Is there a Linux virus

Linux and viruses - do you need a security tool?

Stephan Lamprecht

The threat situation with Linux is more than relaxed. Due to the architecture and its significantly lower distribution, virus developers have trouble with the system. But that doesn't mean that viruses don't play a role for Linux users.

EnlargeClam-AV is the most popular virus scanner on Linux.

Windows malware cannot harm or damage Linux. But of course they can also occur under Linux. Sooner or later, Windows viruses can also be found on a Linux NAS in a mixed network environment, which spreads to other clients when the infected file is retrieved. It is therefore advisable to regularly check Linux servers for viruses, provided that Windows computers are also accessing them.

Scan the Linux system regularly

The classic for this task is Clam-AV. The scanner is also offered for Linux. The program is available in the package sources of all known distributions and can be installed with just a few clicks. As with all virus scanners, the signature files must be updated regularly. This is done by a special program that you enter in a terminal using the command

call up manually. Usually, however, a daemon is installed and started that automatically looks for new signature files at regular intervals. Clam-AV is so flexible that there are a number of ways to automate and control scanning. Integration into your own applications is also possible. A look at the extensive documentation of the project, which also explains the numerous options when calling up functions, helps here. This is because the program can either notify the user about viruses it finds or move affected files.

EnlargeThe check with Clam-AV can be automated and is recommended if the system is used, for example, as a file server for Windows clients.

A quick and easy way to automate the process is to create a shell script, which simply consists of calling the program's function. You can then enter this script in the system's cron table at the desired interval. The call itself could then look like this:

In this case the software examines the folders "Directory1" and "Directory2" recursively (switch "-r"), including all subfolders. Every suspicious file is moved to the directory that you specify after "--move =". There is also a switch to automatically delete a file. However, you should be careful with this, as false positives cannot always be ruled out.

See also:The 11 best online scanners

Linux as a Windows helper

Linux is also the perfect support when it comes to examining Windows systems and taking the first steps in an emergency. At the latest when Clam-AV finds a virus on the Linux file server, it is mandatory to take a closer look at all Windows clients. The best thing to do here is to use a rescue system that many manufacturers of security solutions offer for download.

EnlargeOur Linux special system for Windows breakdowns can scan for viruses and rescue user files.

We also offer such a rescue system that you can use free of charge. The substructure of such systems and also this rescue system is a Linux that is run in live operation. With the independent emergency system, you can scan the Windows computer for viruses from an uncompromised source, save user files on other data carriers or carry out repairs if a Windows system no longer starts.

The procedure is similar for all data rescuers. You start the computer via DVD or USB medium. To do this, you usually have to change the order in the BIOS when starting the system or switch off Secure Boot. The live system will then ask you to select a WLAN if the computer is not connected to the Internet via Ethernet. The programs and virus signatures are usually updated afterwards.

In Linux, you can only access disks that are mounted in the Linux file system. This also applies to rescue systems. In order to specifically examine or edit the internal hard disk or, better still, a partition, you must first register the disk of the Windows computer. In the emergency system of the LinuxWelt / PC-Welt there is the bar symbol “Include hard disks”. With the additional button "Rescue tools" you can then reach several antivirus programs - in addition to Clam-AV, Avira or Sophos.

"Repair" is rarely successful

What if a virus is found? Most protection programs on the market promise to be able to repair a virus attack. The manufacturers define very differently what is meant by this repair. Often the corresponding file is only localized and automatically banished to a special directory ("quarantine"). If it is the executable file of a Windows program, it can no longer be started.

In our estimation, attempts to actually physically remove a virus from an infected binary file are rarely successful. Before embarking on dubious rescue operations, it is safer to completely rebuild the infected computer. This includes the complete formatting of the storage media, the installation of the operating system from a trustworthy source and the restoration of the saved user files from a backup.

You can also use the rescue system to copy important user files from the infected system to another data carrier and thus save them. The risk that Office, text and media files contain malware and that this is triggered by a software interpreter such as Excel, Adobe Reader or VLC cannot be completely ruled out, but it is very low.

Manual:All-round protection of the Linux server

Rootkits are dangerous for Linux

There is one threat scenario for Linux systems that you should take seriously. The root account is allowed to do everything under Linux and rootkits, the names of which have meanwhile become commonplace for similar malware threats to other systems, are collections of tools belonging to an attacker who successfully camouflage themselves from virus scanners. Such a rootkit gives the attacker the option of logging into the compromised system, monitoring network traffic or starting programs. Such kits, successfully installed on different systems, are often used for concerted attacks.

A program package that helps to detect such rootkits is "chkrootkit", which can be found in the package sources of all distributions. It is started in a terminal with root rights (sudo chkrootkit) in order to examine the system. To be sure that your own system and thus the chkrootkit program is not compromised, it is advisable to use chkrootkit from an independent live CD. The attacker may have camouflaged his rootkit against the software, so it can't hurt to get a second opinion with the rkhunter program, for example. This tool can also be obtained from the package sources in all distributions.