Linux antivirus and anti malware: 8 top tools

Malware and viruses on a Linux system? You weren’t operating under the illusion that using Linux meant you don’t have to worry about that, were you? Fake news!


Keeping Linux systems safe

By most estimates, more than 50 percent of web servers on the internet are running some version of Linux or a related *nix. That should be enough to drive home how critical it is to the ongoing success of the Information Age that you analyze, identify, and eradicate malware on or passing through your Linux systems.

Whatever flavor and size of Linux installation you are running — whether a single desktop or a server farm — it’s critical to pay attention to safety and security. In fact, you have to check not only for Linux malware, but also for passive malware that can infect Windows or Mac systems — or Android devices — before you become part of the problem.

We’ve pulled together this roundup of some of the very best malware protection and antivirus programs to help keep your Linux box firmly in the safe zone.


1. ClamAV

One of the most popular malware protection tools for Linux servers is the open source ClamAV. It is also available for Windows and Mac systems. 

ClamAV is powerful. Don’t confuse it with the associated program that does the smaller task of scanning email attachments. ClamAV does a lot more than that, and it’s actively under development, making it a strong competitor to commercial AV solutions.

Still, the challenge with any malware protection or antivirus software is keeping up to date: New threats, viruses, and sly exploits come out every day. It’s hard not to worry about the time elapsed between an exploit being identified and its signature appearing in the active version of ClamAV.

Much was made of a story a while back about ClamAV incorrectly flagging updates to Total Commander as a virus, but don’t let that dissuade you. All antivirus software has false hits. The bigger question is whether it misses active viruses. Few experts rate ClamAV as the best available solution, but it’s not bad for a basic Linux server. Its greatest benefit is that it’s open source. If your budget is nil, this is much better than living in blissful - but dangerous - ignorance.
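The signature-lag concern above is something you can at least monitor for. The shell function below is an added example, not part of the article or of the ClamAV project: it checks whether the signature database files that freshclam maintains (daily, main and bytecode, in either .cvd or .cld form) have been refreshed within a chosen window. The database directory and the window are arguments; the /var/lib/clamav default named in the comment is an assumption about a typical install.

```shell
#!/bin/sh
# Added example (not from the article or ClamAV): flag ClamAV signature
# databases that have not been refreshed within a given number of minutes.
# Assumes freshclam keeps daily/main/bytecode .cvd or .cld files in the
# database directory (commonly /var/lib/clamav; adjust for your distro).
# Uses find -mmin, which is available on GNU and BSD find.

# stale_signatures DIR MAX_MINUTES
# Prints "STALE: <file>" for each database file older than MAX_MINUTES
# and "NO-DATABASE: <dir>" if no database files exist at all.
# Returns 0 when every database present is fresh, 1 otherwise.
stale_signatures() {
    dir=$1
    max_min=$2
    found=0
    stale=0
    for name in daily main bytecode; do
        for f in "$dir/$name.cvd" "$dir/$name.cld"; do
            [ -f "$f" ] || continue
            found=1
            # find prints the path only when the mtime is older than max_min
            if [ -n "$(find "$f" -mmin +"$max_min" 2>/dev/null)" ]; then
                echo "STALE: $(basename "$f")"
                stale=1
            fi
        done
    done
    if [ "$found" -eq 0 ]; then
        echo "NO-DATABASE: $dir"
        return 1
    fi
    return "$stale"
}

# Demonstration on a constructed directory: one database file given an
# old timestamp, one fresh.
demo_dir=$(mktemp -d)
touch -t 202001010000 "$demo_dir/daily.cvd"
touch "$demo_dir/main.cvd"
if stale_signatures "$demo_dir" 1440; then
    echo "signatures within 24h"
else
    echo "signature database needs attention"
fi
rm -rf "$demo_dir"
```

Run it from cron or a monitoring agent with the real directory, e.g. `stale_signatures /var/lib/clamav 180`, and alert on a non-zero return; a database that stops updating is exactly the window in which a scanner quietly misses new threats.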


2. Sophos Antivirus for Linux

Sophos is a commercial anti-virus company that offers a free scanner utility. Sophos Antivirus for Linux uses the same scan engine as its popular Windows cousin to identify, isolate, and remove viruses, Trojans, and a variety of other malware.

More importantly, the program also detects, blocks, and removes Windows, Mac, and Android malware, which makes it an excellent choice for file servers. It even works with Web servers, NFS servers, or old FTP file servers. If you have a Linux system serving up files, it’s critical you scan them to ensure you haven’t become a distribution point for malware.

Sophos Antivirus for Linux is pre-compiled and ready to go for a wide variety of Linux distros, whether you’re talking about 32-bit or 64-bit configurations. Supported platforms include Amazon Linux, CentOS, Debian, Mint, Oracle, Red Hat, SUSE, Turbolinux, and Ubuntu.

The more powerful paid version of the Sophos system adds anti-ransomware -- a timely consideration if you’re running a server that’s even slightly mission critical or has customer, development, or product data -- application whitelisting and HIPS for centralized management of racks or rooms full of servers.


3. chkrootkit / rkhunter

Sony BMG got in trouble years ago for surreptitiously installing a rootkit on the computers of unsuspecting music fans who innocently bought the latest from Celine Dion, Neil Diamond, or The Dead 60s, popped it in, and let a rootkit silently move into their systems.

A rootkit is a set of programs, scripts, and utilities that gain access to your root account and then maintain that access. A classic rootkit infection gets access through a Trojan horse version of the “sudo” command. It lies waiting, watching, for an admin to type the root password. Then it springs to life, grabs the access it needs, and wreaks havoc.

Two open source programs are designed specifically to scan and check for the presence of rootkits, whether they’ve already been triggered or whether they’re poised and waiting for that fateful command or sequence of instructions: chkrootkit and rkhunter. The primary difference between the two is the operating system they run on: Debian-based Linux users want chkrootkit, which is easy to install with an (administrative) command line invocation of “sudo apt install chkrootkit”. Running a variant of CentOS? The command line installation for that is “sudo yum install rkhunter”.


4. Lynis

Any decent Linux security software will check for rootkits or compromised Linux programs. You can do it manually too: Compare the checksum of programs you have installed with their equivalent on a clean, pristine install system. They should always be bit-for-bit identical. Keeping a system clean is about more than viruses and rootkits. Lynis offers a full set of security auditing tools.
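The manual checksum comparison described above, as an added example that is not from the article or from any of the tools it lists: one function records SHA-256 hashes of chosen binaries from a known-clean system into a manifest, and a second re-hashes the same paths later and reports anything that is no longer bit-for-bit identical. It assumes coreutils `sha256sum` and paths without spaces; the manifest file name and the sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article or any listed tool): build a SHA-256
# baseline of selected binaries on a clean system, then verify installed
# copies against it. Assumes coreutils sha256sum; paths must not contain
# spaces because the manifest is parsed with a whitespace split.

# make_baseline MANIFEST FILE...
# Writes "hash  path" lines for each FILE into MANIFEST (overwriting it).
make_baseline() {
    manifest=$1
    shift
    : > "$manifest"
    for f in "$@"; do
        sha256sum "$f" >> "$manifest"
    done
}

# check_baseline MANIFEST
# Re-hashes every path in MANIFEST and prints "CHANGED: <path>" for a
# hash mismatch or "MISSING: <path>" for a file that no longer exists.
# Returns 0 when everything matches, 1 when any file differs or is gone.
check_baseline() {
    manifest=$1
    bad=0
    while read -r expected path; do
        if [ ! -f "$path" ]; then
            echo "MISSING: $path"
            bad=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED: $path"
            bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Demonstration on constructed files in a temp directory: take a baseline,
# then alter one file the way a replaced binary would show up.
demo_dir=$(mktemp -d)
printf 'original sudo\n' > "$demo_dir/sudo"
printf 'original ls\n' > "$demo_dir/ls"
make_baseline "$demo_dir/baseline.sha256" "$demo_dir/sudo" "$demo_dir/ls"
printf 'modified sudo\n' > "$demo_dir/sudo"
if check_baseline "$demo_dir/baseline.sha256"; then
    echo "all files match the baseline"
else
    echo "baseline mismatch detected"
fi
rm -rf "$demo_dir"
```

In practice, keep the manifest (and the copy of `sha256sum` you trust) off the host being checked, since a rootkit that can replace `sudo` can also replace the hashing tool or the manifest. On a stock system the package manager already carries a vendor baseline: `rpm -Va` on Red Hat-style systems and `debsums -c` on Debian-style systems perform the same comparison against the package metadata, and `sha256sum -c manifest` is the one-line equivalent of the check function above.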

Better yet, Lynis is open source and supports just about every Linux and Unix-based system, including FreeBSD, Linux, NetBSD, and Solaris. It even works with MacOS. If you have existing malware scanners like ClamAV or rkhunter installed, Lynis can automatically tie them into its scans and monitoring, too, checking for configuration errors at the same time.

The entire system is written as a set of shell scripts, not as a block of C++ or something else impenetrable. You can run Lynis directly or install it from a USB thumb drive, CD, or DVD, which also makes it quite portable and a smart addition to any field security specialist toolkit. Indeed, it offers specific guidelines if you need to work on system hardening or compliance testing too, even if your system is isolated from the public internet.


5. ISPProtect

If you’re an internet service provider (ISP), you have a unique set of challenges when it comes to keeping your systems free of malware and policing the files and software that users upload and install. That’s what ISPProtect is for. It’s quite useful whether you’ve got dozens of users or a small Linux box in the server rack delivering up Web pages for an intranet. 

ISPProtect scans for and identifies malware in WordPress, Joomla, Drupal, and Magento Commerce installations, and can also ensure that all elements of these popular third-party software systems are up to date. Outdated installations are a common means of penetrating an otherwise secure system.

The program is built around a signature-based scan engine for viruses along with a heuristic scan engine that detects malware in many environments. It can handle lots of scenarios, including spam sent from your server from an unknown software package, an atypically high server load, or even customers complaining about their individual servers. This will make it easy to quickly identify and isolate problems.

One more thing: ISPProtect is written by the same open source development team that created the popular ISPConfig Webhosting Control Panel. An additional part of the package -- ISPProtect BanDaemon -- also protects your system against brute force or denial of service (DoS) attacks.


6. Kaspersky Anti-Virus for Linux/Endpoint Security for Linux

Kaspersky has long been known as a powerhouse in the antivirus world. In particular, its anti-malware software is popular in the Windows world, which gives the company deep knowledge of malware signatures and profiles, including those on Linux servers.

The company splits its product depending on what kind of systems you have: Kaspersky Anti-Virus for Linux Workstations is designed for an interactive system while Kaspersky Anti-Virus for Linux File Servers is designed for file servers. The company also has a product just for email servers.

With many of these solutions, the question is -- always -- how responsive the company will be to new attacks and exploits. Kaspersky releases database updates every hour, as needed.


7. Avast Security Suite for Linux

Long respected as one of the mainstays of the antivirus and anti-malware community, AVG has an antivirus solution for Linux servers that’s built on the same malware database as its popular Windows apps. No surprise, it’s focused on file servers, but it can also identify malware that’s lurking on a dual-boot system if you happen to like Windows for, say, gaming. 

The software is split into three categories of functionality - core security, file server security, and network security - that add up to the Avast Security Suite for Linux. The system works with Red Hat, Ubuntu, CentOS, and Debian, and is intended primarily to be run from the command line by admins. Got an old x86 64-bit system? Avast can keep your old hardware updated and safe at the same time. 

This is one of the best solutions on the market. It’s an actively supported suite with real-time updates for immediate response to the worst of malware attacks, along with smart traffic and usage monitoring tools. Don’t want to pay for a solution to keep your home file server safe? Avast has a free home edition that’s worth checking out.


8. ESET File Security for Linux / FreeBSD

Want a solution from a vendor that covers all the operating systems, offering solutions for Mac, Windows, and Linux? ESET has you covered with its wide range of antivirus and anti-malware tools that include a suite of file security software tools designed to simultaneously keep your Linux and FreeBSD servers clean, safe, and running quickly. 

As with many of the other solutions, ESET File Security for Linux / FreeBSD also offers remote management. That’s critical if you have anything more than a couple of servers in your facility, especially if you have servers located in offices around the U.S. or globally.

Just as important, you want compliance monitoring to ensure that all the servers throughout the organization comply with company security standards because it’s easier to fix it before it’s hacked.

ESET File Security works with SUSE, Fedora, Mandriva, Red Hat, Ubuntu, Debian, and FreeBSD, offering an extensive solution for even the most heterogeneous Linux shop.