Let's say for example I unknowingly install a piece of malware, and install it. How do I know I've done something so stupid? Windows has anti-virus/malware software to check, while GNU/Linux seems to be lacking, with most of these programs on GNU/Linux dedicated to finding Windows viruses, like ClamAV. Sophos seems like a good idea, but it doesn't elegantly install with your package manager, and sometimes pops up a window about errors the automatic scanner finds. Besides that, the automatic scanner seems to be pretty particular with kernels, like you can't use an HWE kernel when it comes out. :/

Also, if I do get malware, can I still install a scanner, or will it not be effective, since the malware could interfere with a new installation? Could I even scan at all on such an infected system? Do I have to use a live USB instead?

2 Answers

If you are looking for a simple sanity check, you could try this answer: Can dpkg verify files from an installed package. This suggests using

sudo dpkg --verify

to check for mismatches on the md5sums. On my system, this shows up things like ??5?????? /usr/bin/easy_install which may have been modified legitimately by something other than dpkg or apt-get.

James Brusey
  • I've used debsums, which is similar. Ehh, don't worry, I found out I could use Sophos. One last thing though: If my computer were infected, and I afterwards installed Sophos on it, would Sophos work? Or would it not? It does seem to perfectly work, but my OCD tells me that what if the malware hijacked the program to make it lie. I guess though that tactic would probably apply if Sophos was already on there anyways lol. Let alone most (or all?) malware is just simply not that advanced. – RDM_School_account Dec 01 '16 at 11:40
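As an added example (not code from the answer or from dpkg itself), here is a POSIX shell script that decodes the rpm-style lines dpkg --verify prints and separates edited conffiles (the "c" attribute, normally a legitimate local edit) from changed non-config files such as the /usr/bin/easy_install hit above, which deserve a closer look. The sample output lines are constructed, and the function names triage_verify and decode_flags are my own.

```shell
#!/bin/sh
# Decode `dpkg --verify` output and flag unexpected changes to non-config files.
# Real use: sudo dpkg --verify 2>/dev/null | triage_verify
# Constructed sample of the rpm-style lines dpkg --verify produces:
SAMPLE_VERIFY_OUTPUT='??5?????? c /etc/ssh/sshd_config
??5?????? /usr/bin/easy_install
missing /usr/share/doc/foo/README'

# decode_flags FLAGS -> prints the names of the checks that failed.
# Positions 1-9: S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime, P capabilities; '.' passed, '?' could not be checked.
decode_flags() {
    flags="$1"; out=""; i=1
    [ "$flags" = "missing" ] && { printf 'file-missing'; return; }
    while [ "$i" -le 9 ]; do
        ch=$(printf '%s' "$flags" | cut -c "$i")
        case "$ch" in
            .|\?) ;;
            *) case "$i" in
                 1) out="$out size";;   2) out="$out mode";;  3) out="$out md5";;
                 4) out="$out device";; 5) out="$out link";;  6) out="$out user";;
                 7) out="$out group";;  8) out="$out mtime";; 9) out="$out caps";;
               esac;;
        esac
        i=$((i + 1))
    done
    printf '%s' "${out# }"
}

# triage_verify: reads verify lines on stdin, prints "KIND path failed-checks".
# EXPECTED = edited conffile, SUSPECT = non-config file changed, MISSING = gone.
triage_verify() {
    while read -r flags a b; do
        [ -z "$flags" ] && continue
        if [ "$a" = "c" ]; then path="$b"; kind="EXPECTED"
        else path="$a"; kind="SUSPECT"; fi
        [ "$flags" = "missing" ] && kind="MISSING"
        printf '%s %s %s\n' "$kind" "$path" "$(decode_flags "$flags")"
    done
}

# count_suspects: number of changed non-conffile paths in the sample.
count_suspects() {
    printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | triage_verify | grep -c '^SUSPECT '
}

printf '%s\n' "$SAMPLE_VERIFY_OUTPUT" | triage_verify
```

A SUSPECT line is not proof of malware (pip, a local rebuild or a manual edit can change a packaged binary too), but it is the list worth comparing against what you remember doing.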
The arguments for and against AV protection have been debated ad nauseam. Without expressing my view for or against, I'll say that I run Sophos AV on Ubuntu 16.04 and it has identified files that were otherwise compromised and / or contained malware, primarily in the area of file storage from the network. This solution has both on-demand and on-access features.

Sophos makes this available free for home / non-commercial use:
https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx

So to the question: "Is there an Ubuntu sanity check for malware?"
Yes, and my solution of choice is Sophos AV.

There are others.

Mark
  • Could I install it on a live USB session, so I could scan my OS from the outside? – RDM_School_account Nov 30 '16 at 21:48
  • For live CD boot and scan I've used Avira. – Mark Nov 30 '16 at 21:49
  • https://www.avira.com/en/download/product/avira-rescue-system – Mark Nov 30 '16 at 21:49
  • Avira doesn't seem to scan Linux stuff, it only has versions for phones, Macs, and Windows PCs. Besides that, I only have one Live USB lying around, and I really don't want to make one with a potentially infected (though extremely likely not) computer. – RDM_School_account Nov 30 '16 at 21:52
  • Avira will scan various file formats including what is likely your installation of EXT4. It is (in effect) OS agnostic. – Mark Nov 30 '16 at 21:54
  • But doesn't it need to recognize GNU/Linux viruses at all? Sure, it'll find most other crap, but I don't think that it'll take notice of GNU/Linux malware. – RDM_School_account Nov 30 '16 at 21:55
  • (Sadly I can't edit a comment) What I liked was the Avira rescue ISO which you would boot to directly. While it is likely immaterial, you should create the bootable USB on a machine you don't believe to be at issue. That rescue system image is what I was referring to by OS agnostic. – Mark Nov 30 '16 at 21:56
  • Malware (of which virii is a subset) is detected by inspecting files for code that is known, or via heuristics that detect anomalies during execution. This rescue boot image scans all files and looks for these signatures. The operating system is irrelevant to this process; a file is a file. If you are asking about the level of detection ability, that's an entirely different discussion and it varies across vendors and products. – Mark Nov 30 '16 at 21:59