Linux: 16 Security Packages Against Windows and Linux Malware Put to the Test
The Linux world is largely considered a safe fortress against malware, trojans included. But many Linux machines share a network with Windows PCs. Roughly half of all Web servers, for instance, run on Linux, and these in turn serve billions of users on the Web. That is why Web servers are a tempting target to be used as a bridgehead for Windows malware.
50 percent of all Web servers work with Linux
A successful attack normally does not infect the system or the kernel. Rather, it targets the applications running on the Linux PC or Web server, which are easier to hijack or to harness as a means of spreading. Major attacks on Web servers have already been carried out via SQL injection or cross-site scripting. But desktop PCs with Linux are also an attractive target: applications with security gaps run there as well, e.g. the Firefox browser or tools such as Adobe Reader.
Having infiltrated a system, malware seldom causes any damage under Linux, as it actually expects a Windows system. Infected files simply lie dormant, waiting for the opportunity to reach a Windows system. For that, it is often enough for the files to be copied from the Linux environment to Windows.
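The practical consequence for an administrator is that a Linux file server or web root can carry Windows executables that nothing on the Linux side ever tries to run. The following is an added example (not AV-TEST's code, and not taken from any of the tested products) showing how to find such files by content rather than by name: it checks the MZ/PE headers, so a Windows binary renamed to look like a document is still reported. The sample files are constructed inside the script.

```python
"""Find Windows executables (PE files) on a Linux host by content, not by name.

Added example (not AV-TEST's code): Windows malware sitting on a Linux web server or
file share is inert there but is still a PE image, so checking the MZ/PE headers
catches samples renamed to look like documents. The sample files are constructed here.
"""
import os
import struct
import tempfile
from typing import Dict, List, Optional

IMAGE_FILE_DLL = 0x2000          # PE Characteristics bit: image is a DLL
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def pe_info(data: bytes) -> Optional[Dict[str, object]]:
    """Return basic COFF header facts if `data` starts a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4 bytes) + COFF header (20 bytes) must fit inside what was read.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, _ts, _symtab, _nsyms, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    return {"machine": machine, "sections": nsections, "dll": bool(chars & IMAGE_FILE_DLL)}


def scan_tree(root: str, head_len: int = 65536) -> List[Dict[str, object]]:
    """Walk `root` and report every file whose header parses as PE, whatever its name."""
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(head_len)   # an e_lfanew beyond head_len is treated as not PE
            except OSError:
                continue
            info = pe_info(head)
            if info is not None:
                info["path"] = os.path.relpath(path, root)
                findings.append(info)
    return sorted(findings, key=lambda f: str(f["path"]))


def make_pe(machine: int, characteristics: int) -> bytes:
    """Constructed minimal PE header (DOS header + signature + COFF header); not executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature directly after the DOS header
    coff = struct.pack("<HHIIIHH", machine, 3, 0, 0, 0, 0xE0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


def demo() -> List[Dict[str, object]]:
    """Populate a temporary 'share' with constructed files and scan it."""
    samples = {
        "invoice.pdf": make_pe(IMAGE_FILE_MACHINE_I386, 0x0102),   # 32-bit EXE disguised as a PDF
        "plugin.dll": make_pe(IMAGE_FILE_MACHINE_AMD64, 0x2022),   # 64-bit DLL under its own name
        "notes.txt": b"quarterly numbers\n",                        # plain text, ignored
        "README": b"MZ" + b"\0" * 62,                               # MZ stub without a PE signature
    }
    with tempfile.TemporaryDirectory() as root:
        for name, content in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}: PE machine=0x{hit['machine']:x} dll={hit['dll']}")
```

Identifying a file as a PE image says nothing about whether it is malicious; the point is to build the list of candidates that a Linux-side scanner should actually be pointed at, and to notice that the list does not stop at `.exe`. Packed or archived samples (ZIP, installers, documents with embedded executables) are not caught by a header check and need the scanner itself.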
An increasing number of trojans specifically targeted at Linux have also been cropping up lately. They are not of particularly high quality yet, as the attackers are aware of the good protection mechanisms that Linux offers. Instead, they count on the carelessness of the user, who unwittingly abets the malware through mistakes. The most frequent case involves installing software or updates from third-party package sources. During installation the user is often asked to grant the software temporary root rights. If the user does so, important system components are replaced with manipulated versions. This lets the attacker build a back door into the system and use it at will, for example as part of a botnet.
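One check a practitioner wants after a package from an untrusted source has been installed with root rights is whether files belonging to other packages were quietly replaced. The following is an added example (not AV-TEST's code): it re-implements the comparison that the debsums tool (or, on newer dpkg versions, `dpkg --verify`) performs between the checksums dpkg recorded at install time in /var/lib/dpkg/info/<package>.md5sums and the files now on disk. The package, its manifest and the tampering are all constructed inside a temporary directory so the script runs anywhere.

```python
"""Check installed files against the checksums the package manager recorded at install time.

Added example (not AV-TEST's code). dpkg keeps one line per installed file, formatted
'<md5 hex>  <path relative to />', in /var/lib/dpkg/info/<package>.md5sums; debsums
compares them with the files on disk. This reimplements that comparison over a
constructed manifest and a temporary root so it runs offline.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def parse_md5sums(text: str) -> Dict[str, str]:
    """Parse md5sums lines into {relative_path: md5hex}; blank lines are skipped."""
    manifest: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        digest, sep, path = raw.partition("  ")   # exactly two spaces separate hash and path
        if not sep or len(digest) != 32 or not path:
            raise ValueError(f"malformed md5sums line: {raw!r}")
        manifest[path] = digest.lower()
    return manifest


def verify_files(root: str, manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, 'modified' | 'missing') for every manifest entry that does not match."""
    problems: List[Tuple[str, str]] = []
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        try:
            with open(full, "rb") as fh:
                actual = hashlib.md5(fh.read()).hexdigest()
        except FileNotFoundError:
            problems.append((rel, "missing"))
            continue
        if actual != expected:
            problems.append((rel, "modified"))
    return problems


def demo() -> List[Tuple[str, str]]:
    """Install a constructed package into a temp root, record its manifest, then tamper with it."""
    original = {
        "usr/bin/tool": b"#!/bin/sh\nexec /usr/lib/tool/helper\n",
        "usr/lib/tool/helper": b"\x7fELF" + b"\0" * 60,
        "usr/share/doc/tool/README": b"tool 1.0\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in original.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(content)
        # The manifest as dpkg would have written it when the package was installed.
        md5sums = "".join(f"{hashlib.md5(c).hexdigest()}  {rel}\n" for rel, c in original.items())
        manifest = parse_md5sums(md5sums)
        # Simulated tampering by a later, malicious install script running as root.
        with open(os.path.join(root, "usr/lib/tool/helper"), "wb") as fh:
            fh.write(b"\x7fELF" + b"backdoor" + b"\0" * 52)
        os.remove(os.path.join(root, "usr/share/doc/tool/README"))
        return verify_files(root, manifest)


if __name__ == "__main__":
    for rel, status in demo():
        print(f"{status:9s} {rel}")
```

Two caveats apply to the real thing as much as to this reimplementation. The manifest is MD5 and lives on the same disk as the files, so an attacker who already has root can rewrite it along with the binaries; a comparison against freshly downloaded, signature-checked .deb files (or a baseline kept off the machine) is needed to catch that case. And dpkg does not list configuration files in the md5sums manifest, so changes under /etc have to be reviewed separately.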
Some glaring detection weaknesses
In the lab at AV-TEST, 16 protection solutions for Linux systems were examined. Most of the solutions are intended for desktop PCs, the rest for servers. The Ubuntu distribution was used as the test environment, as it is considered the most widely used distribution. The 64-bit desktop version 12.04 LTS (kernel 3.13.0-54) was used. In the test lineup were security solutions for Linux from Avast, AVG, Bitdefender, ClamAV, Comodo, Dr. Web, eScan, ESET, F-Prot, F-Secure, G Data, Kaspersky Lab (with two versions), McAfee, Sophos and Symantec. The test was divided into three parts: the detection of Windows malware, the detection of Linux malware and the test for false positives.
Detection of Windows malware
Eight of the 16 products detected between 99.7 and 99.9% of the 12,000 Windows malware samples used in the test: Avast, F-Secure, Bitdefender, ESET, eScan, G Data, Kaspersky Lab (server version) and Sophos. Only the security package from Symantec achieved 100%.
Noticeably weaker are the detection rates of McAfee with 85.1% and Comodo with 83%. Alarmingly feeble are the results of Dr. Web with 67.8%, F-Prot with 22.1% and ClamAV with only 15.3%!
Detection of Linux malware
More and more perfidious malware is also being developed for Linux and put into circulation. The lab unleashed 900 already known Linux malware samples on the systems. The result looks significantly different from the detection rates for Windows malware. Only the Kaspersky Endpoint version achieved 100 percent detection under Linux. ESET followed closely with 99.7 percent, and AVG still reached 99 percent. The server versions of Kaspersky Lab and Avast do recognize over 98 percent of the samples. Symantec, which offered the best detection for Windows malware, finds only 97.2 percent of the malware under Linux. That is where the free fall begins.
Coming in at the bottom of the list in the detection of Linux malware are ClamAV, McAfee, Comodo and F-Prot. Their rates ranged between 66.1 and 23 percent. This means that in the worst case, 77 out of 100 threats simply go undetected despite protection software being installed under Linux.
Effective friend or foe detection
As an additional test segment, the lab had over 210,000 clean Linux files scanned by all the products. Thus, all the packages were examined in terms of their false positive rate. The result was stellar: Only Comodo issued a false alarm on just one file – all the other products were error-free.
Linux is secure – isn’t it?
Most Linux users are convinced that they are using one of the most secure systems available. That is true if you look only at the system itself and disregard everything else, because it is insecure third-party applications or user errors that can turn Linux PCs or servers into virus cesspools. This is also confirmed by Kaspersky's latest study for the first quarter of 2015: over 12,700 attacks were launched from botnets based on Linux systems, compared with only 10,300 attacks from botnets based on Windows systems. What's more, Linux-based botnets live much longer than Windows-based ones, because zombie networks of this kind are much harder to find and neutralize: Linux servers are seldom equipped with dedicated protection solutions, unlike devices and servers running Windows.
In many Linux forums, the freeware products from Comodo, ClamAV and F-Prot are recommended for private users. That is not good advice, however. The test demonstrates that private users would be better advised to go with the freeware versions of Sophos for Linux or Bitdefender Antivirus Scanner for Unices. For server systems, there is even the freeware AVG Server Edition for Linux.
In this test, the best detection rates in terms of Linux and Windows were exhibited by the desktop solution from ESET, followed by Symantec and Kaspersky Lab endpoint versions for company workstations. Recommended for server protection are Kaspersky Anti-Virus for Linux File Server, AVG Server Edition for Linux and Avast File Server Security.
5th October 2015
by Markus Selinger