Besides the good points you make in post 125 this is another good reason.

I tried to educate myself again on that debatable subject, does Linux have malware/viruses, and would it benefit from AV. I wasn't even sure are there other AV products for (home) Linux other than ClamAV, and I've gotten the impression ClamAV looks for Windows viruses so you don't send them e.g. as email attachments to Windows users.

These two 2024 articles contradict each other, one claiming AV is pretty much useless on Linux, while the other claims the opposite:

https://www.zdnet.com/article/do-you-need-antivirus-on-linux/
https://www.security.org/antivirus/best/linux/

The first article doesn't start too strong by using a weak argument that he hasn't encountered a Linux virus for 30 years (anecdotal evidence), but goes on to point out why he thinks that is.

The other article flat out claims "yes there are viruses in Linux and you need AV against them", but then I am unsure if that is a sales pitch or the truth. That article lists some Linux AV products, unclear to me if they will detect mainly Windows malware, or also malware specifically made for Linux. Maybe the user that really wanted AV for Linux should be introduced to that article, and the list of Linux AV products he is free to buy and use:

Bitdefender Antivirus - Best for Small Businesses
Avast Antivirus - Best for File Servers
ESET Antivirus - Best for Personal Use
Kaspersky Antivirus - Best for Mixed Platform IT Solutions

So problem solved, go nuts and purchase all those four AV products?

EDIT: That second article also contradicts itself a bit. First it claims that Linux has virus and malware and needs AV and the people on reddit who claim the opposite are stupid asshats... yet in the ESET review they go to claim:

"Linux is less vulnerable to malware than Windows...", without even explaining the reasons for that argument. In what way is Linux less vulnerable? But still vulnerable enough that one should definitely run AV on Linux?

If there really are Linux viruses out there which are spreading, I presume someone has a database of them, with descriptions how they operate? I would love to read such a database of Linux viruses. Are there viruses that run in Linux computer's memory without me knowing about them, and they keep stealing my bank account details and passwords, and they get activated every time I reboot my Linux computer?

Of course I guess it also depends how one defines malware? If someone sends me an executable shell script with the line "sudo rm -rf /", is that malware that AV should detect? Certainly it will cause me lots of trouble in case I run it.

Others read those Reddit posts, not finding good relevant examples (I didn't read them), but I thought I would just chime in and say that you don't have to go too far to find signs of this gatekeeping and elitism.

There is literally this thread here on GOG forums

https://www.gog.com/forum/general/i_ditched_windows_in_favour_of_linux

I know it seems like snarkiness, but it's in earnest. At least, I'm fairly sure.

This certainly happens out there, but really - does it represent more than a vanishingly small and vocal minority? I think so. Most people realise that nothing is going to happen to their precious distros if more Windows users jump ship. And if they do somehow "demand" changes with pitchforks, there will pop up a new distro to cater for the old farts, because freedom.

Maybe it is my lack of imagination then, but I just somehow have hard time understanding someone going like:

- "God damn that's it! I'm done with Windows. So how's that Linux thingie then I read somewhere, could I possibly switch to it?"

- "Yikes! Wikipedia lists several dozen Linux distros, and apparently they can have different GUIs too?!? This is just too much to bear. Back to Windows, now! Everything is forgiven, I love you Windows."

- "I can't possibly try Linux with so many available options because i'd have to first extensively go through each of them, learn them inside out, and only then make an educated guess which one to choose, maybe having to make an Excel chart listing all the good and bad findings in them."


I mean, it is still not some kind of life-long commitment. For some reason it didn't take much for me to just jump in to the first Linux distro I heard, test it out, and then either stick to it or maybe try something else. Especially when they can be tested even as virtual machines in e.g. VirtualBox, or as bootable USB sticks (without installation), or that one web page someone linked where you can test different distros online.

This is what i'm getting at, our own experiences aren't always indicative of how others might react and not everyone is like you or me who might be able to jump into something like a new OS easily. A good portion of the masses are more likely to either go it alone and end up thinking 'all the choices make my brain hurt, i'll just stick with what i'm using' or they'll get a few suggestions and somehow still be overwhelmed.

Now i'm not trying to say all the masses will be like that or that choice paralysis is the only reason or even the biggest reason why people don't adopt linux more readily, but imo it is still a sizable reason alongside the rest.
Given that some can't even pick new options easily when going out to eat or shop for groceries, I don't doubt some think like this.

