I have always heard not to use antivirus on Linux, but I saw the post about a guy getting a RAT exploit backdoored through Wine, and it had me thinking: should I be using ClamAV or some other antivirus for Linux?

  • user28282912@piefed.social · 17 points · 16 hours ago

    Ignore the idiot posting about this RAT.

    If you want to secure your Linux system, use ClamAV, a local firewall like UFW or even OpenSnitch for a start. Also use your head when adding apps to your system. Stick to the official repos from your distro. Things like Arch’s AUR, random PPAs in Ubuntu and any random GitHub project are going to be much riskier by their very nature, so act accordingly.

    If you need to do risky stuff, do it in a VM and network that guest into a private internal network that can only exit over a companion pfSense VM that is dual-homed to the regular LAN and the private internal network. Take a snapshot of the risky guest before you use it in a session and, when you are done, roll back to your clean snapshot.

    Store your passwords in something like KeePass (strong master password!) and then use Syncthing to push copies of the database to at least one other box locally, or in the cloud if you really have to.

  • villainy@lemmy.world · 59 points · 22 hours ago

    The person posting about a RAT is either unwell or trolling, dumping paragraphs of nonsense and screenshots that don’t actually show anything. Don’t let it get to you.

    You can run ClamAV if you feel you need to, it’s fine. Install packages using your distro’s package manager. Don’t install random binaries or package repositories until you understand where the software is actually coming from. Job done.

    • FauxLiving@lemmy.world · 18 points · 21 hours ago

      The person posting about a RAT is either unwell or trolling, dumping paragraphs of nonsense and screenshots that don’t actually show anything.

      The second that they claimed to be able to detect data exfiltration via WireGuard is what lost me (even script kiddies use encryption; advanced attacks would exfiltrate data in DNS requests or some other exotic method). That, and they were not describing a malware infection but an active attack by a person/people who were able to determine what steps OP was taking and react.

      Also, if you think your system is compromised, the first thing you do is remove power from the infected machines; you don’t use them to try to determine what is wrong (when the attacker could have just corrupted your tools, or replaced the kernel with one that lies about syscalls, etc.).

  • MonkderVierte@lemmy.zip · 21 points · edited · 20 hours ago

    First off, what is generally understood as “AV” are whole bloated suites that surveil your browser usage, downloads, background processes, IP traffic, etc. They are not only over-the-top, often annoying with false positives (“I still exist, notice the good product!”), always a privacy nightmare and more often than not a mix of security theater and snake oil, but also a gaping security hole, because they need elevated privileges to do their tasks and are at the same time hastily cobbled-together software ruins that do dangerous tasks like decoding media.

    While the professional “AV” is applying security practices and in some cases (like spam mails) running a heuristic AV scanner over it.
    You can of course do that on desktop too; I’ve set up a ClamAV cron job for my dad’s peace of mind. But keep in mind that the heuristics are always a step behind: don’t trust them blindly.

    And btw, Firefox at least has scanning of downloads enabled by default now (with a local list, no privacy risk). Chromium too?

  • SayCyberOnceMore@feddit.uk · 4 points · 15 hours ago

    It’s not about AV. It’s about vulnerabilities.

    AV just uses (often multiple) vulns to do something, and with closed-source systems you can’t fix it yourself, so you need an application to do it for you.

    AV is a block-list approach… it always needs updating, even for things you don’t have. Linux can operate with allow-lists, so only the apps you have can execute.

    Plus firewalls (outbound as well as inbound), SSH, secure package repos, etc.

    You don’t need AV, but you can have it if you want it (maybe for file-less, memory-resident stuff).

    But, yeah, that other post was just mayhem.

  • sylver_dragon@lemmy.world · 5 points · 18 hours ago

    While I don’t know the specific post you are referring to, malware exists for Linux. Here’s a great overview from last year. If someone wants to argue, “oh, it’s from a security company trying to sell a product,” then let me point you at MalwareBazaar and specifically the malware tagged elf. Those are real samples of real malware in the Linux-specific ELF executable binary format (warning: yes, it’s real malware, don’t run anything from this site). On the upshot, most seem to be Linux variants of the Mirai botnet. Not something you want running, but not quite as bad as ransomware. But dig a bit and there are other threats. Linux malware exists, it has for a long time, and it’s getting more prevalent as more stuff (especially servers) runs on Linux.

    While Linux is far more secure than Windows by design, it’s not malware proof. It is harder for malware to move from user space into root (usually), but that’s often not needed for the activities malware gets up to today. Ransomware, crypto miners and info stealers will all happily execute in user-land. And for most people, this is where their important stuff lives. Linux’s days of living in “security through obscurity” are over. Attackers are looking at Linux now and starting to go after it.

    All that said, is it worth having a bloated A/V engine doing full on-access scanning? That depends on how you view the risk. Many of the drive-by type attacks (e.g. ClickFix, fake tech-support scams) heavily target Windows and would fail on a Linux system. The malware and backdoors that come bundled with pirated software are likely to fail on a Linux system, though I’ll admit to not having tested that sort of thing with Wine/Proton installed. For those use cases, I’d suggest not downloading pirated software. Or, if you absolutely are going to, run those files through ClamAV at minimum.

    Personally, I don’t feel the need to run anything as heavy as on-access file scanning or anything to keep trawling memory for signatures on my home systems. Keeping software up to date and limiting what I download, install and run is enough to manage my risk. I do have ClamAV installed to let me do a quick, manual scan of anything I do download. But, I wouldn’t go so far as to buy A/V product. Most of the engines out there for Linux are crap anyway.

    Professionally, I am one of the voices who pushed for A/V (really EDR) on the Linux systems in my work environment. My organization has a notable Linux footprint and we’ve seen attackers move to Linux based systems specifically because they are less likely to be well monitored. In a work environment, we have less control over how the systems get (ab)used and have a higher need for telemetry and investigation.

    • Ooops@feddit.org · 3 points · 17 hours ago

      it’s getting more prevalent as more stuff (especially servers) run on Linux […] Linux’s days of living in “security through obscurity” are over

      Servers are primarily running Linux for decades. So any security through obscurity would be gone for as long, if it even existed ever…

      though I’ll admit to not having tested that sort of thing with Wine/Proton installed

      The more primitive, the better the chances. And there are some really primitive cases of ransomware perfectly happy with running through Wine and encrypting your files. So limiting Wine’s file access (or, better, running it as a separate unprivileged user with no access to anything but your games) is always a good idea.

  • flatbield@beehaw.org · 9 points · edited · 20 hours ago

    Antivirus is not the be-all and end-all. I do not specifically have AV installed and have had 0 issues over the past 26 years of Linux use.

    On the other hand, I do only install software from trusted sources. I keep my system updated. I do scan things with VirusTotal if there is a question. I have Wine installed but not the .exe handler. I have a firewall. I do sometimes harden my systems and use security scanners to help with that. Probably the biggest attack vectors are email attachments and the web browser. I am careful about attachments. In the browser I use uBlock Origin at a minimum. I segregate sensitive things too, so even compromising my general user account would not be fatal. I also have good offline and offsite backups.

    As for AV-like stuff, I do sometimes install ClamAV or a rootkit scanner and sometimes do a manual scan, but have never found anything. Same with my IDS. My WS, for example, has Tripwire, but not all my systems do, and I have never found anything.

    My point, really, is that I view security as more about process and defense in depth than AV specifically. Keep in mind that AV introduces attack vectors too.
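The Tripwire/IDS approach mentioned in the post above is allow-list thinking applied to files: record what the system looked like while it was trusted, then report anything that differs. The script below is an added example of that idea, not the poster's setup or Tripwire's own code. It hashes every regular file under a directory with sha256sum, writes a baseline, and later classifies each difference as ADDED, REMOVED or MODIFIED (comparing by path, so a changed file is one MODIFIED line rather than a removal plus an addition). It assumes GNU coreutils and paths without whitespace; the function names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal file-integrity baseline in
# the spirit of Tripwire. Take a baseline of a directory tree while you
# trust the box, keep that baseline somewhere the box cannot rewrite, and
# later diff the tree against it. Assumes GNU coreutils (sha256sum, find);
# paths containing whitespace are not supported. Function names are made up.
set -eu

# Print "sha256  ./relative/path" for every regular file under DIR.
hash_tree() {
    ( cd "$1" && find . -type f -exec sha256sum {} + )
}

# make_baseline DIR OUTFILE
make_baseline() {
    hash_tree "$1" | LC_ALL=C sort -k 2 > "$2"
}

# verify_baseline DIR BASELINE
# Prints one "ADDED|REMOVED|MODIFIED path" line per change and returns 1
# if there were any; returns 0 (and prints nothing) when the tree matches.
verify_baseline() {
    dir=$1; base=$2
    cur=$(mktemp)
    hash_tree "$dir" > "$cur"
    # Compare by path, not by whole line, so a changed hash is reported as
    # MODIFIED rather than as one removal plus one addition. FILENAME (not
    # the NR==FNR idiom) tells the inputs apart even if the baseline is empty.
    changes=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
                            { cur[$2]  = $1 }
        END {
            for (p in base) if (!(p in cur))  print "REMOVED " p
            for (p in cur)  if (!(p in base)) print "ADDED " p
            for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED " p
        }' "$base" "$cur" | LC_ALL=C sort)
    rm -f "$cur"
    [ -n "$changes" ] || return 0
    printf '%s\n' "$changes"
    return 1
}

# Usage: ./integrity.sh baseline DIR FILE   |   ./integrity.sh verify DIR FILE
case "${1:-}" in
    baseline) make_baseline "$2" "$3" ;;
    verify)   verify_baseline "$2" "$3" ;;
    "")       ;;   # no arguments: only define the functions
    *)        echo "usage: $0 baseline|verify DIR BASELINE" >&2; exit 2 ;;
esac
```

The baseline is only worth something if an intruder cannot rewrite it, so keep it on the offline backup or read-only media rather than on the machine it describes, and, per the earlier comment about attackers corrupting tools or the kernel, run the verify step from a known-good environment (a live USB with the disk mounted) rather than trusting the possibly compromised host's own sha256sum. Tripwire additionally records ownership, permissions and inode data; this example tracks content only.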

  • bad_news@lemmy.billiam.net · 6 points · 20 hours ago

    If that RAT post was real, it was done by pros, and it would be a miracle alone if a definition for their trojan was in ClamAV, which never has bleeding-edge definitions. If you’re actually concerned about that kind of thing, running Wine in its own limited-permissions user account (or not at all) is going to be better protection than relying on AV definitions.
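Two replies above (Ooops's, and the one just before this) recommend the same thing: run Wine as a separate unprivileged user so that a Windows binary can only touch that account's files. The script below is an added example of that setup, not either poster's own configuration. It creates a dedicated account, makes both home directories mode 700, grants that one local user access to the X display (instead of a blanket xhost +), and launches Wine through sudo with a clean environment. It assumes Linux with GNU coreutils (stat -c), sudo and an X11 session; the account name winebox and the function names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): run Wine as a separate, unprivileged
# Linux account so a Windows binary (or ransomware that runs fine under
# Wine) can only reach that account's files, not your real home directory.
# Assumes Linux with GNU coreutils (stat -c), sudo, and an X11 session
# (xhost); the account name "winebox" and the helper names are made up.
set -eu

WINE_USER="${WINE_USER:-winebox}"
WINE_HOME="/home/$WINE_USER"

# check_private_dir DIR UID: succeed only if DIR exists, is owned by the
# numeric uid UID and has mode 700 (no group/other access at all).
check_private_dir() {
    dir=$1; owner=$2
    [ -d "$dir" ] || return 1
    [ "$(stat -c '%u' "$dir")" = "$owner" ] || return 1
    [ "$(stat -c '%a' "$dir")" = "700" ]
}

# One-time setup, run as root: create the account, lock down both homes.
setup_wine_user() {
    id "$WINE_USER" >/dev/null 2>&1 || \
        useradd --create-home --shell /usr/sbin/nologin "$WINE_USER"
    chmod 700 "$WINE_HOME"
    mkdir -p "$WINE_HOME/games"
    chown "$WINE_USER:" "$WINE_HOME/games"
    # Your own home must be unreadable to the wine account as well.
    me=${SUDO_USER:-$(id -un)}
    chmod 700 "$(getent passwd "$me" | cut -d: -f6)"
}

# run_in_winebox PROGRAM.exe [args]: grant the X display to that local user
# only (never "xhost +"), start from a clean environment (-H plus env) and
# keep the Wine prefix inside the jailed home.
run_in_winebox() {
    check_private_dir "$WINE_HOME" "$(id -u "$WINE_USER")" || {
        echo "refusing to run: $WINE_HOME is not a private directory (run setup first)" >&2
        return 1
    }
    xhost "+SI:localuser:$WINE_USER" >/dev/null
    sudo -u "$WINE_USER" -H env \
        DISPLAY="${DISPLAY:-:0}" \
        WINEPREFIX="$WINE_HOME/.wine" \
        wine "$@"
}

# Usage: sudo ./winebox.sh setup ; ./winebox.sh run /home/winebox/games/app.exe
case "${1:-}" in
    setup) setup_wine_user ;;
    run)   shift; run_in_winebox "$@" ;;
    "")    ;;   # no arguments: only define the functions
    *)     echo "usage: $0 setup | run PROGRAM.exe [args]" >&2; exit 2 ;;
esac
```

Put the programs you want to run under /home/winebox/games (owned by winebox) rather than in your own home, since the whole point is that the wine account cannot read your files. A sudoers line such as `alice ALL=(winebox) NOPASSWD: /usr/bin/wine` (alice being a placeholder for your own account) avoids a password prompt per launch. Audio and Wayland need extra plumbing, because the PipeWire/PulseAudio and Wayland sockets live in your own XDG_RUNTIME_DIR, which the wine account deliberately cannot reach; X11 via xhost as shown is the simplest case. The isolation is only as good as the file permissions, which is why run_in_winebox refuses to start if the jailed home is not actually mode 700.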

  • iByteABit@lemmy.ml · 7 points · 21 hours ago

    Quoted from the Arch wiki:

    The current situation of anti-malware products on Linux is inadequate due to several factors:

        - Limited Variety: Compared to Windows, there are fewer users/clients resulting in limited interest for companies to develop products for Linux.
        - Complacency: Many believe Linux is inherently secure, leading to a lack of awareness and focus on malware protection. This creates a gap in proactive defense mechanisms.
        - Lack of Features: Existing tools often lack advanced features which are common in Windows anti-malware products, making them less effective on Linux.

    This is especially bad because the amount of malware on Linux is increasing just as the possible attack surface due to the increasing number of Linux-based servers and IoT devices. Currently on Linux one of the few existing and actively developed anti-malware solutions is ClamAV.

    There is no inherent mechanism that makes your system secure against viruses just because it’s Linux. This is mostly said because, Linux being a small percentage of desktop users, it’s not yet common for hackers to target Linux systems: it’s not worth the hassle when you can just target a much larger audience on Windows that is, on average, much less tech-literate too.

    But as Linux popularity grows, viruses will start popping up on Linux as well, so it’s never a bad idea to use ClamAV. You are already more protected when you use package repositories instead of downloading executables from websites like you do on Windows, and Linux has better file system permissions, but you still need to be careful what you’re downloading and running.

    • MonkderVierte@lemmy.zip · 6 points · edited · 20 hours ago

      It also applies some security practices by default, like files not being executable by default and MIME type detection of files (no document.pdf.exe), which does make a Linux desktop safer.

      And safety is always a compromise with practicability. For example, linux-hardened.

      But sure, there’s always room for improvement.

  • bizdelnick@lemmy.ml · 6 points · 21 hours ago

    Antivirus won’t protect you if you run everything you find on the internet. You need to be smart enough to avoid cracking. But if you are smart enough, you don’t need an antivirus.

  • mmmm@sopuli.xyz · 5 up / 2 down · edited · 22 hours ago

    I have always heard not to use antivirus on Linux

    I’ve never heard anything like that, and if it’s true it’s really bad advice, to be honest. It’s not that you shouldn’t use an antivirus on Linux, but an extra layer of security is not bad, because shit happens, and with its popularity increasing Linux can face security challenges in the future.

    Still if you know what you’re doing you can do just fine without an antivirus.

      • FauxLiving@lemmy.world · 1 point · 21 hours ago

        Antivirus popularity is a bit paradoxical.

        If something is good then it becomes popular, and once it is popular malware developers add specific testing for that specific AV software, so it becomes less good over time.

        • Liketearsinrain@lemmy.ml · 1 point · 16 hours ago

          This is half true: malware may target it and look for weaknesses in it, but the vendor responds faster too. And it is rare for a lot of time to be spent by “common” malware authors, since most countermeasures are defeated quickly.

        • Spice Hoarder@lemmy.zip · 2 points · 20 hours ago

          I think what OP means is whether there are any that have a clear technological advantage. Every Windows computer comes with Defender these days, but it’s still helpful at detecting malware.

          Wearing a condom isn’t a 100% guarantee to prevent pregnancies, but that doesn’t mean to just raw dog it every time.