I have always heard not to use antivirus on Linux, but I saw the post about a guy getting a RAT exploit backdoored through Wine, and it had me thinking: should I be using ClamAV or some other antivirus for Linux?

  • villainy@lemmy.world · 1 month ago

    The person posting about a RAT is either unwell or trolling, dumping paragraphs of nonsense and screenshots that don’t actually show anything. Don’t let it get to you.

    You can run ClamAV if you feel you need to, it’s fine. Install packages using your distro’s package manager. Don’t install random binaries or package repositories until you understand where the software is actually coming from. Job done.

    • FauxLiving@lemmy.world · 1 month ago

      The person posting about a RAT is either unwell or trolling, dumping paragraphs of nonsense and screenshots that don’t actually show anything.

      The second that they claimed to be able to detect data exfiltration via WireGuard is what lost me (even script kiddies use encryption; advanced attacks would exfiltrate data in DNS requests or some other exotic method). That, and they were not describing a malware infection but an active attack by a person/people who were able to determine what steps the OP was taking and react.

      Also, if you think your system is compromised, the first thing you do is remove power from the infected machines; you don’t use them to try to determine what is wrong (when the attacker could have just corrupted your tools, or replaced the kernel with a kernel that lies to syscalls, etc.).

  • MonkderVierte@lemmy.zip · 1 month ago (edited)

    First off, what is generally understood as “AV” are whole bloated suites that scan and surveil your browser usage, downloads, background processes, IP traffic, etc. They are not only over-the-top, often annoying with false positives (“I still exist, notice the good product!”), always a privacy nightmare and more often than not a mix of security theater and snake oil, but also a gaping security hole, because they need elevated privileges to do their tasks and are at the same time hastily cobbled-together software ruins that do dangerous tasks like decoding media.

    Professional “AV”, meanwhile, is applying security practices and in some cases (like spam mails) running a heuristic AV scanner over it.
    You can of course do that on desktop too; I’ve set up a ClamAV cronjob for my dad’s peace of mind. But keep in mind that the heuristics are always a step behind: don’t trust them blindly.

    And btw, Firefox, at least, has scanning of downloads enabled by default now (with a local list, no privacy risk). Chromium too?
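An added example (not from anyone in the thread) of the kind of scheduled ClamAV scan mentioned above: it refreshes signatures, scans a download directory, and logs a one-line verdict plus any matched files. It assumes the ClamAV package’s `clamscan` and `freshclam` are on PATH; the directory, log path and the sample output used for testing are constructed here.

```shell
#!/bin/sh
# Scheduled ClamAV scan of a download directory (added example).
# Cron line, assumed: 0 3 * * * /usr/local/bin/clamav-downloads.sh --run
SCAN_DIR="${SCAN_DIR:-$HOME/Downloads}"                       # assumed location
LOG_FILE="${LOG_FILE:-$HOME/.local/share/clamav-scan.log}"    # assumed location

# Pull the "Infected files: N" count out of clamscan's summary block.
# $1 is clamscan's full output; prints 0 when the summary line is absent.
infected_count() {
    printf '%s\n' "$1" | awk -F': ' '
        /^Infected files:/ { print $2; found = 1 }
        END { if (!found) print 0 }'
}

# clamscan exit codes: 0 = no virus found, 1 = virus(es) found, 2 = error.
verdict() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        *) echo "error" ;;
    esac
}

run_scan() {
    mkdir -p "$(dirname "$LOG_FILE")"
    # Update signatures first: a heuristic scanner is only as current as its database.
    freshclam --quiet 2>>"$LOG_FILE" || true
    out=$(clamscan --recursive --infected "$SCAN_DIR" 2>&1)
    rc=$?
    count=$(infected_count "$out")
    printf '%s %s %s infected=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$SCAN_DIR" "$(verdict "$rc")" "$count" >>"$LOG_FILE"
    # Keep the per-file lines so the log shows which file matched which signature.
    printf '%s\n' "$out" | grep ' FOUND$' >>"$LOG_FILE" || true
    return "$rc"
}

# Only scan when invoked with --run (as from cron); the helpers above
# can then be exercised on captured output without ClamAV installed.
if [ "${1:-}" = "--run" ]; then
    run_scan
fi
```

The script's exit status is clamscan's own, so a non-zero code from cron means either a match or a scanner error, and the log line says which.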

  • AgentBoom@lemmy.world · 27 days ago

    I think it all depends on your PC usage and if you have money to pay for an AV.

    • If you only browse the Internet, I suggest you get an AV browser extension/add-on + an adblocker.
    • Disable unnecessary permissions (especially notifications!).
    • Change your DNS to another that protects from malware (Cloudflare and Adguard have a special DNS for this).
    • Always delete cookies on exit.
    • If you frequently download files, you can scan them with VirusTotal and ClamAV.
    • When you want to execute a program you don’t fully trust, a VM or Firejail will let you run it without harming your real machine (good idea if you fear getting a RAT through WINE).

    I learned all of this using Windows, and you can adapt it to any OS. All of my recommendations are meant exclusively for security; keep in mind that some of them are not the best for privacy.

    But the only way to get full and annoying real-time protection with all the typical antivirus tools on Linux is paying for an AV subscription. Most AV suites for Linux are developed for servers; I’m not sure if an active plan for home users exists. Just remember, it all depends on your PC usage.