Yeah it's a deep topic and I wouldn't expect a google search to bring a good take on it.

But yes, there is malware for Linux without any doubt.

The question is, how does it get on your system in the first place? And then how does it get to run? What makes it persist?

I think the historical argument is that if your security practices are up to date, then malware isn't getting on your system in the first place, or it will not be able to do much damage:

- You only download software from trusted sources. Packages are signed to prevent tampering. Your web downloads use TLS.

- Your software is up to date. Known exploitable holes have been patched. Simply using software won't put you at risk.

- You're not prone to social engineering. You're not going to open and execute a shady attachment from your boss. You're not going to pick up a random USB flash stick lying on the library desk and stick it in your computer.

- You run most applications as unprivileged user, not as root. Malware won't be able to install itself onto your system and hide its presence.

- You don't leave your device unattended where a malicious party could tamper with it

But of course we know that this kind of thinking is full of holes. "Trusted" sources could be compromised. Your software is as up to date as it is... between an exploitable hole making it to software and the update to fix it reaching your sytsem, there could be a huge window of opportunity for exploitation. And it may not be an attempt at social engineering but someone you know could give you malware unknowingly. Running applications as unprivileged user may not prevent the malware from using your computer to mine bitcoin, steal your ssh key, possibly log keystrokes or capture the screen (Wayland should make that less of an issue), etcetera. Plus, local escalation vulns are relatively more common and easier to exploit than remotely holes.

So how could one possibly know that they have not been compromised? There's really nothing in on the system that would alert you to a compromise afterwards. You might notice, if the malware behaves weird. You may not notice.

I think that if you do everything right, the risk is small. Small enough that I don't mind taking it; AV isn't perfect either. I would be OK running Windows without AV too (if I was OK with running Windows in the first place).

However, the world at large is full of people who simply don't know how to stay secure. People who will download and run whatever from shady sites, on outdated systems. People who click that link in their email where the Nigerian prince promises a fortune.. and yes, gamers who download mods and trainers and other arbitrary user-uploaded content scattered round the internet.

I'd say right now the likelihood of such a thing containing Linux-targeting malware is pretty small, but it wouldn't exactly be hard to pull it off if someone wanted to do such a thing. I'd say there are more lucrative targets (servers, routers, IoT), but I also think it's only a matter of time until somebody decides to target desktop Linux in this manner. Yea, horrible articles all around. Me too! And that's why AV really should be a last resort after every other security mechanism has been exhausted. I also think that's why the Linux community at large hasn't really warmed up to AV, even though the security mechanisms aren't exactly there yet, or at least not consistently applied.

AV could apply heurestics to try and guess what's malicious behavior, but that is very expensive and not reliable, plus it causes false positives. It can detect known malicious files, but it becomes a cat and mouse game where malware keeps getting mutated to try and avoid detection.

A much better approach is to have a security model where applications can't just do whatever they want -- for example, there should probably be no reason for any game ever to read my ssh keys, and they probably should not be able to log keyboard events unless the game's window is focused -- but it does take some setup to get there and it will inconvenience users, and there will be annoying permission prompts, and then you'll be annoyed at having to figure out *why* the application is requesting permission for such and such and such..

But you'd probably still need AV for the idiots who grant permissions to anything and everything.

So I'd say it's less a question of does Linux need AV, and more a question of does the user need AV? Unfortunately, I think the answer is that some users will need AV :(

You may notice that the security.org article specifies that out of those four Linux AVs only one is for home use, the others are for servers. And that one for home use is no longer available, so the article is awfully outdated. ESET was the one major AV that had a Linux version for home use (but only AV, not a security suite, the higher tiers, with firewall and other functions, didn't have a Linux version), but they discontinued it in 2022.

