Roundup
Every month we compare tons of software so you don’t have to!

ClamAV 0.95.3 ClamTk 4.21 KlamAV 0.46

Antivirus software
Hoping to stay healthy, Nick Veitch gets forensic on the available programs.

How we tested...

Although we advocate reading all the documentation and taking care with config files, for this test we’ve done as little tuning of the software as possible – the defaults should be good enough to keep a computer safe. We employed the virus test suite, as developed by EICAR (www.eicar.org/anti_virus_test_file.htm), the European security organisation. There’s nothing tricky here; effectively it’s just a pseudo-viral text string that should be easy for all the scanners to pick up. It’s provided in several formats, including plain text and Zip files. To complicate things further we included a few large RAW photos, plus the virus test files encoded in a tarball and hidden within an ISO image.
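An added example, not part of the original article or of any product reviewed here: the Python below rebuilds a corpus like the one described (plain file, Zip, tarball with a nested Zip, clean filler) and compares a scanner that inspects only the outer file with one that unpacks archives, showing how a container is reported clean when it is not unpacked. The function names and the size and depth limits are assumptions, the match rule follows EICAR's definition of the test file, and ISO images are left out because Python's standard library has no ISO reader.

```python
import io
import tarfile
import zipfile

# 68-byte EICAR test string, joined from two parts so that this source file
# is not itself quarantined by an on-access scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$" + b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_MEMBER = 1 << 20   # assumed cap on unpacked member size (archive-bomb guard)
MAX_DEPTH = 4          # assumed cap on archive nesting


def is_eicar(data):
    """True if data is the test file: it starts with the string and is
    followed only by whitespace, at most 128 bytes in total."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return data[len(EICAR):].strip(b" \t\r\n\x1a") == b""


def members(data):
    """Yield (name, bytes) for each regular file in a tar(.gz/.bz2/.xz) or Zip."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
            for m in tf:
                if m.isfile() and m.size <= MAX_MEMBER:
                    yield m.name, tf.extractfile(m).read()
        return
    except (tarfile.TarError, OSError, EOFError):
        pass   # not a tarball; try Zip next
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir() and info.file_size <= MAX_MEMBER:
                    yield info.filename, zf.read(info)


def scan(name, data, unpack=True, depth=0):
    """Return the paths ('outer!inner') at which the test file was found."""
    hits = [name] if is_eicar(data) else []
    if unpack and depth < MAX_DEPTH:
        for inner, payload in members(data):
            hits += scan(f"{name}!{inner}", payload, unpack, depth + 1)
    return hits


def build_corpus():
    """Constructed samples: plain file, Zip, tarball with a nested Zip, filler."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)
    zipped = zbuf.getvalue()
    tbuf = io.BytesIO()
    with tarfile.open(fileobj=tbuf, mode="w:gz") as tf:
        for name, payload in (("eicar.com", EICAR), ("inner/eicar.zip", zipped)):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return {"eicar.com": EICAR, "eicar.zip": zipped,
            "samples.tar.gz": tbuf.getvalue(), "photo.raw": b"\x00" * 4096}


def run(unpack):
    """Scan every sample; map sample name -> list of hit paths."""
    return {n: scan(n, d, unpack) for n, d in build_corpus().items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("unpack archives:", mode, run(mode))
```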

Our selection
AVG Free p31
Antivir Pro p31
ClamAV p32
Sophos p32
ClamTk p33
Avast p33
BitDefender p34

Pretty much every user thinks they’re immune to viruses, but they’re wrong. Just recently, malware was found hidden inside an innocuous-looking Gnome theme from a reputable site. Users who installed the theme also got several scripts installed as root that were designed to attack internet targets, but it could easily have been much worse. You see, the problem with thinking that Linux is immune is that sooner or later, something like this happens, and you’ll have no protection. Yes, 99% of the time you won’t need it. Maybe even 99.9% of the time. But if a virus checker saves you just once a year, we think that’s a good enough reason to install one.

Of course, there are other good reasons, not least that you don’t want to be blamed in the flame-fest that would result if you accidentally forwarded a virus to your Windows-loving friends. For seconds, even if the virus doesn’t affect you, wouldn’t you at least like to know that it had somehow made its way on to your precious Linux box?

“You don’t want to be blamed for forwarding a virus to your friends.”

For the most part, we expect virus checkers to run without us noticing that they’re there, to consume no resources and just get on with things. Extra points are awarded to software that comes close to this ideal, while they’re deducted for difficult installs, weak documentation and poor performance.

Many of the clients on test make use of Dazuko, which is a kernel module designed to give on-access notifications to userland software – so when you open a file, the module passes the details to any service that wants to know. Some of the checkers rely on an old version of Dazuko; we’ve made a note of these in the review text.

30 LXF128 February 2010 www.linuxformat.com

LXF128.round 30 14/12/09 11:48:17 am

AVG Free
Long-established virus scanning provided free for Linux.

Products bearing the AVG name have a reasonable history in antivirus software, stretching back to 1992. Linux/Unix systems were only added to the lineup in version 7.5 and now lag behind the Windows version (at 9.0), having only had a few updates. Installing the free client is pretty straightforward, no matter what system you’re using, because there are packages freely available in RPM, and tarball formats. Installing the tarball might be a slight pain, but as it’s binary, there’s no need to worry about compiling this, that and the other.

Unlike many of the apps here, there’s no GUI for this software. It’s designed to be run as a system daemon to scan your files on schedule or on demand. There’s an option for on-demand checking with the Dazuko kernel module. Starting the daemon is easy if you have some sysadmin skills, and it can be configured to run at boot.

In terms of speed, AVG Free did pretty well, but perhaps at the expense of being thorough. Surprisingly, the software failed to find the zipped versions of the virus test file. Since the test file has been around for years, this is pretty inexcusable – it shouldn’t be at all hard to find. The only reasonable explanation is that perhaps the software is misconfigured. As part of our tests, we do the minimum amount of configuration to get the program to run. In a production environment, you might want to investigate the docs and the various settings, but even if you did, AVG Free’s documentation is scantier than a minuscule bikini.

Because of the difficulty in making sure the system is configured and working, as well as the poor results in finding viruses, this wouldn’t be one we could recommend for desktop use.

“In terms of speed, AVG did well, at the expense of being thorough.”

Caption: AVG Free isn’t well-documented or easy to set up, but it works, some of the time.

Verdict
AVG Free
Version: 8.5
Website: http://free.avg.com
Price: Free
It performs so poorly and comes with such minimal documentation that it’s not worth it, even if it is free.
Rating 2/10

Avira Antivir Professional
Command line scanner with a really low overhead.

Avira Antivir, if you can get past the avoidably ugly name, lives in the shady realms of the command line, though it needs no real knowledge of Bash to install or use. Download the archive and run the install script within to set everything up. There follows a series of questions about which options are to be installed, whether to use the scan-on-access service (which requires Dazuko) and where you’ve put your keyfile. The latter was the only hitch on installing. For reasons still unclear, the website provided us with a trial key, but it didn’t work. If you have the same problem, pretend you live in the USA…

Once we had it installed, we noticed the presence of a configuration file and daemons automatically being installed to run the software on startup. Running the test scan was surprising – the software seemed to be instantaneous, and barely took up any memory or CPU cycles at all. It would have been easy to believe that nothing had happened, but the scanner identified all of our infected files and offered to quarantine them.

The default settings seem good enough and the virus database is kept well up to date, so you needn’t fear that you need to be extra vigilant in the configuration. It works impressively quickly – it’s just a shame that the on-access scanning isn’t available for modern kernels.

Avira does have free versions of its other antivirus software, but all the Linux versions come under the Professional department, so there’s no dispensation if you’re a non-business user. That said, the licensing structure doesn’t make it expensive: £25 for a year-long single-user licence.

“The website provided us with a trial key, but it didn’t work.”

Caption: It’s impressive in speed and low resource use, but not really in the results stakes.

Verdict
Avira Antivir Professional
Version: 3.0.5
Website: www.avira.com
Price: £25
Pretty average all-round, and not worth paying for when there are better alternatives out there.
Rating 5/10


ClamAV
Flying the flag for open source antivirus software.

ClamAV was originally developed as a mail scanner, and there are plenty of configuration options and tools for integrating it into your local mailserver. For the same reason, it also supports a lot of archive formats that are commonly used for email attachments, though some of these may have been disabled if you installed ClamAV through a distro package.

It isn’t complicated to compile, since the source is well documented, doesn’t have a great deal of demands in terms of third-party libraries and gives you the opportunity to ensure the options you want are installed.

Once installed, ClamAV consists of two main parts. Clamscan is the command line tool to scan whatever you point it at. As with most commands, there’s a host of switches to control behaviour and, among other things, this accounts for its versatility.

The second part to ClamAV is clamd, the daemon process that runs in the background and can be configured to scan at regular intervals or watch certain places. Like some of the other software included here, it can be configured to offer on-access scanning (including, thanks to it being open source, support for the latest version of Dazuko) and there’s useful guidance on how to enable this on the ClamAV site.

The major disappointment with ClamAV was its failure to scan the ISO image file properly. This was a bit confusing, because the software did once support ISO file scanning, though a search through the documentation now reveals no clues. As we had a testing policy of using defaults, it would have been unfair on the other software to mess around too much. Suffice to say, there didn’t seem to be a simple way of getting this to work.

“The disappointment was its failure to scan the ISO image file.”

Caption: Compiling ClamAV yourself enables you to get the features you want.

Verdict
ClamAV
Version: 0.95.3
Website: www.clamav.net
Price: Free
This gets great kudos for being open source, but loses points for failing the ISO test.
Rating 8/10

Sophos Anti-Virus
The antivirus heavyweights continue to support Linux – but is it worth it?

UK-based Sophos has come to be a recognisable name in the world of business-oriented antivirus software. Earlier versions of Sophos have appeared in the pages of LXF and fared well, so it’s good to see that Sophos continues to support Linux.

This software is commercial and there are no freebies for desktop users, but there’s a trial version available. Although the install script gamely suggests that it’s trying to build the on-access support for the kernel, it’s sadly trying to build an old 2.x module for Dazuko. It’s hard in many respects for the developers – they want to support the business and server distros, so they’ve opted for 2.x support. Unfortunately, 2.x won’t work with the latest kernels, so eventually the software is going to need to support 3.x.

Sophos has an interesting collection of interfaces. Your scanning can be viewed and manipulated remotely over the web. As well as its own server interface for a simple lookup via HTTP, there’s also a Webmin module for Sophos. Webmin is a web-based sysadmin tool, which for many years was a popular way of running remote machines and servers, so this adds some weight to Sophos’s claim of being an integrated and manageable solution.

Running scans from the shell is no problem and a shell client lends itself to being scriptable and run via a Cron job at an appropriate time of day.

Although not the fastest on test, it wasn’t that slow or cumbersome either. Sadly, for something that seemed so large, Sophos also failed the virus test, with the usual flaw of not checking inside the ISO files – which is odd, because the scan took long enough.

“A shell client lends itself to being scriptable and run via a Cron job.”

Caption: The Sophos client software is accessible via the command line only.

Verdict
Sophos Anti-Virus
Version: 4.47
Website: www.sophos.com
Price: £67
Corporate scanning, but it isn’t as comprehensive as you might hope and again failed the ISO test.
Rating 4/10


ClamTk
The one with GTK and .

ClamTk is almost the default front-end to clamscan, in that even distros that prefer KDE to Gnome often install it, so it must have something going for it.

When it runs, this tool will check for the current version of itself, the ClamAV back-end and virus signature files, displaying the results in an easily-understood status table. Buttons along the top give quick access to the scanning functions, while various options can be turned on and off via the switches below. You may prefer to use the menu for some operations, but there isn’t a lot that can go wrong with this simple client.

One feature worth noting is the searchable history log, which tracks any previous naughtiness and what files were involved, though it lacks some of the useful features of other front-ends such as KlamAV.

As the most popular front-end to ClamAV, you’ll find up-to-date packages in almost every distro repository that carries ClamAV, though there’s a quick note for Fedora users: for some reason the package currently showing for Fedora 12 is old and doesn’t actually work, but you can get an RPM built by the developer at the ClamTk website. If you want to build it from source, you’ll need little other than up-to-date Perl libraries and the standard GTK stuff.

A new feature is an option to restore files you might inadvertently have quarantined, but later want to let out again. It’s hard to imagine this was top of the ‘must have’ list for users, but on the other hand, this small and simple GUI client isn’t missing much at all.

Obviously, with either of the graphical clients running on top of ClamAV, the resource usage rises a little, but as ClamTk makes use of standard GTK libraries, it isn’t really going to add much to the bill. There’s a minimal amount of extra memory consumed and the difference in speed wasn’t measurable, so Perl and GTK was obviously a good decision.

Caption: ClamTk has a simple interface that enables straightforward virus scanning.

Verdict
ClamTk
Version: 4.2
Website: http://clamtk.sourceforge.net
Price: Free
Simple GTK interface makes scanning straightforward and easy, despite the lack of frills.
Rating 8/10

Avast
Harrrr! Splice the mainbrace and stand by to repel boarders, me hearties!

This nautically-themed gem may not be top of your list when you think about antivirus software, but the developer – Czech-based Alwil – has been creating antivirus tools since 1991, so there’s a pedigree here. This version mirrors Alwil’s Windows software in terms of features, and is available free of charge for personal use.

Downloads come from the website as RPM, Deb or binary archives for the Linux version and all are pretty easy to install. As you might expect with commercially-oriented software, there are few dependencies, but the GUI does make use of the GTK libraries, and the resulting app looks rather Gnome-like and not at all dissimilar to ClamTk.

Scanning manually using the graphical interface, you’ll see a few extra buttons. Select the Thorough option – if you’re not being thorough, you may as well not bother. Engaging this mode does pretty much double the time it takes to perform a test, but it pays dividends: Avast managed to find all of our hidden fake-viruses, even though it had to search through a Zip file embedded in an ISO image to complete the set. A curious follow-on to the Jolly-Jack-tar theme they have going on is that quarantined viruses are stored in what they call a chest, which is all very amusing once you get the hang of what’s going on. Handily, you can also keep a list of commonly scanned locations for quick checking.

The command line tool is simple to use. Run it with no options to see the switches available. Unusually, this has fine control of the archive formats supported (like ClamAV) so if you want to do some very specific scanning, this may be the one to pick.

“Handily, you can keep a list of commonly scanned locations.”

Caption: We’ve caught something! Even though we did put it in there in the first place.

Verdict
Avast
Version: 1.3
Website: www.avast.com
Price: Free
A definite winner on talk-like-a-pirate day, and actually, it’s pretty good the rest of the time too.
Rating 9/10


BitDefender
Glitzy and glamorous, and it delivers the goods.

BitDefender is a reputable security company, and this antivirus solution sits within a giant cluster of antivirus software for different platforms. This version is provided free of charge for personal desktop users. You have to register first and get a trial key, which can then be turned into a proper keyfile if you’re accepted. The real keyfile will last for about six months, at which point you can simply sign up and get another one.

Running the GUI is a slight surprise. It’s built using custom widgets, so although it’s essentially leveraging GTK, there is nothing very Gnome, KDE or even Linux-like about it. That said, it’s easy to navigate and use. The initial run will download the latest definitions and check the software is up to date before you start scanning.

BitDefender gained top marks in the scanning test by finding all the suspect files (and correctly identifying them as the same ‘threat’, for a super-bonus gold star). Naughty files can be processed in a number of ways, including quarantining them or attempting to remove them, and you’ll be reminded and warned about existing threats on your machine if you choose to take no action initially.

The settings screen is easy to follow, thanks to the proliferation of tooltips on every button and text-entry point, and they are also pretty concise. For example, the archive setting is just a simple toggle switch.

Thorough check

This might not give the fine-grain control that some people hanker after, but it seems like a sensible compromise – if you want to search through archives, you want to search through them all, not just ones of a specific type. The software warns that this will increase the resource overhead during scans, but neither the CPU cycles grabbed nor the memory allocated seemed to be excessive compared with other software in the test. In fact, it put in the fastest performance of the scanners that found all the suspect files. BitDefender’s memory usage was higher than the other programs on test here, but that can partly be explained by the fact that it actually tested the files within the test ISO image, which some didn’t.

There’s a command line tool available for those who want to specify every available option, which also means that BitDefender can be scripted for other uses, such as checking mail or network shares if needed. It doesn’t give quite as much control as, for example, ClamAV, when it comes to types of archive to include or patterns of files to avoid, but is manageable enough, and you could embed it in a more complicated script if your needs so demand.

BitDefender also includes an optional drop box for quick, one-off scans, which is a thoughtful addition, if somewhat un-Linuxy in execution – there’s something strange about dropping files on to the red shredded logo device that floats in the corner of the screen, but it does work on Gnome and KDE desktops. About the only negative point to be found is that the GUI interface is perhaps a bit large and overdramatic. It takes up a considerable amount of screen real estate for what’s essentially a one-click operation, which may be annoying if you use it regularly. The drop box may solve this in part, but perhaps a system tray widget would be better. Overall though, this put in an impressive and speedy performance that would be hard to beat.

“Running the GUI is a slight surprise: it’s built using custom widgets.”

Caption: A helpful tip of the day pops up over the UI’s gigantic buttons.

Caption: BitDefender asks you what you’d like to do with files on your system that are potentially harmful.

Verdict
BitDefender
Version: 2.1
Website: www.bitdefender.com
Price: Free
A great all-round performer. It’s fast and easy to use, although the interface is a little bit in-your-face.
Rating 9/10


Antivirus software

The verdict
BitDefender 9/10

Choosing an antivirus system to suit you depends on a number of factors, not least how much of a risk viruses are to you. If you’re simply running a Linux desktop for personal use, there probably isn’t an urgent need for you to spend time, money and the overhead of clock-cycles to check every file that comes near your system rigorously. If you use your Linux box to share files with Windows machines, then there’s a bit more of a point. Also, as we’ve seen, sometimes it’s better to use a command line tool, for example if you wish to build scripts or execute periodic checks through the Cron system.

We were impressed with the abilities of most of the packages included in the Roundup, but surprised that some of the commercial versions seemed less effective at finding viruses. The AVG software fared particularly badly at this.

ClamAV will always be a favourite for Linux users because of its open source nature, choice of GTK or KDE GUIs and the way that it’s kept up to date regularly. As the software development is supported by (the company behind Snort and various intrusion detection systems) it can’t be said to be just another temporary project that’ll be here today and gone tomorrow. The ClamAV software is also popular running on the Windows platform too.

And the winner is…

Ultimately, BitDefender had the performance and accuracy needed to win. It wasn’t the fastest on test, but neither was it the slowest. Changing the options makes a big difference to the performance, but we’re of the opinion that if you want to run antivirus software, you should run it at the most paranoid level available. BitDefender competently found all the virus files, identified them and suggested appropriate action, so it’s difficult to see what more it could do. It was simple to use and the updates to the virus database seem to be regular. The command line app is configurable and versatile too, so you can easily set up regular scans.

For those who baulk at the idea of running a virus scanner that takes up most of the screen, there’s Avast. This software is a relative newcomer to the Linux scene, but performed as well as BitDefender in finding viruses. The interface was also simple to use and the command line tool is just as useful.

For die-hard fans, ClamAV is definitely good enough, but be careful how you configure it, or what you use it to check for. As long as you’re aware of what files it’s scanning and which ones might need further investigation, you should be safe.

We should close by saying that the number of Linux viruses that could possibly damage your system in any way is currently less than 10, so don’t have any nightmares. LXF

“Ultimately, BitDefender had the performance and accuracy to win.”

Caption: BitDefender provides reliable security and is easy to use.

Over to you
Do you think ClamAV should have won simply because it’s open source? How concerned are you about viruses? Have you ever unwittingly transferred a Windows virus on to someone else? We’d love to hear from you – email your opinion of the Roundup to [email protected]

Table of features

Name | Web | Version | Licence | Price | Trial version? | Toolkit | Memory usage | Disk usage | On access | Time to test | Test results
AVG Free | free.avg.com/us-en/download?prd=afl | 8.5 | Commercial | Free | n/a | Shell | 95MB | 75MB | via plugin | 5.4s | 2
Avira Antivir Professional | www.avira.com | 3.0.5 | Commercial | £25 | Yes | Shell | 6MB | 54MB | Dazuko 2 | 1s | 4
Avast! | www.avast.com | 1.3.0 | Commercial | Free | n/a | GTK | 82MB | 32MB | No | 54s | 6
BitDefender | www.bitdefender.com | 7.6.4 | Commercial | Free | n/a | wxWidgets | 140MB | 75MB | No | 16s | 6
ClamAV | www.clamav.net | 0.95.3 | GPL | Free | n/a | Shell | 25MB | 28MB | Dazuko 2/3 | 11s | 4
ClamTk | clamtk.sourceforge.net | 4.2 | GPL | Free | n/a | GTK | 27MB | 29MB | No | 12s | 4
Sophos | www.sophos.com | 4.47 | Commercial | £67 | Yes | Web | 74MB | 311MB | Dazuko 2 | 36s | 4
