Estimates vary, but generally it is believed that there are 100 to 500 Linux viruses out there. The tiny number of Linux viruses that do exist have never resulted in a significant outbreak. In comparison to the plethora of viruses and worms in Windows-based platforms, the volume of Linux viruses is insignificant. So this leads us to two questions: why are there so few Linux viruses and are Linux anti-virus tools necessary?
The answer to the first question has a lot to do with the differences between Linux and Windows desktops. Linux hosts are an unwelcoming environment for a virus because the multi-user access controlled model makes traditional virus propagation methods problematic.
Let's look at an example:
Virus attacks often start with the victim receiving an email containing a malicious attachment. If the user attempts to execute the attachment on a Windows platform, it will run if it has a suitable file extension, appropriate executable content or configured to be executed by association with a particular application. Even worse, some clever Windows-based viruses don't even require the user to execute the attachment. Viruses can be activated by merely reading the email containing it. As users of many Windows-based hosts, especially Windows XP, are also running with local administration rights, the virus may potentially infect and subvert the entire host.
Let's compare that to a similar attack on a Linux host. First, the attachment simply won't execute because of the Linux permissions model. The attachment must have execute permissions to run, so our user needs to detach the attachment and change its permissions before running it. But there is still no guarantee that the attachment will infect the host as the attachment only executes with the access of the user running it. Unless the user is neophyte who is running as the root user, something no Linux distribution does "out of the box", then the potential for substantial damage to the host is limited.
But while a Linux desktop might be difficult to infect, some security vendors have made the argument that a threat still exists in mixed Linux and Windows environments. In these environments, files may be shared between hosts or documents between Microsoft Office and its open source variants like OpenOffice. A virus-infected file might not be able to harm our Linux desktop but it could be shared to a vulnerable Windows desktop. While there may be some merit to this argument, I don't believe the risk is sufficient to merit the installation of a Linux desktop anti-virus tool. Continued deployment of standard anti-virus applications on file servers and mail gateways make more sense than large-scale deployments of anti-virus to Linux desktops.
Instead of deploying anti-virus on Linux desktops, managers should spend their security dollars on more appropriate, basic security precautions to counter the threats that currently exist. There is no excuse not to take precautions such as enabling a firewall, choosing strong passwords, ensuring your host is locked down and keeping up to date with patching and updates.
Lastly, it is always important to note that security is not a static product or state, rather than a process with a lifecycle. Keep abreast of threats and ensure you have an understanding of the trends in virus development, especially whether any of those trends have the potential to impact the Linux platform.
About the author: James Turnbull is the author of Pro Nagios 2.0. and Hardening Linux. A security architect for the National Australia Bank, James is the resident security expert for SearchEnterpriseLinux.com. Recently, James discussed how to use iptables against SSH attacks