And, again, the discussion about a need for security software is besides the point. If someone wants one (*raises hand*), they want one. Maybe for a sense of security, which is a feeling, doesn't respond to arguments. Maybe to have a single piece of software to use for system monitoring and control, not necessarily for security purposes. Probably both, and maybe more than that.
And besides, as Linux market share grows, it becomes a more interesting target for malware makers too, and they'll find ways around the built-in security measures, I'm sure.
You were seeing someone who said that it was "a hard requirement" for them to have a good AV to make the switch and won't take any chances otherwise and people telling them they shouldn't want what they want. The OP made their stance perfectly clear, if they are to switch, they must use something like that, so the valid answers would have actually answered the question, saying what to use, not tell them to stop wanting what they want.
Admittedly, I read the other thread first, where someone is asking how to make a system image backup on Linux while the system is running, like you can so easily do on Windows, and they're told it can't be done and that it must be a language barrier problem if they don't get it that it's just how Linux is and, more notably, that it's not a problem or something that Windows does better, when it so obviously is. So seeing that reply that you quoted in that other discussion was pretty much the last straw, but the general attitude is the same there too, and I already explained above what the problem is. The OP asked a clear question and stated very firmly that they need that to switch, yet they're told they shouldn't. Well, they do, so any argument to the contrary is quite literally a "your kind isn't wanted".
Exactly.
I don't find prompts annoying, I find them necessary, don't want software to make decisions for me. And in that sense Comodo's HIPS is a great approach for me, it monitors quite a bunch of things a program may do and if it's not trusted it will warn and prompt. It doesn't scan it against some definitions list, it doesn't try to determine whether the action is malicious or not. (At least in the free firewall, assume the AV also scans and the suite does even more, but I don't have those, and the version of CFW I have is very old anyway.) It just monitors and lets you know, then you can say whether you want to allow it or not, and whether to create a rule of not. And that makes it a very nice system monitoring and control tool, doesn't have to do with security. I mean, hell, I can count the malware I had on any computer I used on the fingers of one hand, and I believe a single piece of it actually was active, but using security software to monitor what's going on and, often, stop programs from doing things I just don't want them to do, even if for no other reason than just because I don't? That's on a daily basis, to not say actually constant basis...

Any idea why they stopped offering a Linux version? Some technical reason, their Linux virus database was empty, or just because no one was willing to buy it?

Also why do you feel such AV should have firewall functionality as well? For what specifically, e.g. to limit connections from your PC to the world, not the other way around? Isn't the existing firewalld or ufw in Linux enough?

I am genuinely trying to find out is there a real need for AV software on Linux, are the virus and malware on Linux that such software would stop, etc. For instance, does anyone keep a database of such Linux malware so that one can see how many viruses and malware there are specifically for Linux, and how they are supposed to operate, what are their attack vectors etc.?

Is there even a theoretical possibility in Linux e.g. that you get an email with an attachment disguising as a Word file, or a link to a site, which suddenly infects your system with a malware and encrypts all your files and demands one zillion bitcoins to decrypt the files? (something I've seen first hand on infected Windows servers, for example; unclear to me though how exactly the malware got there, was it through some web server software exploit or what...). Or runs in the background every time I start the machine, logging all my keystrokes, passwords etc.?

Or is it in practice impossible to achieve on Linux because reasons x, y and z, e.g. because the way Linux handles file permissions and shit, and practically no one does their mail reading etc. as a root user (they might do it as a sudo user though)?

So what would you have told the person? Do you have some Linux AV suite in mind you would have recommended to him, or said that he should not use Linux at all because there are no AV suites for Linux (without analyzing whether there is a real need for such on Linux)?

Would you have possibly mentioned AppArmor and SELinux, to ease his mind? If not, why not?

https://www.techtarget.com/searchdatacenter/tip/Compare-two-Linux-security-modules-SELinux-vs-AppArmor

If it is the case there is no practical need for Windows-like realtime AV on Linux, to me insisting that there should be one is like insisting that he wants to use Linux, but doesn't want to touch command line (terminal) EVER, no matter what.

In such an instance, would it be preposterous and condescending to try to explain why such a requirement is not necessarily feasible (e.g. because of the wealth of desktop environments, and Linux installations without any GUI), and even rationalize to him why Linux instructions tend to be terminal commands, rather than Youtube videos or long illustrated web pages of how to do something in a GUI, like this over 12 minute video explaining how to change three (3) settings in Windows:

https://www.youtube.com/watch?v=zW69MisrsWk

So do you feel the main reason Linux users are "safe" for now is because they are not targeted, and after they are, they also get emails with fake Word documents that will encrypt their whole hard drive and steal their passwords with keyloggers? There are no technical reasons making viruses and malware on Linux overall just unfeasible?

Against my habits I am not being sarcastic here but trying to learn and understand this topic that never seems to get resolved, about the true need of AV in Linux, even in a theoretical level (ie. if Linux users were the main target of malware makers). Or is e.g. SELinux and AppArmor enough to thwart any such attempts?

