Linux refugees from other platforms are accustomed to the need for continuous vigilance against viruses and other malware. Always-running robust antivirus software is a simple, if annoying, necessity of life for Windows users, and is highly recommended for Mac users.
With Linux, however, the usual advice (including, for example, the official Ubuntu advice) is that antivirus software is not needed. And, despite the (very rare) existence of malware that targets Linux systems, antivirus software can endanger your Linux device. This is a view we endorse. This can make the fact that Linux antivirus programs exist rather confusing. So let's drill down a little deeper.
The caveat here is that we are talking about home systems. Securing Linux servers is beyond the scope of this article, but the main purpose of running antivirus software on Linux servers is to prevent files shared on the servers from infecting Windows and Mac machines, rather than protecting the Linux servers themselves.
Why don’t I need a Linux antivirus program?
1. Popularity (or lack thereof)
Linux has a desktop market share of around 1.8%. It simply isn’t worth a techno-crook's time developing malware that targets its users. Windows (88% market share) is the obvious low-hanging fruit, although Mac (9.3% market share) malware, while still rare, is becoming more common.
2. Most Linux software is installed via a distro's “app store”
And the chances of getting malware from software cataloged by your app store are virtually nil.
3. Linux is secure by design
It is very rare to log in to Linux as the root user, meaning that malicious software cannot execute itself without your express permission (i.e. entering a password).
Besides this, in most distros the open source Linux kernel is usually protected by a Mandatory Access Control (MAC) system such as AppArmor or SELinux, which limits what programs can do.
4. Antivirus software can actually be dangerous!
Antivirus programs can be hacked, a problem compounded by the fact that because of their very nature, they require many high-level permissions to do what they do.
This is also true on other platforms, but the risk of malware is so much greater on other operating systems that the need for antivirus software easily outweighs any such concerns. When the risk of malware is almost non-existent, as with Linux, anti-malware software itself should be viewed with suspicion.
Does Linux malware exist?
Yes. But the bottom line is that it is so rare that the cure is arguably more dangerous than the disease. And no rootkits that affect desktop Linux systems have ever been found in the wild.
Does Linux anti-malware exist?
Given this situation, and given that almost all reputable sources recommend against the need for using anti-malware products, it comes as something of a surprise that Linux antivirus products exist (although several high-profile and still often-recommended options have quietly died in recent years).
The strongest argument for using anti-malware programs in Linux is to protect Windows and Mac users from malicious files that you might unwittingly pass on.
This is the main reason the use of antivirus apps is a higher priority on Linux servers that store large numbers of files uploaded by users of other platforms.
If, despite all this, you are worried that a virus may infect your Linux system, then options are open to you.
What Linux antivirus programs exist?
The first port of call for most Linux users who decide they really need an antivirus program in their life is the free, open source, command-line only ClamAV.
In the 2008 AV-Test, ClamAV was initially found to be largely ineffective, with many false positives. By 2011, Shadowserver found that ClamAV was able to detect 76.60% of malware when tested against 25 million samples, placing it 12th out of 19 rivals. Later in the same year, during a six-month test, ClamAV detected 75.45% of samples over the course of the test, placing it fifth behind AhnLab, Avira, BitDefender and Avast. Unfortunately, most of this information is outdated and we cannot find any modern tests of the effectiveness of ClamAV, so take this data with a pinch of salt.
ClamAV can be installed using your distro's standard package manager (for example sudo apt-get install clamav on most Debian-based distros), or can be downloaded as a tarball from the ClamAV website for those who prefer to compile their programs from source.
You will probably need to read through the documentation to use ClamAV correctly, but it provides real-time system protection, plus on-demand and scheduled scans.
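The scheduled-scan use case the article describes (keeping a folder that Windows and Mac users download from free of malicious files) can be scripted around clamscan. This is an added example, not code from the article or the ClamAV project; the share, quarantine and log paths are assumptions, and the log the parser is exercised on is constructed sample data in clamscan's output format.

```shell
#!/bin/sh
# Added example (not from the article or the ClamAV project): a scheduled scan of a
# folder shared with Windows/Mac users, plus a parser for the resulting clamscan log.
# Assumed paths; override them in the environment before running.
SHARE_DIR="${SHARE_DIR:-$HOME/Public}"                 # folder whose files others download
QUARANTINE="${QUARANTINE:-$HOME/.clamav-quarantine}"   # hits are moved here, out of the share
LOG="${LOG:-$HOME/clamscan-share.log}"

# Run clamscan over the share: recurse, list only hits, move hits to quarantine, log it.
# clamscan exit codes: 0 = nothing found, 1 = infected file(s) found, 2 = error.
run_scan() {
  mkdir -p "$QUARANTINE"
  freshclam --quiet 2>/dev/null || true              # refresh signatures when permitted
  rc=0
  clamscan --recursive --infected --move="$QUARANTINE" --log="$LOG" "$SHARE_DIR" || rc=$?
  case "$rc" in
    0) echo "clean" ;;
    1) echo "infected: see $LOG and $QUARANTINE" ;;
    *) echo "scan error (exit $rc): see $LOG" ;;
  esac
  return "$rc"
}

# clamscan writes one "<path>: <signature> FOUND" line per hit; print just the paths.
list_found() {    # $1 = clamscan log file
  grep -E ' FOUND$' "$1" | sed -E 's/: [^:]+ FOUND$//'
}

# Number of hits in a log (0 when grep finds nothing).
count_found() {   # $1 = clamscan log file
  list_found "$1" | wc -l | tr -d ' '
}

# Constructed sample log in clamscan's format (not real scan output), written to $1,
# so the parser can be exercised without ClamAV installed.
write_sample_log() {
  cat > "$1" <<'EOF'
/home/user/Public/report.docx: OK
/home/user/Public/invoice.zip: Example.Test.Signature-1 FOUND
/home/user/Public/setup final.exe: Example.Constructed.Sig-2 FOUND
/home/user/Public/notes.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 2
EOF
}
```

Calling run_scan from a daily cron entry gives the scheduled scan the article mentions, and the log parser lets a second script act on the hits (for example by warning the people who share the folder).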
ClamTK is a graphical front-end for ClamAV. It’s available from most distros’ app stores, or you can download it directly from the ClamTK GitLab page. Fedora, CentOS 7, and CentOS 8 .rpm packages are available, as are Debian/Ubuntu .deb and tarball packages.
The standard ClamTK package includes ClamAV, but if you already have ClamAV installed, you can install the ClamTK GUI on top of it using the following command:
sudo apt install clamtk
Sophos Antivirus for Linux
Sophos is a cybersecurity company that develops commercial antivirus products for Windows, macOS, and Android. In its 2019 analysis of 250 of the top Android antivirus apps and services, AV-Comparatives found that Sophos detected 100% of its test malware samples.
Sophos Antivirus for Linux is a much simpler piece of software that, once installed, sits quietly in the background monitoring your folders and only showing itself when it detects a problem.
It has no user-selectable options or features, although you can edit a config file to specify which folders the software scans. The community-supported version is closed source but free, or you can opt for a paid-for, officially supported version (we’re not sure of the pricing for this).
Sophos for Linux is downloaded as a tarball that can be installed on any Linux distro using an included install.sh file.
ESET NOD32 Antivirus for Linux Desktop
ESET is known for its fully featured and rock-solid antivirus products for Windows and macOS. In its 2019 analysis, AV-Comparatives found that ESET software detected 100% of its test malware samples, a finding borne out by AV-TEST’s 2018 report on ESET Cyber Security Pro for Mac, which also had a 100% detection rate.
ESET NOD32 Antivirus for Linux is a much simpler affair than its Windows and macOS cousins, but it provides a full GUI with real-time virus protection and on-demand or scheduled smart or custom scans.
ESET NOD32 Antivirus for Linux costs $39.99 per year per device, and its license is transferable between devices and platforms (Windows, macOS, and Linux). The package can be downloaded for most Linux distros (32-bit or 64-bit) as a .linux file that can be made executable.
Comodo Antivirus for Linux
This is another closed-source antivirus product that is free for personal use, from big-name antivirus vendor Comodo. It has a GUI and can perform system monitoring and on-demand scans.
We failed to get it working in either Ubuntu or Mint, so can’t comment any further on what it's like in use. Others may have more luck. Somewhat concerning, however, is that AV-Comparatives found that Comodo software only detected 77.6% of its test viruses, placing it 10th from last out of the 250 antivirus products tested.
Comodo Antivirus for Linux is available as a .rpm or .deb package for most popular distros.
While we have included a summary of the main antivirus options for Linux for the sake of completeness, we do not feel they are needed (and running them on your system may even be counterproductive).