Harry Bone's "What is malware?"


Two main "modes":

  • Real-time / constantly-active protection (catches every file write or download and scans it).

    Could be disk-only (catches file writes) or also wired into the browser (to prevent access to known-dangerous web sites) and email (to scan attachments).

    Set it to update automatically.

  • User-initiated / manual-scan (user runs a full-disk scan every week or two, or user right-clicks on a suspicious file and selects "scan it").

Two main "sources":
  • Supplied by the OS vendor. Usually the best choice: it is tested with the OS, updated through the same channel, and adds less new attack surface (and less instability) than a separately installed engine.

  • Third-party (a separate app / service you install into the system).

Prevention / detection:


A "keylogger" may do one or more of these:
  • Capture keystrokes as you type them.

  • Capture the contents of your clipboard.

  • Capture screenshots.

  • Capture input from your computer's camera and microphone.

A keylogger may:
  • Log the data into a log file.

  • Email the data to somewhere.

  • Send the data across the internet to somewhere.

There seem to be three types of keylogger:
  • Hardware: some device attached to your computer or keyboard or installed into it.

  • Software: an application and/or service installed on your computer. It may try to hide in various ways: not showing up in the list of installed apps, or choosing a name similar to a standard app or service.

  • Rootkit: software installed into the firmware of your computer, the boot loader of your OS, or the kernel of your OS, so that it runs underneath (and can hide itself from) the user-space scanners above.

Detect or defend against keyloggers:
+/- On Windows, I used AVG (free) and Malwarebytes (free). But I found that AVG and MWB (with RTP) don't stop/report keylogging as tested by AKLT. [And when AVG and MWB got more aggressive about change-to-paid-version pop-up ads, I got rid of them and now just rely on Windows Defender.]
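A quick check on Linux, as an added example that is not part of the original notes: a user-space keylogger that reads the kernel input devices has to hold /dev/input/event* open, and /proc shows who does. Expected holders are the display server (Xorg, Xwayland, or a Wayland compositor), systemd-logind and the occasional game or key-remapping daemon. The script below lists every process holding an input device and filters out an allow list of expected command names. It assumes Linux with procfs and must run as root to see other users' processes; the function names and the default allow list are my own choices.

```shell
#!/bin/sh
# Which processes hold raw input devices open?  A user-space keylogger on
# Linux that reads /dev/input/event* shows up here; expected holders are the
# display server (Xorg, Xwayland, a Wayland compositor), systemd-logind and
# the odd game or key-remapping daemon.  Added example, not from the page.
# Assumes Linux with procfs; run as root, otherwise you only see your own pids.

# input_device_readers: pid<TAB>device<TAB>command line (first 80 chars)
input_device_readers() {
  for fd in /proc/[0-9]*/fd/*; do
    target=$(readlink "$fd" 2>/dev/null) || continue
    case "$target" in /dev/input/*) ;; *) continue ;; esac
    pid=${fd#/proc/}; pid=${pid%%/*}
    cmd=$( { tr '\0' ' ' < "/proc/$pid/cmdline"; } 2>/dev/null | cut -c1-80)
    printf '%s\t%s\t%s\n' "$pid" "$target" "${cmd:-?}"
  done | LC_ALL=C sort -u
}

# expected_reader CMDLINE "name name ...": 0 if the command's basename is in
# the allow list, else 1.  Matching on basename only is deliberately crude:
# a keylogger can call itself Xorg, so treat this as a triage filter and
# follow up on the pid (/proc/PID/exe, parent, owning user).
expected_reader() {
  name=$(basename "${1%% *}")
  for ok in $2; do [ "$name" = "$ok" ] && return 0; done
  return 1
}

# unexpected_input_readers [allowlist]: only the readers not on the allow list.
unexpected_input_readers() {
  allow=${1:-"Xorg Xwayland gnome-shell mutter kwin_wayland kwin_x11 sway weston systemd-logind"}
  tab=$(printf '\t')
  input_device_readers | while IFS="$tab" read -r pid target cmd; do
    expected_reader "$cmd" "$allow" || printf '%s\t%s\t%s\n' "$pid" "$target" "$cmd"
  done
}
```

Two caveats. Under X11 a keylogger does not need /dev/input at all: it can use XRecord or XInput through the X socket, so on an Xorg desktop also look at which processes are connected to the X socket (and at "xinput list"). And a hardware keylogger or a kernel/firmware rootkit is invisible to this kind of check, which is the point of the "rootkit" category above.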


From someone on reddit's /r/Windscribe:
> I've recently signed up for Windscribe VPN (firewall enabled).
> I have an ASUS RT-AC66U router (firewall enabled),
> and on top of that Norton Security with its built-in
> super aggro "smart firewall". All of this seems a bit
> redundant and ridiculous.

Windscribe firewall blocks traffic that tries to go outside of the VPN, including if the server you're connected to goes down. It's different from a program/port firewall that allows or blocks certain traffic completely based on a ruleset.

Your Norton firewall is designed to prevent malicious programs from calling home to download more malware or upload your information.

Your router firewall is designed to prevent open ports from being abused by programs or attackers.

Windscribe firewall is designed to prevent your traffic from going through the normal unencrypted route to your ISP. If the connection drops for some reason nothing will get through because the Windscribe firewall blocked all other ways in or out.

So the three serve different purposes (the router and Norton firewalls overlap a bit but they still do different things).

Gufw (Linux only)
GlassWire (Android)
Snigdha's "Best Firewall Software For Windows"
Kamrul Hasan's "Best Firewall for Windows 10 PC"
Windows Defender Firewall is not necessarily disabled when you install another firewall; check Windows Security > Firewall & network protection to see which product is actually in control of each network profile.
NetLimiter (Windows)
simplewall (Windows)
Evorim Firewall (Windows): per-app controls.
Portmaster (Windows, Linux): per-app controls.

'Normal' apps or services

Many legitimate standard apps or services, if set incorrectly, or set maliciously without your consent, could be used to spy on you or track you.

For example, Google Maps on your phone will let you share your location with other people, maybe with your spouse or children. That's fine if you consent to that and know you're doing that. It's bad if you're having issues with your spouse and they turn that on without your consent.

Various browsers and operating systems can be set to collect data about your behavior and report it to the manufacturer (usually called "telemetry"). Maybe the data is anonymized. Maybe it is limited to just crash reports. Or maybe it includes what sites you visit and what searches you do, even local searching of the hard disk. Check those settings. [Windows 10 in particular has an astonishing amount of this (article1), but you can turn most of it off, I think: article2. Or change OS to Windows 10 Ameliorated]

But see Chris Hoffman's "Stop Criticizing Apps for 'Phoning Home'. Instead, Ask Why"

Suppose you install a remote-access application, or open an incoming VPN connection, so that you can access your home computer from work if you need to. But accidentally you allow anyone on the internet to access it, or someone in your house turns on access for themselves without your consent.

A "sync" feature that automatically copies data among your devices multiplies the places your data could be stolen: every synced device is another place the data can be read, and the least-secure one sets the level of protection. For example: "... Apple's universal clipboard functionality, which means that anything I copy on my Mac or iPad can be read by my iPhone, and vice versa. So, if TikTok is active on your phone while you work, the app can basically read anything and everything you copy on another device: passwords, work documents, sensitive emails, financial information. Anything." from Zak Doffman article.
Ctrl blog's "Your clipboard is only as secure as your device"
Mozilla Security Blog's "Preventing secrets from leaking through Clipboard"

I don't think any of the anti-virus scanners will report such settings to you as "potentially unwanted".


For every product, you can find detractors. It slows down the system, increases the attack surface, runs at too high a privilege level, has a history of exploits, gives too many false positives, etc. Most of the criticisms apply to the real-time mode more than to manual scans.

Some say AV is not needed on Linux:
Some people say there is no risk of malware on Linux, but this is less true every year. Now that most of the world's web servers and most IoT devices run some form of Unix/Linux, attacks and malware targeting them are increasingly common. Home users spend most of their time in a browser, so browser and browser add-on exploits are a big risk. Attack surfaces such as the code/macro engines inside "smart" documents (MS Office and PDF) or inside email clients are similar on Linux to those on any other OS. Java, JavaScript, Python, Electron, Docker, etc.: everything is trying to become cross-platform. The bug a browser exploit uses is usually the same on every OS; only the payload it drops afterwards has to be OS-specific.

From someone on reddit 3/2019:
Cybersecurity blue team here, in the wild we probably see more Linux payloads than we do Windows due to the high number of servers that run enterprise Linux. That being said, botnet attacks and scripted exploits normally drop and try to execute both Windows and Linux versions of the same payload which is super scary to see. Linux doesn't protect you from viruses at all. In fact, thinking you're more secure just for running Linux is deluded, new privilege escalations are released almost daily. If you stay on top of it, you could own someone's laptop pretty trivially with some help from exploit-db.

From /u/longm0de on reddit 2/2020:
I have an experimental Win10 laptop that I keep up to date with Defender disabled through WinRE with no other anti-malware, and I haven't had a single malware enter my system in years, I've even purposefully downloaded malware. I've even run it knowing its limitations by limiting it to a single user and without administrator privileges without my system ever being screwed. Linux users will claim similar things such as not having malware ever since switching over. The commonality here? Both of our points are anecdotal as there is always the right tool for a job, and anti-malware software works great for protecting users.


Linux is multi-user so it is more secure? Windows is multi-user as well. Win 1.x, 2.x, 3.x, 95/98/ME are from a different lineage of Windows. Windows NT was launched in 1993 and used the kernel which Windows still uses (of course, upgraded) today, which is rooted in OpenVMS and inherits a lot of the stability, robustness, multi-user features, and security that it had. It's not built from DOS in any way, shape or form. Windows is a secure multi-user operating system. Many "consumer friendly" distributions such as Ubuntu give you access to read/write to other user directories without root access. This will NEVER happen by default on "Windoze".

Easy Linux tips project's "Security in Linux Mint: an explanation and some tips" strongly advises NOT installing anti-virus software, and gives reasons.

Also see:
Catalin Cimpanu's "ESET discovers 21 new Linux malware families"
Paolo Rovelli's "Don't believe these four myths about Linux security"
Luke Rawlins' "Does Linux Need Antivirus?"
Wikipedia's "Linux malware"

Moe Long's "The 7 Best Free Linux Anti-Virus Programs"
Tecmint's "The 8 Best Free Anti-Virus Programs for Linux"

File Integrity Checkers:
Scan system files and report any changes, which might be due to malware.

  • AIDE:
    Takes a snapshot of your files and directories at a supposedly "good" state and then checks for any later changes.

    Software Manager lists a "static" version and a "dynamic" version. No explanation of the difference. I installed the "dynamic" version. Nothing happened, no app called "aide" visible anywhere. Thought of installing the "static" version, and it says it will uninstall the "dynamic" version. Finally found it under "man aide".

    Did "sudo aide --init", got "Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/ for writing". "sudo aide --config-check" gives nothing. "aide --version" says 'CONFIG_FILE = "/dev/null"'.

    Read some threads online, tried "sudo apt install aide aide-common". It said it's removing aide-dynamic. Was asked to select email type; chose "no configuration". Then it configured a LOT of stuff. Ended and I'm not sure what to do. Tried "aide --check" and "aide --init", got same error message as before.

    Tried "sudo aide.wrapper --init" per a thread, got various configuration-file errors.

    Also saw in a thread "The explanation can be found in /usr/share/doc/aide-common/README.Debian.gz" which seems unpromising. Looked in there, it says aide is intended to be run as a daily cron job, so if you run from CLI you have to supply your own config file, it wants to send email to root, etc. Gave up on it at this point. Did "sudo apt remove aide-common aide" to get rid of it.

  • Open Source Tripwire:
    Michael Kwaku Aboagye's "Securing the Linux filesystem with Tripwire"
    Takes a snapshot of your files and directories at a supposedly "good" state and then checks for any later changes.

    Installed it through Software Manager. Let it create passphrases etc. Ran "sudo tripwire --init --verbose", and it asks for my "local passphrase", which I don't know. Eventually hit on "nothing" (Enter), and that worked. It started checking lots of files, but ended up in the "/proc" territory and died with "Software interrupt forced exit: Segmentation Fault [1] 6004 segmentation fault". Went into Software Manager and removed it.

  • Samhain:
    Takes a snapshot of your files and directories at a supposedly "good" state and then checks for any later changes. Also log file monitoring and analysis, rootkit detection, port monitoring, more.

    Installed it through Software Manager. But installation failed with
    "Job for samhain.service failed because a timeout was exceeded.
    See "sudo systemctl status samhain.service --full --lines 1000" and "journalctl -xe" for details.
    invoke-rc.d: initscript samhain, action "start" failed."

    Then tried "sudo apt samhain" and that threw an error.
    Did "sudo samhain -t update" and that threw errors.

    But then my disk was pegged, 100% usage, and stayed that way for 2+ hours, with no sign of stopping. Rebooted, it continued. Uninstalled samhain, and it stopped.

  • Incron:

  • Monit:

  • Afick:

  • debsums:
    Checks the MD5 sums of installed package files against the md5sums list that each .deb ships (kept under /var/lib/dpkg/info/), not against the repository. So it catches files changed after installation, but not a package that was already tampered with when it was installed, and MD5 here is an accident-detection check rather than a defense against a deliberately crafted collision.
    sudo apt install debsums
    sudo debsums -ac
    (-a also checks configuration files, which are skipped by default; -c lists only the changed files.)

  • SysConfCollect (SCC):
    Checks for changes in files and config settings and much more.

    System Configuration Collector
    SCC Home

    Linux desktop README and modules I created: BillDietrich / SCC-Additions-for-Desktop-Linux

    Later updated SCC by downloading a .src.tar.gz from Extract files from it, cd into it, read the README, do "sudo ./scc-install"

    Added to .profile:
    export MANPATH="/opt/scc/man:$MANPATH"

  • fs-verity:
    A kernel feature (in mainline since Linux 5.4) that stores a Merkle tree over a file's contents and has the kernel verify every read against it, so a modified file fails to read instead of merely being reported later. The Fedora change below is about enabling it for files installed by RPM; when (or whether) a given distro ships that is a separate question.
    Fedora Wiki's "Changes/FsVerityRPM"

  • Snapper and filesystem snapshots:
    Use Snapper to compare two snapshots in a filesystem such as Btrfs.
    openSUSE: Snapper Tutorial
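Since the AIDE, Tripwire and Samhain attempts above all stalled on configuration, here is the core of what every one of them (and debsums) does, as an added example in POSIX shell that is not any of those projects' own code: take a baseline of hash plus metadata for every regular file under a tree, then diff a fresh snapshot against it and report what was added, modified or removed. It assumes GNU coreutils (find, sort, sha256sum, stat, awk) and file names without newlines; the function names fim_snapshot, fim_init and fim_check are my own.

```shell
#!/bin/sh
# Minimal file-integrity checker in the style of AIDE/Tripwire (added example,
# not their code).  Assumes GNU coreutils (find, sort, sha256sum, stat, awk)
# and file names without newlines.  fim_snapshot/fim_init/fim_check are
# hypothetical names chosen for this example.

# fim_snapshot DIR: one line per regular file, sorted by path:
#   path<TAB>sha256:mode:uid:gid:size
fim_snapshot() {
  LC_ALL=C find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
    h=$(sha256sum "$f" | cut -d' ' -f1)
    meta=$(stat -c '%a:%u:%g:%s' "$f") || meta='?'
    printf '%s\t%s:%s\n' "$f" "$h" "$meta"
  done
}

# fim_init DIR DBFILE: record the trusted baseline.  Do this from a known-good
# state and keep DBFILE where the monitored system cannot rewrite it (read-only
# media, another host); a baseline the attacker can regenerate proves nothing.
fim_init() { fim_snapshot "$1" > "$2"; }

# fim_check DIR DBFILE: print ADDED / MODIFIED / REMOVED lines, sorted;
# exit 0 when the tree matches the baseline, 1 when anything differs.
fim_check() {
  cur=$(mktemp) || return 2
  fim_snapshot "$1" > "$cur"
  report=$(awk -F'\t' '
    FILENAME == ARGV[1] { base[$1] = $2; next }          # baseline lines
    !($1 in base)       { print "ADDED\t" $1; next }      # only in current
    base[$1] != $2      { print "MODIFIED\t" $1 }         # hash/metadata differ
                        { seen[$1] = 1 }
    END { for (p in base) if (!(p in seen)) print "REMOVED\t" p }
  ' "$2" "$cur" | LC_ALL=C sort)
  rm -f "$cur"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Usage: fim_init /etc /media/ro/etc.db   ...later...   fim_check /etc /media/ro/etc.db
```

Two practical points the real tools share. Run the check from a trusted environment (a live USB, or another host that mounts the disk) when you suspect a rootkit, because a kernel-level rootkit can feed the checker the original file contents while serving modified ones to everyone else. And expect noise: package upgrades legitimately change files, so re-baseline right after an update, which is exactly why AIDE wants to run from a daily cron job and mail the diff to root.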

Testing your Anti-Virus

Michael Allen's "How to make sure your antivirus is working without any malware" (Windows)
EICAR Standard Anti-Virus Test File
Fortinet's "Test Your Metal" (browser fetches bad files from server, see if firewall or AV etc stops it)
Atomic Red Team

Web site that does various tests: AMTSO Security Features Check Tools
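The EICAR file is the safe way to check that real-time protection is actually scanning writes. As an added example (not from the page or from EICAR), the script below assembles the 68-byte test string from two halves at run time, so the script's own text is not a contiguous signature, writes it, and verifies the result against the published SHA-256 before drawing any conclusion from the scanner's silence. It assumes coreutils (printf, wc, sha256sum); the function names are mine.

```shell
#!/bin/sh
# EICAR on-write test (added example, not from the page).  The 68-byte EICAR
# string is assembled at run time from two halves so this script's own text
# is not a contiguous signature; the file it writes is exactly the canonical
# test file, which every mainstream scanner detects.  Assumes coreutils.
eicar_write() {
  p1='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD'   # single quotes: no expansion
  p2='-ANTIVIRUS-TEST-FILE!$H+H*'
  printf '%s%s' "$p1" "$p2" > "$1"                  # no trailing newline
}

# Published SHA-256 of the canonical 68-byte file.  Verifying it tells you the
# bytes on disk are the real test string, so a scanner that stays quiet is not
# scanning this path (or has it excluded), rather than you having a typo.
EICAR_SHA256=275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f
eicar_verify() {
  [ "$(wc -c < "$1" | tr -d ' ')" -eq 68 ] || return 1
  [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$EICAR_SHA256" ]
}

# eicar_rtp_test [path] [seconds]: write the file, give real-time protection a
# moment, then report what happened.  0 = caught, 1 = still there and intact.
eicar_rtp_test() {
  f=${1:-./eicar.com}; eicar_write "$f"; sleep "${2:-3}"
  if [ ! -e "$f" ]; then echo "removed: real-time protection acted"; return 0; fi
  if eicar_verify "$f"; then echo "intact: not caught (no RTP, or path excluded)"; return 1; fi
  echo "present but altered: probably quarantined/neutralised"; return 0
}
```

Write it into a directory the scanner is supposed to cover (the Downloads folder, not /tmp, which some products exclude), and try it inside a zip as well, since archive scanning is a separate setting on many products. A pass only shows that signature matching on write works; it says nothing about behavioural detection.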

Where to get virus samples, to check your AV ?
greg5678 / Malware-Samples (Linux only)
Packet Storm's "Unix rootkits" (have to compile some from source)

Run a test program that does keylogging and see if your software detects/stops it:
Mike Williams' "How to test anti-keylogger software"
SpyShelter's "Security Test Tool"

Install a real keylogger and see if your software detects it:
Spyrix Free Keylogger
Revealer Keylogger Free
lkl, uberkey, THC-vlogger, PyKeylogger, logkeys.

Malware Removal


Aurelian Neagu's "10 Warning Signs That Your Computer is Malware Infected"

Humor: CyberWire's "The Malware Mash" (video)