I think you're reading too much into it.

One could simply say that -- as far as they are aware -- no such thing as what the OP Is asking for exists, and leave it at that. But that's a little blunt.

So most people are just trying to be a little more helpful when they explain that there is no need for AV. If anything, that's more a "you're welcome here, and don't worry about the AV." They may be wrong about whether AV is needed or not, but the intention isn't anything like "your kind isn't wanted."

Now replying to OP and calling them obstinate may be going too far, but I can at least see where they're coming from. It isn't a world where the customer is always right; sometimes things are done the way they are for a reason. Insisting that you absolutely must have something that millions of home and enterprise users live just fine without does sound a little obstinate.

It's even worse when you look at the argument: "I'm not taking that chance even if its only a .000001% chance on anything im putting my debit card and bank account on." This argument is effectively suggesting that with antivirus they are 100% safe and without AV they are not -- it's very black and white thinking, which does sound obstinate. The reality is unfortunately not so simple! Security is a product of so many things, and that's why you can use a computer for decades without getting a single virus, and you can also use a computer with AV and still get compromised. And by using Windows, which is vastly more targeted by malware than Linux is today, they are already taking a big chance. Insisting that AV is the make all, break all thing really does sound rather obstinate!

I wonder what kind of welcome I would get from a windows users' forum if I insisted that I absolutely need a specific feature from BSD or Linux before I can switch to Windows...

I know AV vendors have their own databases, but I don't know which ones to look for to find a comprehensive one.

If you want to spelunk, you could start here: https://en.wikipedia.org/wiki/Linux_malware#Threats Yes, but existing ransomware overwhelmingly focuses on servers, not desktops. So they are more likely to spread through a hole in some server software or a CMS or such. No, there is no such defense. Running as an unprivileged user helps less than people think, especially when it comes to protecting your personal files. I mean.. you don't chown your secret porn stash to root, right? What's owned by root is the OS, which is all files you can get from the package repositories any time you need. Plus some config files -- not a huge deal.

If a piece of malware gets to run with your user privileges, chances are they can lock anything you care about. All the files you don't get from the repositories just by reinstalling your OS... all your ssh keys, downloads, photos, documents, whatever you might care about.

And then, local privilege escalation vulnerabilities are a thing on Linux too. Malware for Linux exists in practice, so it is not merely a theoretical threat. SELinux and AppArmor just a few entries in the sea of security features, none of which are a silver bullet.

A fresh Linux user (2nd day after switching) lamenting about having to use terminal in Linux "for everything":

https://www.youtube.com/watch?v=I5uO4ZzZWr4

It's tough, I know, but overall he seems to enjoy it so far.

Then they are simply using it wrong (it’s not against them, it’s expected to make errors when we are new to something).

I do use the terminal a lot, because it is my preference. But the distributions I tested can be used fully without even opening a terminal even once. I suspect this is the case of most of the Linux distributions that target desktop use.

