AV-Test – Which is the best Antivirus for Linux systems?

The Independent AV-Test Institute has analyzed 16 Linux security solutions against Windows and Linux threats under Ubuntu. The results are disconcerting.

The results of the tests on Linux security solutions show that many Linux machines are vulnerable to cyber attacks; consider the billions of Internet users who access Web servers every day.

In many cases, these machines are networked with Windows systems, and according to the tests they are not immune to infection despite the security solutions installed.

“A successful attack normally does not infect the system or the kernel. Rather, it focuses on the applications running on the Linux PC or Web server. They can be more easily hijacked or harnessed as a means to replicate. Major hacker attacks have already been carried out on Web servers via SQL injection or cross-site scripting,” states the analysis published by AV-Test. “But desktop PCs with Linux are also an attractive target. After all, running applications with security gaps are found there as well, e.g. the Firefox browser or tools such as the Adobe Reader.”

There are various opportunities for attackers targeting hybrid networks: malware can compromise a Linux machine or use it as a store for infected files, waiting for the opportunity to spread to connected Windows systems.

“To do so, it is often sufficient to copy files from a Linux environment to Windows.” 

Although the trojans specifically designed to compromise Linux systems do not appear particularly sophisticated, the most frequent attack scenario involves victims installing software or updates from third-party package sources, a procedure that is carried out with root rights.

The attacker can exploit these root privileges to establish a backdoor in the system.

AV-TEST evaluated 16 protection solutions for Linux systems; most are intended for desktop PCs, the rest for servers. The experts focused the analysis on the Ubuntu distribution (desktop 12.04 LTS, 64-bit version), the most widely used one.

AV-Test tested the following security solutions:

  • Avast
  • AVG
  • Bitdefender
  • ClamAV
  • Comodo
  • Dr. Web
  • eScan
  • ESET
  • F-Prot
  • F-Secure
  • G Data
  • Kaspersky Lab (with two versions)
  • McAfee
  • Sophos
  • Symantec

The experts split the test session into three distinct parts: the detection of Windows malware, the detection of Linux malware, and the test for false positives.

Detection of Windows malware

A total of eight out of 16 products detected between 99.7 and 99.9% of the 12,000 Windows threats used in the test: Avast, F-Secure, Bitdefender, ESET, eScan, G Data, Kaspersky Lab (server version) and Sophos.

Only the security package from Symantec achieved 100%.

McAfee obtained a rate of 85.1% and Comodo 83%. Bitter results for Dr. Web with 67.8%, and disconcerting detection figures for F-Prot with 22.1% and ClamAV with only 15.3%!

Detection of Linux malware

The experts at AV-Test tested the products against 900 already known Linux threats.

Only the Kaspersky endpoint version achieved 100 percent detection under Linux.

Good results for ESET with 99.7 percent, and AVG still reached 99 percent. The server versions of Kaspersky Lab and Avast recognize over 98 percent of the threats. Symantec, which was the best at detecting Windows threats, finds 97.2 percent of the malware under Linux.

In this case too, other results were disconcerting!

“Coming in at the bottom of the list in detection of Linux malware threats are ClamAV, McAfee, Comodo and F-Prot. Their rates ranged between 66.1 and 23 percent. This means that in the worst case, 77 out of 100 threats simply remain undetected despite protection software under Linux.” states the analysis. 

False positives

The AV-Test lab had all the products scan over 210,000 clean Linux files. Only Comodo issued a false alarm, on just one file, so good results for everybody.

Lesson Learned

Considering a computer system totally secure is a serious error, yet most Linux users are convinced that they are immune to cyber threats.

“Because it is occasional unsafe third-party applications or user errors that can turn Linux PCs or servers into virus cesspools. This is also confirmed by the latest study by Kaspersky for the first quarter of 2015: over 12,700 attacks were launched via botnets, using a Linux system as their basis, by contrast only 10,300 attacks came from botnets with a Windows system. What’s more, the life cycle of Linux-based botnets is much longer than those based on Windows. This is because it is much more difficult to ferret out and neutralize zombie networks such as these, as servers under Linux are seldom equipped with special protection solutions – unlike devices and servers under Windows.” states AV-Test.

AV-Test highlights that in many Linux forums the freeware products from Comodo, ClamAV and F-Prot are recommended for private users, but the above results demonstrate the opposite. The freeware versions of Sophos for Linux or Bitdefender Antivirus Scanner for Unices are a safer choice for desktop machines, while for server systems the freeware AVG Server Edition for Linux is suggested.

Let me close with the final statement from the experts at AV-Test Lab:

“In this test, the best detection rates in terms of Linux and Windows were exhibited by the desktop solution from ESET, followed by Symantec and Kaspersky Lab endpoint versions for company workstations. Recommended for server protection are Kaspersky Anti-Virus for Linux File Server, AVG Server Edition for Linux and Avast File Server Security.”

Pierluigi Paganini

(Security Affairs – AV-Test, Linux)
