Linux has a well-deserved reputation for being an extremely secure operating system when compared to the alternatives. Linux and other operating systems based on Unix have a permissions model that makes it very difficult for malware to carry out the sort of changes to the system that would be useful to malware creators, so, for the most part, users of Linux servers don’t have to worry about “getting a virus”.
However, it’s not true that no malware exists for Linux, nor is it the case that Linux and the software it runs are totally impregnable to hackers. Malware that attacks the operating system itself is mostly “proof-of-concept” software that has a very low success rate in the wild, but, as with all software, vulnerabilities are occasionally discovered in the kernel or in the software that Linux servers run: the Apache web server, the PHP scripting language, or the SSH server, for example. We’re going to have a look at why you might want to install Linux malware scanners on servers, and run through some of the available options.
Why You Need Linux Anti-Malware Software
Serving Files To Windows Users
Microsoft Windows is more secure than it once was, but it is still vulnerable to malware infection, both because of its popularity and because of the relative lack of technical sophistication of its users (statistically true, but not true of all Windows users). If you’re running a site or service on your Linux server that allows the exchange of files between Windows systems, an email server or a forum, for example, then it makes sense to scan incoming and outgoing files so that your server doesn’t become a distributor of malware to more vulnerable systems.
Some areas of business, particularly those that handle privileged information, medical data, or financial records, require that all servers used to store data have anti-malware software installed.
Potentially Vulnerable Internet Facing Services
As I said earlier, no software is invulnerable to hackers. Zero-day exploits are occasionally found in software like Apache and SSH. On occasion, privilege escalation exploits are discovered that allow hackers access to a root shell, and in that case they can install any malware they choose. The best way to deal with vulnerabilities like this is to keep your Linux distributions up-to-date — in the open source world, patches are usually issued very quickly for disclosed vulnerabilities — but it’s always possible that a hacker has found a vulnerability that more scrupulous researchers have not.
Linux Anti-Virus Software
ClamAV is probably the best-known open source Linux anti-virus scanner available and is frequently used on mail gateways. It can detect trojans, viruses and other malware, and is especially useful for making sure a Linux box isn’t spreading malware to Windows systems.
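ClamAV’s clamd daemon accepts file contents over a local socket with its INSTREAM command, which is how a mail gateway or the file-exchange service described under “Serving Files To Windows Users” scans each file in transit before releasing it. The following is an added example, not code from the original post or from the ClamAV project: the socket path is an assumption (match the LocalSocket setting in your clamd.conf), and handle_upload is a hypothetical wrapper showing how a scan verdict turns into a release-or-quarantine decision.

```python
import os
import shutil
import socket
import struct

# Assumed clamd local socket path; match LocalSocket in your clamd.conf.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"

def instream_frames(data, chunk_size=8192):
    """Yield the frames of one clamd INSTREAM session for `data`."""
    # Wire format: "zINSTREAM\0", then 4-byte big-endian length + payload
    # chunks, terminated by a zero-length chunk.
    yield b"zINSTREAM\0"
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        yield struct.pack(">I", len(chunk)) + chunk
    yield struct.pack(">I", 0)

def parse_clamd_reply(reply):
    """Map a NUL-terminated clamd reply to (clean, signature_name)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")  # drop the "stream: " prefix
    if verdict == "OK":
        return True, None
    if verdict.endswith(" FOUND"):
        return False, verdict[:-len(" FOUND")]
    # e.g. "INSTREAM size limit exceeded. ERROR": fail closed, never deliver
    raise RuntimeError(f"unexpected clamd reply: {text!r}")

def scan_bytes(data, sock_path=CLAMD_SOCKET):
    """Stream `data` to clamd over its UNIX socket; return (clean, signature)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):  # z-commands end the reply with NUL
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_clamd_reply(reply)

def handle_upload(path, release_dir, quarantine_dir):
    """Hypothetical upload hook: release clean files, quarantine detections."""
    with open(path, "rb") as f:
        clean, sig = scan_bytes(f.read())
    dest = release_dir if clean else quarantine_dir
    shutil.move(path, os.path.join(dest, os.path.basename(path)))
    return clean, sig
```

Because an ERROR reply raises instead of returning a verdict, a misconfigured or overloaded clamd blocks delivery rather than silently passing files through.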
Linux Malware Detect is a malware scanner designed particularly for use in shared hosting environments. It generates its malware signatures from “network edge intrusion detection systems” as well as community resources and user submissions.
Cxs is used to scan for potential exploits in files as they are being uploaded to a server.
Once a hacker breaks into a system, he or she will probably try to install a rootkit. Rootkits replace key parts of the Linux software stack with modified versions that can be controlled by the hacker. To the users of the server they will look like the standard set of tools, but once a rootkit is installed the server can no longer be trusted. Rootkit Hunter will scan for rootkits, backdoors, and other local exploits.
This is only a handful of the available Linux anti-virus and malware protection tools. Feel free to share the tools you’ve had positive experiences with in the comments below.