelevant. All systems are vulnerable.
    Right question: Should you spend time to secure your system?
    Answer: yes.
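The DEP and ASLR items in the comment above have direct Linux counterparts that can be read off a binary's ELF headers: a non-executable stack is declared by a PT_GNU_STACK program header without the execute flag, and the main image can only be randomised if it was built position-independent (ET_DYN), with the kernel's randomize_va_space sysctl controlling ASLR system-wide. The following Python is an added example, not code from the post or its commenters; it parses ELF64 program headers to report those properties, and the sample images it checks are constructed in memory rather than being real executables.

```python
"""Check Linux ELF64 binaries for the hardening features the comment lists.

Added example, not code from the original post. The Linux equivalents of
the comment's DEP/ASLR items are a non-executable stack (PT_GNU_STACK
without the execute flag), a position-independent main image (ET_DYN, so
ASLR can place it) and RELRO. The sample images below are constructed in
memory for demonstration and are not loadable programs.
"""
import struct

PT_GNU_STACK = 0x6474E551   # program header describing stack permissions
PT_GNU_RELRO = 0x6474E552   # region made read-only after relocation
PF_X = 0x1                  # execute bit in p_flags
ET_EXEC = 2                 # fixed-address executable (no ASLR for the image)
ET_DYN = 3                  # position-independent executable or shared object

ELF64_EHDR = "HHIQQQIHHHHHH"   # header fields after the 16-byte e_ident
ELF64_PHDR = "IIQQQQQQ"        # one 56-byte program header


def parse_elf64(data: bytes) -> dict:
    """Return e_type and the (p_type, p_flags) pairs of every program header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2:
        raise ValueError("only ELF64 images are handled here")
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian
    fields = struct.unpack_from(end + ELF64_EHDR, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(end + "II", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_flags))
    return {"e_type": e_type, "phdrs": phdrs}


def assess_hardening(data: bytes) -> dict:
    """Report the three build-time mitigations that can be read off the headers."""
    elf = parse_elf64(data)
    stack_flags = [f for t, f in elf["phdrs"] if t == PT_GNU_STACK]
    # A hardened toolchain always emits PT_GNU_STACK; when it is missing the
    # kernel falls back to its architecture default (historically an
    # executable stack on x86), so a conservative audit treats it as not NX.
    nx_stack = bool(stack_flags) and not (stack_flags[0] & PF_X)
    return {
        "nx_stack": nx_stack,
        "pie": elf["e_type"] == ET_DYN,
        "relro": any(t == PT_GNU_RELRO for t, _ in elf["phdrs"]),
    }


def aslr_level(sysctl_value: str) -> str:
    """Interpret the contents of /proc/sys/kernel/randomize_va_space."""
    return {"0": "off", "1": "partial", "2": "full"}.get(sysctl_value.strip(), "unknown")


def build_sample_elf(e_type: int, phdrs) -> bytes:
    """Construct a minimal little-endian ELF64 image (sample input only)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, version 1
    header = ident + struct.pack("<" + ELF64_EHDR, e_type, 0x3E, 1, 0, 64, 0, 0,
                                 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<" + ELF64_PHDR, t, f, 0, 0, 0, 0, 0, 0x10)
                    for t, f in phdrs)
    return header + body


# Constructed samples: a modern PIE build, a legacy build with an executable
# stack (p_flags RWX), and a build that omits PT_GNU_STACK entirely.
HARDENED = build_sample_elf(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)])
LEGACY = build_sample_elf(ET_EXEC, [(PT_GNU_STACK, 0x7)])
NO_STACK_HEADER = build_sample_elf(ET_EXEC, [])


def assess_file(path: str) -> dict:
    """Run the same check on a real binary, e.g. /bin/ls on a live system."""
    with open(path, "rb") as fh:
        return assess_hardening(fh.read())


if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY),
                        ("no-stack-hdr", NO_STACK_HEADER)):
        print(name, assess_hardening(image))
    try:
        with open("/proc/sys/kernel/randomize_va_space") as fh:
            print("ASLR:", aslr_level(fh.read()))
    except OSError:
        print("ASLR: sysctl not available on this host")
```

Running it on a real host with `assess_file("/bin/ls")` shows whether the distribution's own binaries were built with the mitigations; a missing header or an ET_EXEC result is the thing to investigate.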

    1. Oh I never really talk about security except when it becomes a trade-off for usability. So I often ask things like "What are you really protecting?" but in the case of malware it's downtime. So back when I used to use Windows, this was a fairly frequent thing - despite various precautions.

      As for the most dangerous threat - I disagree. The threat you cannot see? No! It's almost always ourselves. Whether it's seeing a command on the Internet and not understanding what it does before throwing it into bash, putting an unintended "/" or "." in, or something else. Why else would undelete tools have been so popular?

      But yes - I get the point. I often wonder how people would know if they had a rootkit.

      It's almost 3 am here so I haven't really read the whole comment. There's some stuff about cost - software and resources (and the extra processing power) vs. a Linux admin.

      In the last 2 years I was responsible for 1,600 netbooks all with Ubuntu installed in 7 schools. Not a single piece of malware in that time (I'm still involved in the project though I'm concentrating more on the development side of things). So administering 1,600 machines, 7 different sites, and still doing some development. The cost of 1 admin, spread over 8 different entities (the 8th entity being a trust set up for this project) is negligible in comparison to the yearly licensing fees on a virus scanner for all 1,600 machines, the sacrifice in user experience due to the processing consumed by the virus scanner and that's while not mentioning the other issues like ridiculous start up times.

      The rest of a response can wait until I've had some sleep (which I don't think will be happening until tonight... so Saturday...).

  3. You said "As for the most dangerous threat - I disagree. The threat you cannot see? No!"

    You administer 1600 computers and you disagree with security 101?

    Not a single administrator I have worked with would ever utter such words in fear of taboo. I would rather take up burger flipping than to think of such negligence, especially with the responsibility of 1600 'net books' of all things in "7 schools" and you are concerned about 'startup times'... and you still have time for 'developments'

    Like I said, I posted my comments so you could learn something from it. That is your choice and there is no need to type anymore response, please. Have a nice sleep, you will need it to administer 7 different schools.

    1. Dude... really?

      Okay - given that you don't seem to understand security at all, I've written this post:

      Secondly, if you're going to comment here, I'd rather you showed at least a modicum of respect. You admitted you just kind of stumbled on to this post - though that's absolutely no excuse. Random strangers at a bus stop show more respect. If you want to know about my "1600" 'net books' and "7 schools", ask... Check out and

      Don't reply. I'm well and truly sick of your attitude.

    2. Congratulations on your award Nevyn.

      I don't think respecting a blog poster's opinion is an issue here. You have written something that is open to the public, and if there are inaccuracies, some people may take time to explain it to you. There are inaccuracies in these, so perhaps you could respect the time your poster/posters might take to help you identify them. If you really wish me to discontinue, then this will be the last post to your blog. It is your blog after all.

      The issue is not about the project, obviously. The Manaiakalani project is absolutely fantastic for what it does for the less privileged children. In fact full power to the project. It is projects like this that are needed world wide because children are the future.

      It is really about what you posted which isn't entirely correct since it attempts to favour open source using information that is not correct, with nothing but non-Linux operating system bashing. Now I see this is from your involvement with open source. Once again the choice of open source or non open source is not relevant, as long as the children are getting all the opportunities. Microsoft for example is also heavily involved in education programs and heavily discounted software for use by students. The more companies that get involved in helping children the better.

      Not to digress too much, I direct your attention back to "virus" and security relating to "malicious attacks". Your other new blog post is unnecessary. Security is a broad spectrum which is categorised in itself. Your new other post focuses on user related errors which is not the same as security actually. Hence your new blog post is completely unnecessary. Mechanisms always need to be set up to stop those kinds of damage and this will happen whether it is open source or not. Hence there is no advantage to going open source in those regards.

      I am not entirely sure you completely grasp security and a few other inaccuracies I noticed on your many other blog posts - yes, I have read them. In one you talk about Excel and Databases as if they are mutually inclusive and interchangeable. They are absolutely not.

      Indeed the number one threat to internal breaches is the negligence of the users of the network. Black hats will exploit this but we aren't talking about that are we, we are talking about your virus idea and how Linux might be security superior to Windows (it isn't). There is when you ask yourself what is the most dangerous threat and it is simple, it is the one you cannot detect. When setting up security for any system you ask yourself these and many such questions and then do the best you can with it. It is something I am trying to explain to you, which may even lead to a much nicer conversation that could help you enhance your involvement in your project. In reviewing my second post to you, I'll admit I was perhaps a little harsh, and for that, sorry.

      Do you want to learn more Nevyn? I have over 18 years experience in Linux, Windows, enterprise and distributed systems, and software development.

  4. Okay - so there are inaccuracies in there. I don't attempt to be terribly accurate. I would much rather be known for social reforms rather than my technical ability.

    I genuinely was asking the question "Should you use a virus scanner on Linux?". Before writing the post I asked a couple of people - "are they at all concerned by viruses on their Linux Desktop machines?" Perhaps I should have been a little clearer on the fact that I'm talking desktops. One came back with "No. In fact, I never ran a virus scanner when I was using Windows" which wasn't all that encouraging. A few more answers of "Nope" came through. We're constantly told that every system has vulnerabilities BUT to me, it's never really been quantified. Is there a lack of viruses for Linux just because it's not all that mainstream? And if that's the case, shouldn't we be seeing a sharp increase in viruses given the popularity of the Linux kernel in other systems such as ChromeOS and Android?

    So the blanket statement of "every system has vulnerabilities" has us thinking that every system has the same amount of vulnerabilities. Is this really true? A graph, numbers, anything other than an ambiguous blanket statement will probably have me looking into virus scanners to figure out which one to use and recommend to people.

    What happens with those vulnerabilities when found? Does the whole sharing/caring nature of FLOSS have more of those vulnerabilities being pointed out in good faith or are the number of people willing to exploit those vulnerabilities in the same ballpark?

    This leads me to other comparisons that I believe to be erroneous. Namely the amount of time in administration.

    If I was able to deal to 1,000 users face to face (remotely only works in certain situations - the people of a decile 1 community are MUCH better with face to face contact) on a weekly basis with the last 600 or so being more responsible for seeking out technical help (dropping off their computer to a certain spot), and having absolutely no faith in being able to accomplish the same in Windows (I acknowledge that this could possibly be more of an indication of my ability), then I am of the opinion that the admin time required for a Linux desktop is quite a bit lower than that needed for a Windows environment (though, as previously stated, there are flaws with that opinion).

    Which is kind of neither here nor there because...

    Given the opportunities in outsourcing these days, I'm of the belief that the administration costs are actually a hell of a lot smaller than they used to be. So with that in mind, if you're able to have your data online, then the desktop should then be about being up and running. So operating without malware, being able to get up and running at the beginning of the day is placed as a priority to me.

    This also means that there should be a fallback position should something go wrong (and that fallback position should be something that a user could do) - whether that's a rescue partition or reimaging - something that gets the user up and running in a minimal amount of time.

    I still maintain that the unknown vulnerability is less of a threat than the vulnerabilities that you know are there but that you can do very little about (because you can be guaranteed that EVERYONE knows about those vulnerabilities). This doesn't mean I don't understand security 101 (that really was condescending).

    Perhaps in a few years time I'll be getting phone calls from "Linux" telling me I have a virus...

    1. As for my dislike of spreadsheets (Excel is used as an example because this is the one I've seen used in most small businesses): Spreadsheets are a fantastic presentation tool and they've got a low barrier of entry in terms of "making a sheet".

      Where they fail though is that those sheets are then used for years for storing mission critical data. Most of those sheets show up the flaws in a flat data structure and would greatly benefit from a more relational structure. Not only that, but you're relying on everyone who has access to that sheet to keep that data consistent. How many offices around the place rely on a secretary/other admin person to operate as a bit of an Information Management System on these spreadsheets?

      So, while spreadsheets still have their place, I think the default position should be with a view of putting in a database with a web based front end (which means that there's only ever the one way to interact with the data). This requires work - the barrier of entry needs to be lowered for producing front ends and the tools for making a database made a whole lot easier.

      Just like I acknowledge that Windows has a place, mainly for its management of corporate type desktops and the like, I am still of the opinion that most users would benefit greatly from using Linux on their home machines. Spreadsheets have their place, but the way they're used is at times just silly.

      It's all about balance...

    2. Part 1:
      "Okay - so there are inaccuracies in there. I don't attempt to be terribly accurate."
      Now you are being proactive and realise there are things you need to still understand, this is very good.
      Since you have tried to have a conversation for a change, I will answer some of your questions.
      "We're constantly told that every system has vulnerabilities BUT..."
      Study the list of breaches on a number of different systems, it will quantify itself.
      "Is there a lack of viruses for Linux just because it's not all that mainstream...Android?"
      Firstly there has been a virus for Android so that already answers your query. The idea that a system does not have as many threats because it is not mainstream is a valid statement, but there are also other factors which can reduce a system's capability to be susceptible to viruses. I will explain. A system which is not mainstream will have the attention of less malicious attacks because there is less advantage to gain from it. Proportional to that the more clever black hats will be favouring the mainstream systems and so any vulnerability on a non-mainstream system will remain unknown until such a time when someone pays attention enough to discover it.

      Linux/Chrome may be slightly gaining market share, but they aren't there yet. Attacks on a system are not linearly proportional to its popularity, far from it. I.e. a system increasing in popularity does not cause a proportional increase of attacks on it.

      "So the blanket statement of "every ...amount of vulnerabilities."

      The statement is correct, but you have understood it incorrectly. The statement does not focus on quantity of breaches, just that a system can be breached.

      In regards to your FLOSS comment, not sure what you are saying here so I will make an assumption. I assume that you mean open source patches for vulnerabilities occur faster than proprietary. This was true a few years ago and did provide an advantage to open source, however it is no longer true.

      "I am of the opinion that the admin time...there are flaws with that opinion)."
      There are absolutely flaws in that opinion ;) especially with today's ability to apply virtual servers, and in an increasing number of businesses RDP is getting popular over VPN, and so far I have seen only Windows enterprise servers able to execute this smoothly. Read that carefully; this is not saying Unix and Linux are not capable of working with it.

    3. Part 2
      "Given the opportunities in outsourcing...used to be."
      Outsourced administrators? That's new. No :). I will explain. It only applies to temporary projects such as the one you are engaged in, where individuals do not need many qualifications nor be experienced administrators. In your case your job from what I can ascertain is to do basics such as image distros, possibly repackage as well, and script installs. So in your environment, outsourcing "technicians" is an advantage.

      "I still maintain - that the unknown vulnerability is less of a threat than the vulnerabilities that you know are there but that you can do very little abo..."
      It would be silly not to patch known vulnerabilities first but you miss the idea I have been trying to explain. You cannot patch a vulnerability you do not know about however you need to be able to *think* about how you can reduce the impact when it happens. I will explain.
      You are running Apache and it is tied to MySQL in order to provide interactive user data. You have patched all the known vulnerabilities, however that database is a problem should a breach occur in the future. So you think, well that's ok, you will just place Apache in a root jail. Not quite so simple, MySQL does not like this and even so, the DB is still in the same virtualised root space. Solution: limited access to MySQL on a different server which may be a VM on the existing server. There are other mechanisms more elegant than this, but this is a 'proof of concept' only. This kind of thinking happened because I thought about how I am going to protect the database. In reality, just running MySQL on a VM or different server won't fully protect it. I'll leave that as an exercise for you. :)
      In your blog titled “computer security” you talk about level of security based on what you need to protect. This is somewhat true but not entirely, especially when it isn’t you who decides what data is important and what isn’t. Hence for any data that is deemed important, you need to apply PLOP, Gold and CIA.

      A very common rookie mistake is to have very little knowledge about something, apply your own version of what it should be instead of the accepted tried, tested and solid standards, and then proceed to work on it. It is these types of admins who get caught with their pants down. You’d be surprised how much this happens.

    4. Continuing with your second reply…
      “As for my dislike of spreadsheets …Spreadsheets are a fantastic presentation tool and they've got a low barrier of entry in terms of "making a sheet".”
      Spreadsheets are not 'fantastic presentation tools', that's the domain of PowerPoint/LibreOffice Impress/etc. Check out the history of why Dan Bricklin created VisiCalc, and its iterations and transformations today and you will understand, and hopefully start to like it.
      “Where they fail though is that those sheets are then used for years for storing mission critical data.”
      This is not a fault of the spreadsheet.
      “Most of those sheets show up the flaws in a flat data structure and would greatly benefit from a more relational structure.”
      Data is never flawed. Data simply has no meaning unless it is information. Data and information are mutually exclusive. Every piece of data has to be transformed, integrated, be non-volatile, and be appropriate to what needs to be analysed. So not all data will benefit from a relational structure of an RDBMS. For instance analytical information must not be stored in an RDBMS, but data it processes into information can be stored in an RDBMS. Above I said data is never flawed, this is true, but GIGO still applies and will show up at the user end if data is allowed to be garbage.
      “Not only that, but you're relying on everyone who has access to that sheet to keep that data consistent.”
      If this is important for the data, then yes it will benefit from being relational, although you wouldn’t do it for a lemonade stand, bit of an overkill ;)
      “How many offices around the place rely on a secretary/other admin person to operate as a bit of an Information Management System on these spreadsheets?”
      It depends on how the business is set up, and the size of the business. It is also dependent on the importance of that data, for instance a doctor's patient information.
      Most businesses will use a CRMS with the front end tied to a relational database. Smaller businesses may opt to use a single file DB such as MS Access. I have written front ends which let the DBMS do the necessary processing, take that data and display it in an Excel spreadsheet. The front end provides a nice user interface but the DBMS and the front end hide those 'oops' moments. Data entry is controlled, guided and limited.
      “…and the tools for making a database made a whole lot easier.”
      You don't make a database, you design it. Tools for designing are plentiful, they just need to be used by someone who knows what they are doing. This involves lengthy meetings with clients and a lot of writing, identifying the stakeholders, and the actors. The DB is then designed and built by a skilled DBMS designer, not the end user.

    5. You really can be condescending. I really do try not to get stuck on semantics (you should give it a try). If I understand a religion to be about tolerance, I do not get stuck on the one passage that seems to be counter to the general theme of that religion.

      The original question was "Should you use a virus scanner on Linux?". I would put it forward that there are some advantages to FLOSS that make a virus scanner less needed - such as having the control, at a very low level.

      So - you admit that the statement around all systems having vulnerabilities makes absolutely no assertion to the number of vulnerabilities and thus, I can safely assert this to be an advantage of Linux over Windows - while it has vulnerabilities, they are, thus far, not breached as widely as Windows.

      You misunderstand the intent behind my comment around the path taken when a vulnerability is found in Linux. The speed of updates (From recent experience, I've found Mac OSX to be abysmal on this front) is less of a concern than the course taken. I can be fairly well assured that a vulnerability will be exploited in Windows. I wonder if this is still the case in a FLOSS environment as the social conscience is quite different - this is a hypothetical question with my idealist hat on.

      No - not outsourcing administrators - outsourcing options around services. If your files can be managed by (dare I say it) Google Drive or Dropbox (just to cover a few of the options around file servers), then concerns around backups (offsite) and security are effectively outsourced. The cloud experience is becoming more ubiquitous as time goes on with JavaScript featuring largely on the desktop.

      I would really rather you didn't make assertions as to what I did for the Manaiakalani project.

      As for the spreadsheet discussion - I try to talk about what happens and the reality is that because a spreadsheet has a very low barrier of entry, it is easy to design it to your needs with no eye to consistency or integrity. Information (data) can be imperfect (that's semantics and you know it) and outright wrong. I'm a fan of enabling people to do things for themselves. So if a database front-end was easy to build and the database itself designed by someone who knows the business logic (without having to understand the difference between a varchar and varchar2 etc.) then you'd have the best of both worlds. Data where information has meaning and have it built from within the company concerned without the inhibitive costs of a contractor to build it for them. No - a spreadsheet is not a database. In most of the cases I've seen in small companies (under 50 employees - but usually growing) a whole host of spreadsheets are being used as an information system with a secretary doing the management of that information - all better suited to a database. My assertion is that an end user SHOULD be able to build a front end and design a DB - the logic isn't that difficult.

  5. "So - you admit that the statement around all systems having vulnerabilities makes absolutely no assertion to the number of vulnerabilities and thus, I can safely assert this to be an advantage of Linux over Windows - while it has vulnerabilities, they are, thus far, not breeched as widely as Windows."

    What a load of cobblers. Like the rest of your blogs. Especially your large self promoting spurge here:

    I have tried to help, but since you display arrogance and are generally irritating let me put you in perspective after assimilating information present in your blogs.

    -You are mostly unemployed.
    -Doing contracts lasting one or a few months but less than a year in various places.
    -Your current work is really nothing to do with administrative work, even though the contributions are major for the project itself (which is why you got awarded, and rightly so). Probably the longest in any "IT" related work.
    -Your work with the FLOSS group I cannot comment on, but it wouldn't be as an expert on security.
    -You claim to even be knowledgeable in software development yet in one blog you claim procedural language is better than Object orientated in "some" situations and cite "stability" as a reason. More cobblers, and evidence you have absolutely no idea what OOP is.

    There is no evidence of any solid security or development work but you claim to be an expert in it when in reality you do not know anything.
    And yes you do claim to be an expert hence your "special" computer security post. It is ironic that you claim how you dislike people who try to validate their own need for attention. It seems you are simply describing yourself and I prove this with your own blogs.

    As for continuing to tell me I haven't answered your blog's question, try reading, it really works. My first post in very great detail answers it.

    Look, I posted here thinking you have "some" knowledge and needing some guidance, but instead you have been insulting, arrogant and plain silly.

    I'll leave your blogs to you so you won't have to worry about reading accurate information again. Good luck with your future.