Tuesday, July 24, 2007

Choosing a good antivirus for linux

This post is the second in a series of posts about setting up a good antivirus for linux. The need for this is discussed in my previous post. This post deals with the factors that influenced my choice of an antivirus. For details about setting up the antivirus, see my next few posts.

So as I said in my previous post, the wine installation on my linux box was infected with a virus and thus I decided to get an antivirus. The points I considered while choosing my antivirus were:
  1. The program should be free - free as in free beer (monetarily).
  2. It should preferably be open sourced.
  3. It should not be resource-hungry. It should not slow down my computer. After all, I am running linux (Ubuntu 7.04) and a resource hogging antivirus for linux is kind of an oxymoron.
  4. Its scanning engine should be fast.
  5. It should have a provision of receiving updates over the internet. The release frequency of these updates should be high. Preferably, there should be a provision for updating using command-line (terminal) so that automatic updates can be configured easily using cron.
  6. The updates should preferably be differential - which makes them much smaller and hence they download faster.
  7. It should have all standard features of a good antivirus - heuristic scanning, scanning archives, ability to define custom tests etc.
  8. It should support on-close or on-access scanning. Preferably, there should be an option to limit this to certain directories so that the overall impact on system performance is minimized.
  9. It should be able to function as an email scanner for desktop (non-mailserver) use. That is, it should be able to work with mutt / pine / thunderbird / evolution and other commonly used clients and scan email messages for viruses.
  10. It should be able to quarantine / heal infected files.
  11. The program should have a good command-line interface so that piping its output to other scripts etc. becomes easy. This vastly increases the power of the program, as one can write scripts that move infected files to a safe directory, make them non-executable etc. A GUI is also preferred, but not a must.
Considering these, I hold the opinion that:
  • Norton / Symantec, NOD32, McAfee fail on at least 1, 2, 3
  • Avast! free edition fails on the cron part of 5 and also on at least 2, 6, 8.
Thus, the good alternatives left are ClamAV / KlamAV and AVG free edition for linux. I decided to install AVG. At this point I must admit that I was a little biased towards AVG because of past experience on a windows machine. However, I did try to sort out this case objectively. I did try out ClamAV + KlamAV first.

ClamAV + KlamAV satisfy 1, 2, 3, 5, 6, 7, 9, 11 but not 4 IMHO. About 8, the feature exists (it took me a while to figure out how to configure the on-close scanning on Ubuntu Linux 7.04 - I will write a post soon on how I managed to get it to work), but on my machine I found the scanning engine to be slow, and that directly affects 8 and reduces its usability. Consider my experience: I use Ubuntu 7.04 and in particular, nautilus. Nautilus shows previews of .txt, pdf, avi etc. files as their icon. Now, when on-access scanning is on and not all the files in a folder have been scanned yet, nautilus waits for them to be scanned. So if the scanning engine / daemon is slow, after clicking on the icon of a folder having lots of items, I have to wait for quite a while before anything opens to a usable level. This is very annoying.

You might ask why I need on-close / on-access scanning on a linux machine in the first place. Well, I thought it would be good to have it because then I can configure it to automatically scan places in /media, /mnt and also .wine, so that whenever any removable media is used on my computer, it will be scanned automatically. Also, I thought that I could discipline myself and other users to download stuff to only certain directories and enable on-close / on-access scanning in them. I believe that this is a pretty good way of securing against viruses - I did manage to get all this working and then tested my system with 3 known viruses (apart from the good old eicar test file) and none of them could be copied / run (wine) / accessed from my box. As I said, I will post the details soon.

About 10, the quarantine feature exists, but to the best of my knowledge, the heal feature does not. Also, the method of quarantine is to move the infected file to a directory and change its permissions so that an ordinary user cannot access it. I am not very sure that this is the best way of quarantining - encrypting the files in some way and then changing the permissions would have made me happier.
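To make criteria 10 and 11 concrete, here is an added example (not code from the original post, and not part of AVG or ClamAV) of the kind of script the command-line criterion makes possible: it reads a scanner's report and quarantines every file flagged in it by moving it to a locked-down directory and stripping all permission bits, which is the quarantine method described above. It assumes the scanner prints one line per hit in the clamscan-style form "/path/to/file: Signature.Name FOUND"; the sample files, the report and the signature names produced by make_sample_scan are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Quarantine files named in a
# scanner report (assumed clamscan-style "path: Signature FOUND" lines).

# quarantine_from_report REPORT_FILE QUARANTINE_DIR
# Moves each file named in a FOUND line into QUARANTINE_DIR, strips every
# permission bit so an ordinary user can neither read nor execute it, and
# appends "<signature> <original path> <quarantined path>" to
# QUARANTINE_DIR/quarantine.log. Prints the number of files moved.
quarantine_from_report() {
    report="$1"
    qdir="$2"
    mkdir -p "$qdir" && chmod 700 "$qdir"   # only the owner can enter the directory
    moved=0
    # Read the report file directly (not via a pipe) so $moved survives the loop.
    while IFS= read -r line; do
        case "$line" in
            *' FOUND') ;;           # a hit: handled below
            *) continue ;;          # "OK" lines, blank lines and the summary are skipped
        esac
        path=${line%: * FOUND}      # strip ": <signature> FOUND" to get the file path
        sig=${line#"$path": }
        sig=${sig% FOUND}
        [ -f "$path" ] || continue  # already deleted or moved: nothing to do
        moved=$((moved + 1))
        dest="$qdir/$moved-$(basename "$path")"   # counter prefix keeps names unique
        mv -- "$path" "$dest"
        chmod 000 "$dest"           # neither readable nor executable by ordinary users
        printf '%s %s %s\n' "$sig" "$path" "$dest" >> "$qdir/quarantine.log"
    done < "$report"
    echo "$moved"
}

# make_sample_scan WORKDIR
# Creates three constructed files and a constructed report that flags two of
# them, standing in for the output of a real scanner run. Prints the report path.
make_sample_scan() {
    work="$1"
    mkdir -p "$work/downloads"
    printf 'harmless\n' > "$work/downloads/notes.txt"
    printf 'MZ fake\n'  > "$work/downloads/setup.exe"
    printf 'MZ fake\n'  > "$work/downloads/crack.exe"
    chmod 755 "$work/downloads/setup.exe" "$work/downloads/crack.exe"
    cat > "$work/scan.log" <<EOF
$work/downloads/notes.txt: OK
$work/downloads/setup.exe: Constructed.Sample-1 FOUND
$work/downloads/crack.exe: Constructed.Sample-2 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF
    echo "$work/scan.log"
}

# Stand-alone run: quarantine the hits from a constructed scan, then clean up.
demo_work=$(mktemp -d)
demo_report=$(make_sample_scan "$demo_work")
demo_n=$(quarantine_from_report "$demo_report" "$demo_work/quarantine")
echo "quarantined $demo_n file(s):"
cat "$demo_work/quarantine/quarantine.log"
ls -l "$demo_work/quarantine"
rm -rf "$demo_work"
```

In practice the report would come from the scanner's own command-line run redirected to a file, and the script would be the thing cron (or an on-close hook) calls afterwards. Running the function twice on the same report is safe: files that have already been moved are skipped rather than counted again.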

Now about AVG: AVG fails on 2 and 9 - I managed to get all other aspects, including quarantine and healing to work. (I mention this because the official support forum says this is not possible.) I think there is a way to implement 9 using p3scan (a transparent mail proxy which uses iptables for redirection) but I haven't tested it. I will work on it when I find more time, but it is pretty low on the priority list because all the mail I receive is already scanned by someone else - MIT or Gmail or my home ISP. If you have got p3scan to work, please email me the details / post them as a comment and I will update my post to mention the details and give credit to you for your contribution.

About 2: I would love to use an open source program. I do not consider myself to be a comparable programmer to the clamav guys who are doing a great job, but nevertheless, I am trying to contribute - I am currently studying the clamav source and cvd (signature) files.

I hope this post explains my reasons for the choice of AVG and gains your trust while making it clear that I am not being paid by the AVG guys to advertise. In my next post, I will write about the technical details of configuring the antivirus and in particular, about getting the on-close / on-access scanning feature to work. I will try to be both specific to AVG and also fairly general - thus if you decide to choose a different antivirus, my post may still be useful!
