I am a bit concerned about the security of my Linux machine. ClamAV shows that it detects malware, but only during a manual scan. Maybe it isn't designed to run in the background. I don't know. I just want good protection for my system.
At least Avast on Windows immediately blocks any further interaction if it gets even a slight hint of malicious activity. I haven't seen any Windows malware pop up during a manual scan in a long time.
Recently ClamAV showed a lot of threats, and many times before:
/home/arjun/.cache/mozilla/firefox/velcy2qd.default-1475046670923/cache2/entries/5B6A5C07930975FDE8750B7CA9824A79551A31A2 PUA.Win.Tool.Packed-177
/home/arjun/.config/min/Cache/f_000036 PUA.Win.Trojan.Xored-1
/home/arjun/.config/min/Cache/f_000020 PUA.Win.Trojan.Xored-1
/home/arjun/.config/Vectr/Cache/f_000006 PUA.Html.Trojan.Agent-37075
/home/arjun/.npm/accessibility-developer-tools/2.11.0/package.tgz PUA.Html.Trojan.Agent-37075
/home/arjun/.npm/npm/2.15.11/package.tgz PUA.Win.Trojan.Xored-1
/home/arjun/.npm/imurmurhash/0.1.4/package.tgz PUA.Win.Trojan.Xored-1
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
I don't know if these are false positives or real malware. If we go by this report – http://www.networkworld.com/article/2989137/linux/av-test-lab-tests-16-linux-antivirus-products-against-windows-and-linux-malware.html – it shows ClamAV having around 60% efficiency.
In fact the report recommends going with Kaspersky, or even Sophos, which would be much better.
And there are many other reports on the internet advising the same.
- Have you used other software showing better protection than ClamAV?
- Are there any "enhancements" possible to increase the threat detection in ClamAV, since it is lightweight? (I have seen some websites suggesting to add their threat signatures to the ClamAV list. Is it safe?)
- Overall, and this is important: are there some configurations which can be performed for hardened protection, without slowing down the machine?
Best Answer
Yes, it is. The wiki shows methods for running it as a daemon and as a scanner:
Linux is fundamentally different from Windows, so we did not inherit the problems Windows (still) faces. Our system has been set up as a multi-user system: more than one user at the same time is expected to use it. This means we have a security model built into our system, since some users are not expected to see all the content or be able to do whatever they want on our systems. That also hinders malware from abusing your system.
Yes, it does not make Linux invulnerable. But as long as it is easier to infect millions of Windows systems than to infect one Linux machine, we win. Only if your machine is targeted specifically (when you run a game server, for instance) do you need to take precautions. But those are: create regular backups, use a good password, use a router, keep an eye on the CVE tracker, keep your system up to date and do not install software you do not need. All things you should do anyway.
Yes (1st part: as a system admin for 30+ systems I have examined several virus scanners and rootkit detectors and also made an assessment of the threat risks when not using one) and no (2nd part). But the no is not because ClamAV is so good: it is as bad as any other virus scanner. Virus scanners all have such a low success rate that they are useless. When nearly 100% of what it claims to be a virus is false, I can't use it.
See for instance the "signatures.pdf" in the "doc" dir of ClamAV on how to upload extra virus signatures.
But this is only useful when you actually find a virus as the 1st person. The virus definition file gets updates pretty regularly so I doubt there is anything to improve.
This is a question on its own and has also no relation to virus scanners.
Important:
The protection of your system does not come from anti-virus software; it comes from how you treat your system. If you ever do find a virus you are too late: removing the virus is not enough, as your system has been compromised and needs to be re-installed from a proven clean backup. You always have to assume they got your admin password.
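Two things come up on this page that are easier to reason about with a little code: triaging a `clamscan` listing like the one in the question (separating `PUA.*` heuristic hits from everything else), and writing your own hash signature in the `.hdb` / `.hsb` format described in ClamAV's signatures.pdf, for the case the answer mentions where you are the first person to find a sample. The script below is an added example, not code from the question, the answer or the ClamAV project. The scan output it parses is a constructed sample modelled on the question's listing (paths shortened, `Eicar-Test-Signature` used for the one non-PUA hit); the signature name `Test.Example` and the file contents are also constructed.

```python
"""Triage clamscan output and build a custom ClamAV hash signature.

Added example; assumes the `<path>: <signature> FOUND` line format that
`clamscan` prints and the `HASH:SIZE:NAME` line format of .hdb/.hsb files.
"""
import hashlib
import re

# Constructed sample of `clamscan -ri ~` output, modelled on the question.
SAMPLE_SCAN_OUTPUT = """\
/home/arjun/.cache/mozilla/firefox/velcy2qd.default/cache2/entries/5B6A5C07: PUA.Win.Tool.Packed-177 FOUND
/home/arjun/.config/min/Cache/f_000036: PUA.Win.Trojan.Xored-1 FOUND
/home/arjun/.npm/npm/2.15.11/package.tgz: PUA.Win.Trojan.Xored-1 FOUND
/home/arjun/.npm/imurmurhash/0.1.4/package.tgz: PUA.Win.Trojan.Xored-1 FOUND
/home/arjun/Downloads/eicar.com: Eicar-Test-Signature FOUND
/home/arjun/notes.txt: OK
----------- SCAN SUMMARY -----------
Infected files: 5
"""

# One hit per line: "<path>: <signature> FOUND". Summary lines do not match.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Directories whose contents are regenerated and where PUA hits are mostly
# noise: browser caches and package-manager caches (assumed list, extend it).
CACHE_MARKERS = ("/.cache/", "/Cache/", "/.npm/")


def parse_scan_output(text):
    """Return a list of (path, signature) for every FOUND line."""
    hits = []
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def triage(hits):
    """Bucket hits: real signatures first, then PUA hits in cache dirs last.

    PUA.* names are ClamAV's heuristic "potentially unwanted" class; a PUA
    hit inside a cache directory still deserves a look, but it is the least
    alarming of the three buckets and the easiest to simply delete.
    """
    buckets = {"malware": [], "pua": [], "pua_in_cache": []}
    for path, sig in hits:
        if not sig.startswith("PUA."):
            buckets["malware"].append((path, sig))
        elif any(marker in path for marker in CACHE_MARKERS):
            buckets["pua_in_cache"].append((path, sig))
        else:
            buckets["pua"].append((path, sig))
    return buckets


def hdb_signature(data, name):
    """Return a .hdb line (MD5:size:name) matching exactly these bytes."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def hsb_signature(data, name):
    """Return a .hsb line using SHA-256 (same layout, stronger hash)."""
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:{name}"


if __name__ == "__main__":
    buckets = triage(parse_scan_output(SAMPLE_SCAN_OUTPUT))
    for bucket, entries in buckets.items():
        print(f"== {bucket} ({len(entries)})")
        for path, sig in entries:
            print(f"  {sig}  {path}")
    # Constructed sample contents; write the line to custom.hdb and load it
    # with `clamscan -d custom.hdb <file>` to test the signature locally.
    print(hdb_signature(b"constructed sample payload\n", "Test.Example"))
```

Hash signatures only match the exact bytes you hashed, so they are useful for blocking a specific sample you have already found, which is the limited value the answer describes. Keep custom databases in a separate file passed with `-d` rather than editing the files `freshclam` maintains, and treat any third-party signature feed as untrusted input: a bad signature produces false positives (and a deleted file if you scan with `--remove`), so verify its origin before adding it.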