Currently I have 3 Ubuntu Servers (2, 10.04 LTS and 1, 12.04 LTS). Among other things, these servers do virtual hosting for about 100 clients. So viruses are always a concern.

Linux Doesn't Get Viruses

"Now wait a minute", I hear you saying. "Linux doesn't get viruses." While technically that may or may not be true, I can tell you from experience that servers doing virtual hosting will get hacked, infected, or whatever you want to call it, sooner or later. Why? Because bad (OK, maybe not "bad" but at least misguided) people use vulnerabilities in server and web software (WordPress, for instance) to do things like install malware on visitors' PCs and steal passwords. I see attempts at such activities every day in my server logs.

With prevention and detection in mind, I use a full set of security tools including:

There's more, but those are the crux of the security tools I use. How to set up and use these tools is beyond the scope of this post (and off-subject, really). If you are interested in any of the items listed above, just click on the link to visit the associated website.

Sooner or Later, Somebody Always Gets In

I confess, I've had my servers hacked in the past. Even with tools like bad behavior and fail2ban, sooner or later somebody always will find a way to get into your (my) server. While programs like Rootkit Hunter will find many malicious files on your server, good antivirus software will detect (and remove if you want it to) items that the free software will often miss.

Antivirus software for Linux does much more than search for viruses. It searches for rootkits, hacked web pages, and a bunch more stuff that I've never taken the time to learn about. In short, it searches for the kind of malicious activity mentioned above. So which one to use?


I've tried ClamAV, AVG Linux Server Edition, and F-Prot. I've tried other free and pay-for antivirus software as well, but I can't remember what they were at the moment. I find the best to be F-Prot, in terms of pricing and functionality (and smaller footprint). The product page is here:


After purchasing, downloading, and installing, I added this line to my root crontab:

Note the pipes to grep. Without them I get an email each day with too much information in it to parse with human eyes. If you know a better way to run the cronjob, please share via a comment.

The email I receive each morning will show me any potential viruses on the system, which I investigate manually.

I also start fpscand from /etc/init.d/fpscand (I can't remember if I added the init script manually or if it came with the install). This guy stays resident and scans opened files for viruses in real time. I've also linked the daemon to my amavis anti-spam software by uncommenting the appropriate lines in the /etc/amavis/conf.d/15-av_scanners config file:

There's an fpupdate file in F-Prot's root install folder. I believe it is run automatically, either by fpscand or fpscan. My virus signatures stay up to date and I don't see any cronjobs explicitly calling the update program, at any rate.

Update: I missed it! The entry was in the /etc/crontab file (put there by the installer, I imagine):

Finally, you might ask what version of F-Prot I purchased. I honestly can't remember. Sorry! I think I may have purchased the Linux workstation version, which works fine for me. Your mileage may vary.

