Top Linux antivirus software

Malware attacks on Linux systems are on the rise. These free and low-cost tools provide good endpoint protection.

The last several years have seen a startling increase in malware that targets Linux. Some estimates suggest that Linux malware accounts for more than a third of known attacks. In 2019, for example, newly reported threats affecting Linux included the Silex worm, malware written in Go, the HiddenWasp Trojan, the EvilGnome spyware and Lilocked ransomware, along with the ZombieLoad side-channel attack, which is a CPU flaw that affects every operating system running on the affected Intel processors rather than Linux specifically. The volume and severity of attacks against Linux are clearly on the rise.

While Linux has some advantages when it comes to security, the Linux kernel is certainly not devoid of security vulnerabilities nor is it immune to attack. The worst thing you can do is to sit back and assume that Linux systems are safe simply because a larger number of desktops are running Windows.

Tools are available to defend Linux systems from many types of attack, and quite a few of these are free and open source. These are some of the best tools that you can get for free or at modest cost.

Security tool categories

You’ve all heard that the best tool for the job depends on the job. Security software fills a number of roles – detecting and removing malware, identifying system vulnerabilities, warding off attacks, etc.

The major types of system security tools provide:

  • Anti-virus and anti-malware protection
  • Rootkit detection and removal
  • Vulnerability scanning

Of course, none of these tools obviates the need for competent system management, including proper firewall configuration and user privilege management. This list also does not include tools that are built to monitor network traffic (e.g., those used for network management and intrusion detection).

For each tool below, the factors considered include price (many are free), whether the tool is open source, how well it performs and how actively it is maintained, and whether it fills a single role or provides several services to protect your systems.

Anti-virus and anti-malware

Anti-virus software is designed to detect and remove viruses -- software that is installed without a user’s knowledge and often built to steal information. The name “virus” refers to the way the software replicates itself. It operates by inserting itself into legitimate programs.

Anti-malware is, in practice, the same thing as anti-virus. While "malware" originally referred to a wider range of threats than viruses, including Trojans, spyware, worms, adware and ransomware, most anti-virus tools have evolved into products that guard against all of these, so the two labels now describe the same category of software.

Some of the top tools in this category include:

  • ClamAV – free, open source
  • Sophos -- free
  • Comodo – free (version)
  • Kaspersky – affordable

ClamAV

ClamAV is one of the best and most widely used antivirus tools for Linux. It is both free and open source. It detects Trojans, viruses, malware and other malicious threats. It works on the command line, though a graphical interface (ClamTK) is also available. ClamAV is also cross-platform: it runs on Windows, macOS, BSD and Solaris as well as Linux.

ClamAV relies on virus signatures, and its signature database is updated many times each week; a companion tool called freshclam keeps the local copy up to date. ClamAV can scan zipped and archived files as well as regular files.

The ClamAV tool for scanning from the Linux command line is called clamscan and can be run recursively with a command like clamscan -r <dir>. The --remove option deletes infected files automatically and --move=<dir> moves them to another directory for later analysis; moving is the safer default, since a false positive on a system binary can otherwise leave you repairing the host. Note that clamscan is an on-demand scanner; on-access scanning requires the clamd daemon. Use clamscan --help to find out more about the many options for using the tool.
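
The following wrapper is an added example, not code from the ClamAV project: it runs clamscan recursively, quarantines matches with --move instead of deleting them, keeps a log, and shows how to act on clamscan's exit status (0 clean, 1 something found, 2 scan error) and on its "FOUND" lines. The quarantine directory and log path are assumptions; the sample clamscan output embedded at the end is constructed so the parsing can be tried with --demo and without a scan.

```shell
#!/bin/sh
# Added example (not part of ClamAV): a clamscan wrapper that quarantines
# rather than deletes, records the scan, and turns the exit status and the
# "FOUND" lines into something a cron job or CI step can act on.
# QUARANTINE and LOGFILE are assumed locations; change them to suit.
QUARANTINE="${QUARANTINE:-/var/quarantine}"
LOGFILE="${LOGFILE:-/var/log/clamscan-$(date +%F).log}"

# Scan a directory tree. clamscan exits 0 when nothing matched, 1 when at
# least one file matched a signature and 2 when a scanning error occurred.
scan_tree() {
    mkdir -p "$QUARANTINE"
    clamscan --recursive --infected --move="$QUARANTINE" \
             --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' \
             --log="$LOGFILE" "$1"
}

# Map a clamscan exit status to a word the caller can branch on.
describe_status() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "infected" ;;
        2) echo "error" ;;
        *) echo "unknown" ;;
    esac
}

# Read clamscan output on stdin and print "path<TAB>signature" for every
# "<path>: <signature> FOUND" line, ignoring OK lines and the summary.
found_files() {
    awk '/ FOUND$/ {
        line = $0
        sub(/ FOUND$/, "", line)
        if (match(line, /: [^ ]+$/)) {
            print substr(line, 1, RSTART - 1) "\t" substr(line, RSTART + 2)
        }
    }'
}

# Constructed sample of clamscan output (not real scan results) so the
# parsing can be tried without a scan.
SAMPLE_OUTPUT='/srv/upload/invoice.pdf: OK
/srv/upload/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/srv/upload/notes.txt: OK

----------- SCAN SUMMARY -----------
Infected files: 1'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_OUTPUT" | found_files
elif [ -n "${1:-}" ] && command -v clamscan >/dev/null 2>&1; then
    scan_tree "$1"
    status=$?
    echo "scan result: $(describe_status "$status")"
    if [ "$status" -eq 1 ]; then
        found_files < "$LOGFILE"
    fi
fi
```

Run it as `sh scan.sh /srv/upload` from cron and alert on anything other than "clean"; exit status 2 deserves attention too, because a scan that errored out has not cleared the tree. To verify the pipeline end to end, drop the EICAR test file into the scanned directory and confirm it lands in the quarantine directory.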

Sophos Antivirus (SAV)

Sophos Antivirus (SAV) is another solid performer for antivirus protection and has minimal impact on a system’s performance. Sophos for Linux is free unless you require support. Sophos is also available for Windows and MacOS.

Sophos is lightweight and has an easy-to-use interface. It provides on-access, on-demand and scheduled scanning, and it detects and removes viruses, Trojans and other types of malware. SAV also looks up suspicious files in real time via SophosLabs.

To prevent Linux systems from becoming distribution points for malware aimed at other platforms (a file or mail server can pass along infected files it cannot itself execute), it also detects, blocks and removes malware that targets Windows, MacOS and Android systems.

Comodo Antivirus for Linux

Comodo is another top antivirus tool for Linux, MacOS and Windows. It is free for Linux and MacOS, though the Windows version currently costs a modest $4.99 per year. It performs cloud-based analysis of files and provides proactive antivirus and zero-day protection. By using cloud-based analysis, it avoids over-taxing systems.

Comodo provides regular updates, an on-demand scanner, a scan scheduler, custom scan profiles, and mail filtering (works with qmail, sendmail and Exim MTAs).

Kaspersky Endpoint Security 10 for Linux

Kaspersky has proven itself over the last 20 years to be a top product in the anti-malware arena. No longer free for Linux, it is still in the affordable range with discounts for multiple systems.

Kaspersky's Endpoint Security for Linux provides anti-malware protection with malicious URL blocking. It can scan both local and mounted drives as well as process memory, neutralize threats and disinfect files.

Rootkit detection and removal

Rootkit detection and removal tools detect and eliminate rootkits. A rootkit is a collection of malicious software that gives an attacker privileged access to a computer that they are not otherwise permitted, while hiding its own presence (its files, processes and network connections) from other software on the system.

There is no reason why you cannot run more than one rootkit detector. It is always possible that one will find a rootkit that another misses. How often you want to run scans and how many tools you want to use will depend on the time you can devote to absorbing the results. Daily scans are a good idea.

The top tools for detecting and removing rootkits are:

  • chkrootkit – free, open source
  • rkhunter – free, open source

chkrootkit

Chkrootkit is a popular, free and very effective tool for searching for rootkits. It looks for known signatures in system binaries. It can be run on demand or through cron. It provides an expert mode that reaches beyond rootkit signatures and, instead, prints the suspicious strings it finds so that you can judge them yourself (chkrootkit -x). A "not infected" result means that none of the known signatures matched; a hit should be confirmed against your package manager's own checksums before you assume the worst, since legitimate binaries occasionally trip a signature.

Chkrootkit is itself a long and detailed shell script that calls a series of other tools that the package provides (e.g., chkdirs and chkproc). The searches are surprisingly fast and thorough.

$ sudo /usr/sbin/chkrootkit | more
ROOTDIR is `/'
Checking `amd'...                   not found
Checking `basename'...              not infected
Checking `biff'...                  not found
Checking `chfn'...                  not infected
Checking `chsh'...                  not infected
Checking `cron'...                  not infected
Checking `crontab'...               not infected
Checking `date'...                  not infected
Checking `du'...                    not infected
Checking `dirname'...               not infected
Checking `echo'...                  not infected
Checking `egrep'...                 not infected
Checking `env'...                   not infected
Checking `find'...                  not infected

rkhunter

Rkhunter is another free rootkit detection tool. Use rkhunter --update to ensure you're using the latest rootkit definitions and signatures and then sudo rkhunter --check to run the scan. Rkhunter also keeps a database of file properties (hashes, sizes, permissions) for system commands and warns when one changes, which is what the "[ Warning ]" lines in the sample below indicate. Legitimate package updates trigger the same warning, so confirm the change against your package manager (dpkg -V or rpm -V) and, if it is expected, rebaseline with sudo rkhunter --propupd. As with chkrootkit, the scans can be run on the command line, are quite thorough, and will result in quite a lot of output -- as shown in this sample:

$ sudo rkhunter --check | more

[ Rootkit Hunter version 1.4.6 ]

Checking system commands...

  Performing 'strings' command checks
    Checking 'strings' command                [ OK ]

  Performing 'shared libraries' checks
    Checking for preloading variables         [ None found ]
    Checking for preloaded libraries          [ None found ]
    Checking LD_LIBRARY_PATH variable         [ Not found ]
  Performing file properties checks
    Checking for prerequisites                [ Warning ]
    /usr/sbin/adduser                         [ Warning ]
    /usr/sbin/chroot                          [ OK ]
    /usr/sbin/cron                            [ OK ]
    /usr/sbin/groupadd                        [ OK ]
    /usr/sbin/groupdel                        [ OK ]
    /usr/sbin/groupmod                        [ OK ]
    /usr/sbin/grpck                           [ OK ]
    /usr/sbin/nologin                         [ OK ]
    /usr/sbin/pwck                            [ OK ]
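
Two of the checks these tools perform, rewritten in shell as an added example (this is illustrative code, not chkrootkit's or rkhunter's own): comparing the process IDs present in /proc with those ps reports, which is the idea behind chkrootkit's chkproc, and listing the active entries of /etc/ld.so.preload, which is the file rkhunter's "preloaded libraries" check inspects. The functions take their input as arguments so they can be exercised on constructed data; run the script with --live to apply them to the current host.

```shell
#!/bin/sh
# Added example, not chkrootkit's or rkhunter's own code: two rootkit
# checks written out so the logic is visible.

# Processes present in /proc but absent from ps output are being hidden
# from the normal process listing, which is what a userland rootkit does by
# hooking the directory-reading functions in libc. This is the idea behind
# chkrootkit's chkproc. Both PID lists are taken as arguments (one PID per
# line) so the check can be run on constructed input; hidden PIDs are
# printed one per line.
hidden_pids() {
    {
        printf '%s\n' "$1" | sed 's/^/P /'   # PIDs seen in /proc
        printf '%s\n' "$2" | sed 's/^/S /'   # PIDs seen by ps
    } | awk '
        $1 == "S" && $2 != "" { seen[$2] = 1 }
        $1 == "P" && $2 != "" { proc[$2] = 1 }
        END { for (id in proc) if (!(id in seen)) print id }
    ' | sort -n
}

# Print the active (non-comment, non-blank) entries of an ld.so.preload
# file. The dynamic loader injects every library listed there into every
# program it starts, so on a clean host the file is normally absent or
# empty; rkhunter's "preloaded libraries" check looks at the same file.
preload_entries() {
    [ -r "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true
}

# Apply both checks to the running host.
if [ "${1:-}" = "--live" ]; then
    proc_list=$(ls /proc | grep '^[0-9][0-9]*$')
    ps_list=$(ps -e -o pid= | tr -d ' ')
    hidden=$(hidden_pids "$proc_list" "$ps_list")
    if [ -n "$hidden" ]; then
        # A process that exited between the two listings looks the same;
        # re-run before treating this as a rootkit.
        echo "PIDs in /proc but not reported by ps:"
        echo "$hidden"
    fi
    preload=$(preload_entries /etc/ld.so.preload)
    if [ -n "$preload" ]; then
        echo "libraries forced into every process by /etc/ld.so.preload:"
        echo "$preload"
    fi
    if [ -n "${LD_PRELOAD:-}" ]; then
        echo "LD_PRELOAD is set in this environment: $LD_PRELOAD"
    fi
fi
```

A hidden PID from a single pass is not proof of a rootkit: a process that exited between the two listings shows up the same way, so repeat the comparison before escalating. The converse also holds: a kernel-level rootkit can filter /proc itself, in which case both lists agree and this check sees nothing, which is why the full tools run many checks rather than one.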

Vulnerability scanners

Vulnerability scanners are programs that look for known system weaknesses. Some are quite expensive. Others offer free or trial versions of more full-featured or professional tools.

  • Nessus -- free to costly
  • Nmap – free, open source
  • Lynis -- free, open source
  • Nexpose – free trial only

Nessus

Nessus is a serious professional vulnerability scanner. It began as a free, open source tool, but that changed in 2005. It is currently only free for educators, students and individuals who are starting their cybersecurity careers.

Nessus was built with security practitioners in mind and is an industry standard for cybersecurity professionals. It allows its users to quickly identify and fix system vulnerabilities and focus attention on missing patches, configuration oversights and software flaws. It works through a web-based user interface that is crisp and easy to use.

Nmap

Nmap is a network exploration and security auditing tool. It's both free and open source. It uses raw IP packets in ways that allow it to discover what hosts are on a network, what services those systems are offering, what OSes they are running (including versions), what firewalls are in use, etc. Nmap can rapidly scan large networks or focus on an individual system. It works on most OSes and offers binary packages for Linux, Windows and MacOS. Because its probes are indistinguishable from reconnaissance, run it only against networks you are authorized to test.

Lynis

Lynis is a security auditing tool for Linux, MacOS and UNIX-based systems. It provides compliance testing (e.g., with HIPAA and ISO 27001) and system hardening. Lynis provides warnings and many suggestions for hardening security along with links that you can follow to get more information on each issue.

Suggestions for changes that can improve system security may include things like these:

  * Add legal banner to /etc/issue.net, to warn unauthorized users [BANN-7130]
      https://cisofy.com/lynis/controls/BANN-7130/

  * Enable sysstat to collect accounting (disabled) [ACCT-9626]
      https://cisofy.com/lynis/controls/ACCT-9626/

  * Enable auditd to collect audit information [ACCT-9628]
      https://cisofy.com/lynis/controls/ACCT-9628/

  * Install a file integrity tool to monitor changes to critical and sensitive files [FINT-4350]
      https://cisofy.com/lynis/controls/FINT-4350/

The scans work through many areas as indicated by these headings in the generated reports:

[+] Initializing program
[+] System Tools
[+] Plugins (phase 1)
[+] Debian Tests
[+] Boot and services
[+] Kernel
[+] Memory and Processes
[+] Users, Groups and Authentication
[+] Shells
[+] File systems
[+] USB Devices
[+] Storage
[+] NFS
[+] Name services
[+] Ports and packages
[+] Networking
[+] Printers and Spools
[+] Software: e-mail and messaging
[+] Software: firewalls
[+] Software: webserver
[+] SSH Support
[+] SNMP Support
[+] Databases
[+] LDAP Services
[+] PHP
[+] Squid Support
[+] Logging and files
[+] Insecure services
[+] Banners and identification
[+] Scheduled tasks
[+] Accounting
[+] Time and Synchronization
[+] Cryptography
[+] Virtualization
[+] Containers
[+] Security frameworks
[+] Software: file integrity
[+] Software: System tooling
[+] Software: Malware
[+] File Permissions
[+] Home directories
[+] Kernel Hardening
[+] Hardening
[+] Custom Tests
[+] Plugins (phase 2)

One of the last things you'll see in the Lynis output is a "hardening index," which you can use to compare systems. This is a measure of the steps that have been taken to harden the system.

  Lynis security scan details:

  Hardening index : 60 [############        ]
  Tests performed : 244
  Plugins enabled : 1
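
One way to put the hardening index and the suggestion list to work, as an added example rather than code from Lynis: run the audit, read the report Lynis writes to /var/log/lynis-report.dat (assumed here to hold one key=value pair per line, with each suggestion recorded as suggestion[]=TEST-ID|description|...), and fail the job if the index falls below a threshold. The threshold of 65 and the report path are assumptions to adjust for your environment; the report contents used to exercise the functions are constructed.

```shell
#!/bin/sh
# Added example, not part of Lynis: run the audit and gate on the result.
# Assumes the report Lynis writes to /var/log/lynis-report.dat holds one
# key=value pair per line, with each suggestion recorded as
# "suggestion[]=TEST-ID|description|details|solution|". REPORT and
# MIN_INDEX are assumed values; adjust them for your environment.
REPORT="${REPORT:-/var/log/lynis-report.dat}"
MIN_INDEX="${MIN_INDEX:-65}"

# Print the hardening index (0-100) recorded in a report file.
hardening_index() {
    sed -n 's/^hardening_index=//p' "$1" | tail -n 1
}

# Print the test IDs of the suggestions in a report file, one per line
# (e.g. BANN-7130), so they can be tracked as a to-do list across runs.
suggestion_ids() {
    sed -n 's/^suggestion\[]=\([A-Z]*-[0-9]*\)|.*/\1/p' "$1"
}

# Succeed when the report's index is at least the threshold, fail otherwise.
gate() {
    idx="$(hardening_index "$1")"
    [ -n "$idx" ] && [ "$idx" -ge "$2" ]
}

if [ "${1:-}" = "--run" ] && command -v lynis >/dev/null 2>&1; then
    # --quick runs without pausing for keypresses; run as root so that
    # every test can read what it needs.
    lynis audit system --quick
    echo "hardening index: $(hardening_index "$REPORT") (minimum $MIN_INDEX)"
    echo "open suggestions: $(suggestion_ids "$REPORT" | wc -l)"
    gate "$REPORT" "$MIN_INDEX" || exit 1
fi
```

Keeping the suggestion IDs from each run under version control makes regressions visible: a control such as FINT-4350 that reappears after it was closed is a configuration that drifted, which is more useful to know than the index alone.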

Nexpose

Nexpose from Rapid7 is a long-standing vulnerability scanner with a solid history of reliability. It supports discovery, detection, verification, risk classification, impact analysis, reporting and mitigation of threats, and it is often installed as an independent network appliance. The user interface is straightforward -- both easy to use and uncluttered.

Nexpose is excellent for use on large networks and can even be set up to use distributed scan engines for easily scalable, detailed quality reporting. It can, however, be pricey. The Community edition is free for a full year.

Key Linux anti-malware takeaways

Many quality tools are out there and quite a few are free or low cost. I’ve covered only some of the best and most affordable tools.
