Wednesday, July 21, 2010

How useful is anti-virus in Linux? (Part 1)

In almost three years of using Linux, I've never come across any Linux malware.
I have come across two tales of Linux malware. I'm revisiting them now to ask: do these stories suggest that using anti-virus software is necessary or advantageous?
In December 2009, malware was found inside a screensaver on gnome-look.org. The malware was a "script with elevated privileges designed to perform a DDoS attack as well as keep itself updated via downloads".
The moral of the story was clear: don't install software packages from untrusted sources.
The malware script can be found in the Ubuntu forum post linked to in the story above, so I decided to save the script as a text file and send it to VirusTotal, to see how many, if any, anti-virus programs detected it. I found that somebody had already done this, a couple of days after the malware was discovered, and that no anti-virus program at VirusTotal had detected the script at that time.

I then hit the 'Reanalyse' button to see what the result would be seven months later.


This time, eight anti-virus programs detected the script as malicious.
The two points that can be made here are:
  • None of the anti-virus products on VirusTotal (which is most of 'em) would have detected this script as malware during the time it was available to download.
  • Even seven months later, only a small number of anti-virus programs would detect this malicious script.
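The check described above (hash the file you downloaded, look the hash up on VirusTotal, and look it up again later to see whether detections have caught up) can be scripted. The following is an added example, not code from the original post or from the forum thread it links to. It assumes the current VirusTotal v3 API (which postdates this post), an API key in the VT_API_KEY environment variable, and a constructed sample report whose engine names are hypothetical; nothing in it is a real report for the gnome-look screensaver script.

```python
"""Hash a downloaded file and check it against VirusTotal by hash.

Added example, not the blog author's code. Assumptions:
- VirusTotal API v3: GET https://www.virustotal.com/api/v3/files/<sha256>
  with the key in an 'x-apikey' header (the 2010 post used the older v2 API).
- SAMPLE_REPORT below is constructed to mirror the shape of a v3 file
  report; the engine names and counts are hypothetical.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Iterable, Optional

VT_FILES_URL = "https://www.virustotal.com/api/v3/files/"


def sha256_of_chunks(chunks: Iterable[bytes]) -> str:
    """SHA-256 over an iterable of byte chunks (lets us hash without slurping the file)."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash a file in 64 KiB chunks; the hash is what VirusTotal is keyed on."""
    with open(path, "rb") as f:
        return sha256_of_chunks(iter(lambda: f.read(1 << 16), b""))


def summarize_report(report: dict) -> dict:
    """Reduce a v3 file report to what the post cares about: how many
    engines flagged the file out of how many actually scanned it, and which.
    Engines that timed out, failed or do not support the file type did not
    really vote, so they are excluded from the denominator."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    flagged = sorted(
        name for name, r in results.items()
        if r.get("category") in ("malicious", "suspicious")
    )
    ran = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    return {
        "detected": len(flagged),
        "engines": ran,
        "flagged_by": flagged,
        "last_analysis_date": attrs.get("last_analysis_date"),  # epoch seconds in v3
    }


def fetch_report(sha256: str, api_key: str) -> Optional[dict]:
    """Look the hash up. None means VirusTotal has never seen the file,
    which is exactly the 'brand new malware' case the post describes:
    no verdict at all, not even an undetected one."""
    req = urllib.request.Request(VT_FILES_URL + sha256, headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:
        if e.code == 404:
            return None
        raise


# Constructed sample in the shape of a v3 report (hypothetical engine names).
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_date": 1279670400,
            "last_analysis_stats": {
                "malicious": 2, "suspicious": 0, "undetected": 2,
                "harmless": 0, "timeout": 1, "type-unsupported": 0, "failure": 0,
            },
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Shell.DDoS"},
                "EngineB": {"category": "malicious", "result": "Backdoor.Linux.Agent"},
                "EngineC": {"category": "undetected", "result": None},
                "EngineD": {"category": "undetected", "result": None},
                "EngineE": {"category": "timeout", "result": None},
            },
        }
    }
}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    digest = sha256_of_file(path) if path else None
    api_key = os.environ.get("VT_API_KEY")
    if digest and api_key:
        report = fetch_report(digest, api_key)
        summary = summarize_report(report) if report else {"detected": 0, "engines": 0,
                                                           "flagged_by": [], "unknown": True}
    else:  # offline: show the summary for the constructed sample instead
        summary = summarize_report(SAMPLE_REPORT)
    print(json.dumps({"sha256": digest, **summary}, indent=2))
```

Run as `python vtcheck.py ~/Downloads/screensaver.tar.gz` with VT_API_KEY set; without a key it summarises the constructed sample. Two details matter for the point the post makes: a 404 (file never seen) is reported separately from "scanned and clean", and the detection ratio counts only engines that actually scanned the file, so a handful of timeouts cannot make a low detection rate look even lower.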
To answer the question: is using anti-virus software necessary or advantageous in Linux? In the case of new Linux malware at least, the answer seems to be that anti-virus software has nothing to offer; caution remains the key.