Too few buyers, apparently. Which makes me wonder what they expected, considering the Linux market share and the attitude of Linux users regarding security software, but they did keep it around for many years before ending it. The basic antivirus was a single piece, Win/Mac/Linux, then they removed Linux.
Expect incoming connections to be blocked as a rule, though I should be able to easily allow specific programs to open certain ports if/when I'd need something like that, and reverse that change immediately as soon as it's no longer needed.
So it's for control and monitoring of outgoing connections. Won't have any program connect without me specifically allowing it to, but want to know what it tries the moment it tries it, so no default-deny rule, it must be a prompt, so I'll see the moment it happens, see what tries to connect and where, and be able to decide whether to allow it or not and whether the answer should become a rule or it should only apply to that specific connection attempt and at the next one it should ask again.
I'm sure that Linux malware exists, but I for one don't even care about that when I'm looking for security software. On top of the sense of security it provides, I want a single piece of software to use for that kind of system monitoring and control, to allow me to make my system secure in the sense of ensuring that programs don't do what I don't want them to, regardless of whether someone else, somewhere, decides that it may be a malicious action or not.
I don't know! That's just the problem, I have the same questions, I've been having them all along, and actually asked them on the few occasions I worked up the courage to at least consider switching more seriously, getting that same kind of replies, which drove me back away running.
I just want to be able to make the switch pretty much since Win 10 launched, but there are those stumbling blocks, an application-level Linux firewall for outgoing connections that prompts, the behavioral monitoring and control that CFW has on Windows, some AV too that checks on-line stuff in real time and allows on demand scanning locally (local real time / on access scanning isn't exactly useful, I always scan every file, no matter how trusted the source, as soon as I download it, or before copying it if it comes from a removable drive), and also hardware support with the proper tools (audio chipset, mouse, UPS... they may be third party, but I must be sure they work properly and won't get abandoned in that case). And there is also the system backup while system's running issue, seeing as I will not reboot unless there's a problem, at which point I obviously won't want to make a backup anyway, so if you can't make a system image with the system running I'll go from a backup per month which has been my rule basically since the HDD failure from 2007 to never backing up again, which would be a real problem.
So, again, that's the question, what to use, without any discussions about the "need" for it. They're hard, non-negotiable, requirements.
The main reason, yeah. Otherwise, it may be more difficult, but it's hardly impossible to target a Linux system. There's no such thing as unbeatable security, and the weakest link is always the user anyway, as clarry also pointed out. But when it's immensely more lucrative to target Windows and it is also easier to do so, why bother with Linux (at least with the home use variants)? If/when Linux users will become a large enough target, it'll start being worthwhile to go through the trouble of defeating its security on a larger scale too.
It literally is saying precisely "your kind isn't wanted", because they say (and so do I) that it's a hard requirement. So those for whom it is a hard requirement aren't wanted.
And those enterprise users have options, it's the home users that don't. On which point, there are also probably a billion Windows home users who don't use 3rd party securty (saw a report these days saying that a slight majority just use the built-in stuff). And in case of the home Linux users that don't, you are talking about existing Linux users, a tiny percentage out of total PC users, and definitely not those who'd be interested in switching from Windows, so they're not of the mindset of existing Linux users.

I don't think you understand what "literally" means. You're just reading whatever you want into it, and you are putting words in someone else's mouth, words they never said. And you choose to read it in a very negative way, without giving your fellow human the benefit of the doubt, nor do you try to understand their viewpoint at all.

You want this and that, and you don't accept any alternatives, you don't accept any discussion, you don't want to negotiate. If someone is trying to offer you an alternative, you consider them hostile. Where does this kind of entitlement come from?

That kind of extremely disrespectful attitude just makes it harder for me to find fault with the Linux community. If anything, it's more negative air coming from the people making demands and then throwing accusations at the community.

Yes indeed, if that is your attitude, if that's how you treat people who try to offer a solution, then I hope your kind stays on the other side. I guess you can pay Microsoft to give you exactly the answers you want without any discussion. They give you exactly what you want, right? Why even look at Linux then?

Windows hasn't been what I wanted or needed at all after 7, any newer version is completely unusable as far as I'm concerned. At the same time, based on this, it seems quite obvious that the same is true for Linux, eh?

But do tell, what's the negotiated middle ground between having a proper Linux security suite and doing without, or between keeping the system always on and still being able to do full system backups and not being able to do that at all, or between being able to for example configure your gaming mouse or maybe use power control and monitoring tools for the MB or UPS and not being able to?
Edit: Now in case of the hardware support, if the answers would have been along the lines of there's no native Linux version but the Windows version works on Wine/Bottles/whatever and here's how, or there may be no native Linux version from the manufacturer but there's a current, maintained 3rd party Linux version with the same functions, absolutely, that's the sort of answers that someone asking those questions could look for. But this is somewhat past the topic here, since it was mainly about security software, and that definitely can't work unless native.
Edit 2: And in terms of security software, on one of these threads I got a reply from WinterSnowfall mentioning OpenSnitch, and now that I look I found where I had been told about it before, also here, by rojimboo (linked to the clarification post). And then there were the mentions, even here, about AppArmor or SELinux, and while at a glance it definitely looks to me that you really don't want a new user to use SELinux because they'll almost certainly mess things up, discussions about how to pair AppArmor with some sort of AV, even ClamAV if that's all there is, and configure and use them properly, to get close to what someone was used to having on Windows, would be the sort of discussions that would make sense, probably.

Are you surprised that people who may be considering switching are looking for something that offers them at least the positive things that they used to have, and preferably something even better, to be worth the trouble of learning a new system?

So, yeah, what I was saying about reasons people don't switch. When someone may consider giving it a go, they need assurances. And those who may just be open to it need even more, to be actually persuaded that they'll find what they want. That, or this, sort of answers are anything but.