My Pet Viruses

If you’re running Linux the chances are probably pretty good that you’re not using an antivirus application. This is a common practice among personal Linux users since viruses aren’t as rampant as they are on Windows.

There’s no doubt that viruses still exist for Linux, and that is cause for some people, especially corporate users, to want an antivirus solution that works well. Untangle took it upon themselves to try 10 of the available antivirus applications for Linux. They did it live at LinuxWorld, where they tested 18 known viruses. Many of these have been in the wild for quite some time (some even for years), so it was expected that all the applications would catch them. As it turns out, only Kaspersky Linux, the open source Clam AV, and Norton finished the test at 100%!

None of those were zero-day viruses, so they did another test that contained user samples. They weren’t completely sure what those viruses were, but they said they were “fairly confident some were newer ‘zero-day’ viruses, and some were ‘custom’ viruses.” In the end these were the overall results:

[Image: Antivirus on Linux]

Here is the response from Untangle regarding the results:

As always, we are surprised by how poor many of these solutions are performing. Contrary to many statements, Clam is a top performer, and also ran 10 times faster than many solutions. Kaspersky is clearly an excellent engine, and Norton also performed well although it consumed lots of resources on the test machine. The rest of the solutions, some of which are quite expensive, were mediocre to terrible.

This raises many questions… Why has no one publicized this? What is wrong with the way we are testing antivirus solutions? Why do some testing labs claim Clam does significantly worse than commercial solutions?

According to the results of this test, the best price-to-quality application you could use is Clam AV. It’s free, consistently ranks high, and the people running the tests said it is about 10 times faster at scanning than the comparable solutions (some of which are commercial). I was a little disappointed that they didn’t try other free programs like Avast! for Linux or AVG for Linux, but they did make their set of viruses available so that other people can run the tests themselves.

Thanks for the tip CoryC – via SlashDot

There Are 13 Comments

  1. It’s interesting that Norton performs about the same on Linux as it does on Windows, both in terms of using lots of system resources and the effectiveness of its engine.

    What surprises me is that the person who conducted the test said, “…Norton also performed well.” 88.6% is not a good performance for an antivirus application that’s trying to catch KNOWN viruses.

    Everyone say this with me: 88.6 percent is not good enough! Symantec is one of the largest security companies and they offer a mediocre product. As long as they are given a pass for poor performance it will continue.

    • Norton catches 100% of KNOWN viruses and 88.6% of CUSTOM/UNKNOWN viruses. It’s completely fair to say that “Norton also performed well”. However, I’ll stick with ClamAV as Kaspersky is costly and ClamAV is free and fast.

    • I wouldn’t want to fly on an airline that landed successfully 88.6 percent of the time.

  2. Well, I am not surprised by the results for Kaspersky or Norton. Symantec has been shipping a sub-standard product for ages now, and I personally use AOL Active Virus Shield on my Windows machine and I am extremely happy with the Kaspersky engine. What surprises me is the performance of Clam AV. I have to try it out on my Kubuntu installation.

  3. Norton caught 100% of the known viruses; it wasn’t until they mixed things up a bit that it missed some of them. They said that they took user samples of some viruses, some of which they believe are zero-day and custom made, and that’s where Norton missed a few.

    But I agree, being that it is a large company that is seen on many corporate machines it should be catching much more than that.

  4. Sweet article, and very informative. Thanks for the info; although I currently don’t use an antivirus on my laptop (Ubuntu 7.04), I should look into AVG or ClamAV.

  5. I was surprised that there were so many readily available viruses for Linux; I’d always thought the only reason to run AV on a Linux box was if it was a mail server for Windows machines. So I downloaded the test set to my trusty Linux machine and… They Were All Windows Viruses!… Linux won’t do much with those exe files.

    If you want the viruses, or an excel spreadsheet listing them by name, they can be found here: [virus.untangle.com]

    Daryl
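The observation above, that the test corpus consists of Windows executables, can be checked mechanically before judging any scanner on it. This added example (not code from the post or from Untangle) classifies samples by their header magic (PE vs ELF) and tallies what platform a corpus actually targets; the file names and sample bytes below are constructed, and the directory scanner assumes the samples sit unpacked in one folder.

```python
import struct
from pathlib import Path

def classify_executable(data: bytes) -> str:
    """Return 'elf', 'pe', 'dos' (MZ stub without PE header) or 'other'."""
    if len(data) >= 4 and data[:4] == b"\x7fELF":
        return "elf"
    if len(data) >= 0x40 and data[:2] == b"MZ":
        # e_lfanew at offset 0x3c gives the offset of the "PE\0\0" signature
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]
        if pe_off + 4 <= len(data) and data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
        return "dos"
    return "other"

def summarize(samples: dict[str, bytes]) -> dict[str, int]:
    """Count samples per executable format; the AV-relevant question is how many are PE."""
    counts: dict[str, int] = {}
    for data in samples.values():
        kind = classify_executable(data)
        counts[kind] = counts.get(kind, 0) + 1
    return counts

def summarize_directory(folder: str) -> dict[str, int]:
    """Same tally over real files in a folder (assumed unpacked sample set)."""
    return summarize({p.name: p.read_bytes() for p in Path(folder).iterdir() if p.is_file()})

def _fake_pe() -> bytes:
    # Constructed: MZ stub, e_lfanew = 0x40, PE signature followed by Machine = i386
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + struct.pack("<H", 0x14C)

def _fake_elf() -> bytes:
    # Constructed: ELF64 little-endian header prefix with e_machine = x86-64
    return b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9 + struct.pack("<HH", 2, 0x3E)

# Constructed stand-in for a downloaded test set
SAMPLES = {
    "sample_a.exe": _fake_pe(),
    "sample_b.exe": _fake_pe(),
    "sample_c.bin": _fake_elf(),
    "sample_d.zip": b"PK\x03\x04" + b"\x00" * 60,
}

if __name__ == "__main__":
    print(summarize(SAMPLES))  # {'pe': 2, 'elf': 1, 'other': 1}
```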

  6. Correct me if I’m wrong but although these scanners are made for Linux, they only detect Windows viruses. Therefore such a scanner would be unnecessary as these viruses can’t do any harm in a Linux environment. Unless you use a dual-boot system and regularly access your Linux partitions on Windows and vice versa.

    If you install system updates as soon as they’re available (most Linux distributions come with an updater system), the chances of you getting a Linux virus are very small.

    I for one have never used a virus scanner on Linux, and I have never had to deal with a virus yet. And remember: viruses cannot activate themselves. The user needs to go to a malicious website, open a certain attachment or execute a certain file first in order for the virus to start doing its job. If you’re smart enough, you don’t need a virus scanner, even on Windows. Yeah, you should do it (at least on Windows) to be on the safe side, but think about it: have you ever had a virus that snuck in without requiring you to take any action? Probably not. These antivirus products are a rip-off, unless you’re using a free product of course. :)

    • > Have you ever had a virus that snuck in without requiring you to take any action?
      Yeah, I have. It was on Windows with Internet Explorer, too many sites opened, and some of them were bad enough to put viruses on the computer. After this I always have the resident shield enabled, use Firefox and visit only more-or-less trusted sites.
      I understand that it means that I went to malicious websites. But… A skillful virus writer could have put a virus even on a completely trusted site (say, become an advertiser on Yahoo! Mail, use Flash and exploit one of its vulnerabilities).

      Even the New York Times had an attacker jumping from an advertisement recently. The attacker was silly enough to use social engineering: it’s workable with some people, but it led to him being noticed and removed from this position.

      If there was a hole in the browser, a skillful attacker could have easily put a virus on the computer.

      Say, create a virus for hiding in images, edit images on Wikipedia, and everybody looking at them has a risk of being infected. Fortunately, there are no such holes in image readers now, so this vector became impossible. And the vandal would soon be blocked.

      The position of an advertiser on a well-known site is still the most comfortable. People will hardly connect a virus with a trusted site, if the attacker is skillful enough and has a zero-day virus.

    • @Pieter, quote: viruses cannot activate themselves
      (Windows based) Some viruses can run themselves via an autorun file. Keeping a rescue disk from one or two vendors is better than slowing down your system with an antivirus installed.

  7. @Pieter: You may be right that the scanners detect only Windows viruses; I’ve never actually checked if they tackle non-Windows ones as well. But even if that’s the case, THIS is the point of them.
    I’m running different flavours of Linux and Windows on my machines and all of them have anti-virus software installed.
    Why?
    Because the last thing I want is to pass on infected files (i.e. just by forwarding an email). This is extremely important in business cases.

    And generally:
    I’m surprised that there is no mention of NOD32. I’m using it [read: my clients use it] on Linux mail and file servers in mixed OS environments (+ on Linux and Windows workstations) and I know I can sleep easily.

    It would be good to get similar comparison with NOD32 included.

  8. Hi, I used Clam AV on Ubuntu 9.10. It said that the encrypted zip packages had viruses in them. These packages were official updates for Ubuntu. Could their Linux server be contaminated with viruses? I also have a firewall installed on Ubuntu 9.10.
