AV-Test – Which is the best Antivirus for Linux systems?

Pierluigi Paganini October 05, 2015

The Independent AV-Test Institute has analyzed 16 Linux security solutions against Windows and Linux threats under Ubuntu. The results are disconcerting.

The result of the tests on Linux security solutions demonstrates that many Linux machines are vulnerable to cyber attacks, let’s consider to billions of internet users that daily access Web servers.

In many cases, these machines work in networking with Windows systems and according to the tests they aren’t not immune to the infection despite the security solutions.

“A successful attack normally does not infect the system or the kernel. Rather, it focuses on the applications running on the Linux PC or Web server. They can be more easily hijacked or harnessed as a means to replicate. Major hacker attacks have already been carried out on Web servers via SQL injection or cross-site scripting.” states the analysis published by AV-Test.” But desktop PCs with Linux are also an attractive target. After all, running applications with security gaps are found there as well, e.g. the Firefox browser or tools such as the Adobe Reader.”

There are various opportunities for hackers that target hybrid networks, a malware can compromise a Linux machine or use it as storage of infected files waiting for the opportunity to spread it on connected Windows systems.

“To do so, it is often sufficient to copy files from a Linux environment to Windows.” 

Despite the trojans specifically designed to compromise Linux systems doesn’t appear so sophisticated, the most frequent attack scenario involves victims installing software or updates via third-party package sources, a procedure that is used by assigning root rights.

This attacker can exploit the root privileges in order to establish a backdoor into the system.

The AV-TEST evaluates 16 protection solutions for Linux systems, most solutions are intended for desktop PCs, the rest for servers. The experts focused the analysis on the Ubuntu distribution (desktop 12.04 LTS 64 bit version) that is the most widely used package.

AV-Test tested the following security solutions:

  • Avast
  • AVG
  • Bitdefender
  • ClamAV
  • Comodo
  • Dr. Web
  • eScan
  • ESET
  • F-Prot
  • F-Secure
  • G Data
  • Kaspersky Lab (with two versions)
  • McAfee
  • Sophos
  • Symantec

The experts split test session into three distinct parts, the detection of Windows malware, the detection of Linux malware and the test for false positives.

Detection of Windows malware

A total of eight out of 16 products detected between 99.7 and 99.9% of the 12,000 Windows threat used in the test: Avast, F-Secure, Bitdefender, ESET, eScan, G Data, Kaspersky Lab (server version) and Sophos.

Only the security package from Symantec achieved 100%.

McAfee obtained a rate of 85.1% and Comodo 83%. Bitter results for Dr. Web with 67.8%, disconcerting the data related the detection of F-Prot with 22.1% and ClamAV with only 15.3%!

Detection of Linux malware

The experts at AV-Test tested the systems against 900 actually already known attackers for Linux.

Only Kaspersky Endpoint Version achieved 100-percent detection under Linux.

Good results for ESET with 99.7 percent and AVG still reached 99 percent. The server versions of Kaspersky Lab and Avast do in fact recognize over 98 percent of the attackers. Symantec, that resulted the best in detecting the Windows threat, finds 97.2 percent of the malware under Linux.

Also in this case other results were disconcerting!

“Coming in at the bottom of the list in detection of Linux malware threats are ClamAV, McAfee, Comodo and F-Prot. Their rates ranged between 66.1 and 23 percent. This means that in the worst case, 77 out of 100 threats simply remain undetected despite protection software under Linux.” states the analysis. 

False positives

The AV-Test Lab used over 210,000 clean Linux files scanned by all the products. Only Comodo issued a false alarm on just one file, so good results for everybody.

Lesson Learned

Consider a computer system totally secure is a great error, most Linux users are convinced that they are immune to cyber threats.

“Because it is occasional unsafe third-party applications or user errors that can turn Linux PCs or servers into virus cesspools. This is also confirmed by the latest study by Kaspersky for the first quarter of 2015: over 12,700 attacks were launched via botnets, using a Linux system as their basis, by contrast only 10,300 attacks came from botnets with a Windows system. What’s more, the life cycle of Linux-based botnets is much longer than those based on Windows. This is because it is much more difficult to ferret out and neutralize zombie networks such as these, as servers under Linux are seldom equipped with special protection solutions – unlike devices and servers under Windows.” states AV-Test.

Linux security solution tests

The AV-Test highlight that in many Linux forums, the freeware products from Comodo, ClamAV and F-Prot are recommended for private users, but the above results demonstrate the opposite. Freeware versions of Sophos for Linux or Bitdefender Antivirus Scanner for Unices are more secure for desktop machines,  meanwhile for server systems it is suggested to use the freeware AVG Server Edition for Linux.

Let me close with the final statement from the experts at AV-Test Lab:

“In this test, the best detection rates in terms of Linux and Windows were exhibited by the desktop solution from ESET, followed by Symantec and Kaspersky Lab endpoint versions for company workstations. Recommended for server protection are Kaspersky Anti-Virus for Linux File Server, AVG Server Edition for Linux and Avast File Server Security.”

Pierluigi Paganini

(Security Affairs – AV-Test, Linux)

you might also like

leave a comment