Linux: 16 Security Packages Against Windows and Linux Malware Put to the Test
The Linux world is largely considered a safe fortress against malware, including various types of trojans. But many Linux machines run in a network with Windows PCs. Roughly half of all Web servers, for instance, run with a Linux system. These in turn serve billions of users on the Web. That's why Web servers are a tempting target to be used as a bridgehead for Windows malware threats.
50 percent of all Web servers work with Linux
A successful attack normally does not infect the system or the kernel. Rather, it focuses on the applications running on the Linux PC or Web server, which can be more easily hijacked or harnessed as a means of replication. Major hacker attacks have already been carried out on Web servers via SQL injection or cross-site scripting. But desktop PCs running Linux are also an attractive target: after all, applications with security gaps run there as well, e.g. the Firefox browser or tools such as Adobe Reader.
Having infiltrated a system, malware seldom causes any damage under Linux, as it actually expects a Windows system. Infected files simply remain dormant, waiting for the opportunity to attack a Windows system. To do so, it is often sufficient to copy files from a Linux environment to Windows.
An increasing number of trojans specifically targeting Linux have also been cropping up lately. They are not of particularly high quality yet, as the attackers are aware of the good protection mechanisms that Linux offers. Instead, they count on the carelessness of the user, who unwittingly abets the malware through operating errors. The most frequent case involves installing software or updates from third-party package sources. During installation, the user is often asked to grant the software temporary root rights. If the user allows this, important system components are swapped for manipulated versions. This enables an attacker to build a back door into the system and use it at will for a botnet.
Some blatant detection weaknesses
In the lab at AV-TEST, 16 protection solutions for Linux systems were examined. Most solutions are intended for desktop PCs, the rest for servers. The Ubuntu distribution was used as the test environment, as it is considered the most widely used distribution. The desktop 12.04 LTS 64 bit version (kernel 3.13.0-54) was used. In the test lineup were security solutions for Linux from Avast, AVG, Bitdefender, ClamAV, Comodo, Dr. Web, eScan, ESET, F-Prot, F-Secure, G Data, Kaspersky Lab (with two versions), McAfee, Sophos and Symantec. The test was divided into three parts: the detection of Windows malware, the detection of Linux malware and the test for false positives.
Detection of Windows malware
A total of eight out of 16 products detected between 99.7 and 99.9% of the 12,000 Windows attackers used in the test: Avast, F-Secure, Bitdefender, ESET, eScan, G Data, Kaspersky Lab (server version) and Sophos. Only the security package from Symantec achieved 100%.
Noticeably weaker are the detection rates of McAfee with 85.1% and Comodo with 83%. Alarmingly feeble are the results of Dr. Web with 67.8%, F-Prot with 22.1% and ClamAV with only 15.3%.
Detection of Linux malware
More and more perfidious malware threats are also being developed for Linux and put into circulation. The lab unleashed 900 already known Linux attackers on the systems. The result, however, looks significantly different from the detection rates for Windows malware. Only the Kaspersky Endpoint version achieved 100-percent detection under Linux. Following close behind with 99.7 percent was ESET, and AVG still reached 99 percent. The server versions of Kaspersky Lab and Avast do recognize over 98 percent of the attackers. Symantec, which offered the best detection of Windows malware, finds only 97.2 percent of the malware under Linux. That is where the free fall begins.
Coming in at the bottom of the list in detection of Linux malware threats are ClamAV, McAfee, Comodo and F-Prot. Their rates ranged between 66.1 and 23 percent. This means that in the worst case, 77 out of 100 threats simply remain undetected despite protection software under Linux.
Effective friend or foe detection
As an additional test segment, the lab had over 210,000 clean Linux files scanned by all the products. Thus, all the packages were examined in terms of their false positive rate. The result was stellar: Only Comodo issued a false alarm on just one file – all the other products were error-free.
Linux is secure – isn't it?
Most Linux users are convinced that they are using one of the most secure systems available. That statement is indeed true if you look only at the system itself and disregard everything else, because it is the occasional unsafe third-party application or user error that can turn Linux PCs or servers into virus cesspools. This is also confirmed by the latest study by Kaspersky for the first quarter of 2015: over 12,700 attacks were launched via botnets using a Linux system as their basis, whereas only 10,300 attacks came from botnets with a Windows system. What's more, the life cycle of Linux-based botnets is much longer than that of Windows-based ones. This is because such zombie networks are much more difficult to ferret out and neutralize, as servers under Linux are seldom equipped with dedicated protection solutions, unlike devices and servers under Windows.
In many Linux forums, the freeware products from Comodo, ClamAV and F-Prot are recommended for private users. That is not good advice, however. The test demonstrates that private users would be better advised to go with the freeware versions of Sophos for Linux or Bitdefender Antivirus Scanner for Unices. For server systems, there is even the freeware AVG Server Edition for Linux.
In this test, the best detection rates in terms of Linux and Windows were exhibited by the desktop solution from ESET, followed by Symantec and Kaspersky Lab endpoint versions for company workstations. Recommended for server protection are Kaspersky Anti-Virus for Linux File Server, AVG Server Edition for Linux and Avast File Server Security.
Guest commentary: Important line of defense for heterogeneous networks
The use of an antivirus product for Linux makes sense above all in heterogeneous networks where the products, as filters, can prevent malware from sneaking through to the Windows side. This requires a proper detection rate, however – you can skip the effort if every tenth malware threat gets through unscathed. That is why the latest results from AV-TEST provide quite a good indication of which antivirus solutions for Linux can be used to secure one's server parks.
The fact that the freeware ClamAV fails on the criteria of detection rate is hardly any surprise to insiders. The inevitable requirement for the development of efficient anti-malware strategies is a massive database operated in real time with millions of malware specimens and a farm of test computers. That is something a community project would find hard to mobilize. Yet the fact that commercial providers do not always come out in front is manifest in the even poorer performance by the product from F-Prot, as well as in a solution from Comodo that hardly performs any better – incidentally, both freeware products.
Even a renowned name and paid software, however, are no longer an automatic guarantee of utmost quality, as demonstrated by the McAfee business product finishing below average. By contrast, AVG Server Edition for Linux 2013 and ESET NOD32 AV for Linux Desktop stand out with impeccable detection rates. One product is free of charge to end users, the other is in the lower price segment, and both are designed for use in smaller networks. All in all, it is striking that products running reliably under Windows also deliver solid results under Linux – it is a natural assumption, but it is interesting to see it confirmed in black and white.
In general, everyone should understand that, after all, antivirus products form only the second line of defense in combating malware: the most important one rests on the shoulders of the user. Anyone who stays abreast of malware, regularly keeps their system up to date, does not open up any non-essential ports, only installs software from reliable sources, prohibits the Web browser from automatically executing active content and does not click on everything that has not disappeared on a count of three from the mail client or from the desktop, actually has nothing to worry about in terms of malware under Linux.
Thus, those running a hybrid network have no other choice but to sift through in advance under Linux any data flowing to the Windows machines. When opting for a suitable tool, the current side-by-side test from AV-TEST offers an invaluable decision-making asset.