• United States



Unix Dweeb

Top Linux endpoint protection software

May 18, 20227 mins
Endpoint ProtectionEnterprise ApplicationsSecurity

Malware attacks on Linux systems are on the rise. These free and low-cost tools provide good endpoint protection.

Linux security shield
Credit: Thinkstock

I’ve been running the Linux desktop since the great desktop debate was between C Shell and Bash. I’ve never felt a need for a Linux antivirus program. But, that’s not to say that I thought I could get away without Linux desktop or server security. Far from it! While I use third-party programs like the ones below, I rely on good security practices to secure my system.

Mind you, in recent years we’ve seen an enormous increase in Linux malware. According to security company Crowdstrike, Linux malware increased by 35% in 2021 compared to 2020. Before you tear your hair out keep in mind that the vast majority of these attacks are not targeting Linux servers or cloud instances. Instead, Crowdstrike reports, XorDDoS, Mirai and Mozi, the biggest Linux-based malware families, go after the low-hanging fruit of internet of things (IoT) devices.

That doesn’t mean your servers aren’t under attack. They are. For example, LemonDuck, a popular cryptomining botnet, is targeting Docker on Linux systems to coin digital cash and is paddling around the cloud pond looking for victims.

If you look behind the recent flood of “Linux is dangerous!” headlines, you’ll find the same refrain over and over again. At the root of the security problem is a misconfiguration, a failure to patch a long-known security hole, or, frankly, incompetent system administration work. For an example of the last, an attack that requires root before it can work ignores the elephant in the room that if your attacker has root privileges you’re already completely compromised. 

Linux security basics

Before you can secure anything, you need to know its security basics. For that, turn to such online classes as the Linux Foundation’s Linux Security Fundamentals; Udemy’s Linux Security and Hardening, The Practical Security Guide; and Red Hat Security: Linux in Physical, Virtual, and Cloud.

You should look at Linux security books and online guides. Some of the best include:

There are also online security news sites you should watch. The single best source for this is Red Hat’s Security Product Advisory page. While much of it is Red Hat Enterprise Linux (RHEL) specific, Red Hat also covers security issues that matter to all enterprise Linux distributions. Red Hat also does the best job of the major distros of reporting security fixes as soon as possible. 

Another important resource is the oss-security mailing list for open-source security software reports and discussions.

Locking down Linux

Once you have the fundamentals down, you can work on locking down your Linux systems with more advanced built-in Linux tools. The foremost of these is SELinux.

SELinux is a set of Linux patches and user tools that add mandatory access control (MAC) security to the operating system. It defends the operating system by locking down any hacked or misbehaving application, preventing them from causing damage to data or other applications. But, and this is important, SELinux’s fundamental security approach is to restrict everything unless explicitly permitted. That’s the exact opposite of Linux’s standard security approach, discretionary access control (DAC), which permits everything unless explicitly forbidden.

With traditional Linux DAC security, the root user is omnipotent, for better or worse. Each process runs under a user and group. For example, the Apache webserver httpd process runs as the user apache under the group apache. Thus, the httpd process has access to all Apache files and directories. If it’s cracked, the hacked httpd process can access, modify, and destroy all files that belong to Apache.

Or, as Tom Cameron, senior technical trainer at Amazon Web Services (AWS) and SELinux expert puts it, with ordinary Linux, “[w]e give you the gun, and there’s your foot.” In short, SELinux is great for securing systems, but you really must know it well before deploying it. The most common problems with SELinux occur when it’s deployed badly.

Top Linux endpoint protection programs

Once you’ve mastered all that, then it’s time to look at Linux endpoint software. These programs detect and remove malware, identify system vulnerabilities, and ward off attacks. Here are the best available today.


Chkrootkit is a popular, free tool for searching out rootkits. It looks for known signatures in system binaries. It can be run on-demand or via cron. The program also provides an expert mode that reaches beyond rootkit signatures and, instead, looks for suspicious strings (chkrootkit -x).

The program is made up of a long and detailed shell script that calls a series of other tools that the package provides (e.g., chkdirs and chkproc). Another free, popular rootkit tool,  Roolkit Hunter, is no longer being updated. If you’re still using it, stop. It’s time to find a replacement.


ClamAV, the free, open-source antivirus tool is very popular. It detects Trojans, viruses, malware, and other malicious threats. It works on the command line, though a graphical interface, ClamTk, is also available.

ClamAV uses the somewhat outdated virus signatures approach to find dangerous files. It uses a separate tool, freshclam to keep its signatures up to date. It can scan zipped and archived files as well as regular files.

With today’s more advanced threats, it’s not as useful as it once was, but it’s still good for spotting older viruses and malware following in their footsteps.


Nessus is a serious professional vulnerability scanner. It began as a free, open-source tool, but that changed in 2005. It is currently only free for educators, students and individuals who are starting their cybersecurity careers This edition can only be used with up to 16 Internet Protocol (IP)-addressed systems. The business version, Nexus Pro, license starts at $3,390 for an annual license.

Nessus enables you to quickly identify and fix system vulnerabilities and focus attention on missing patches, configuration oversights and software flaws. It works through a crisp, web-based user interface that’s easy to use.

Sophos Antivirus (SAV)

For now, there’s still a free version of Sophos Antivirus (SAV), but it’s no longer being kept as up-to-date as its service-based cousin, Sophos Central Anti-Virus for Linux version 10. Both versions use signature files to detect and deal with viruses on your Linux machines. It also detects non-Linux viruses that might be stored on your Linux servers, where they could spread to your macOS and Windows computers.


Lynis is an open-source security auditing tool for Linux, macOS, and Unix-based systems. It provides both compliance testing (e.g., with HIPAA and ISO 27001) and system hardening. Lynis provides warnings and many suggestions for hardening security along with links that you can follow to get more information on each issue.

Microsoft Defender for Endpoint on Linux

Oh, the irony! Microsoft’s Microsoft Defender for Endpoint on Linux is a good anti-malware and virus program. Who’d thought it even five years ago!? As the name indicates it works in concert with the Microsoft Defender for Endpoint family. It also boasts endpoint detection and response (EDR) capabilities.

While it does a good job of chasing down viruses for all operating systems, however, this version of the program is meant for Linux servers, not desktops. This program would be an excellent addition for any company depending on Linux servers and Windows desktops.


Rapid7‘s Nexpose Vulnerability Scanner works by identifying your machines’ active services, open ports and running applications. That done, it checks for vulnerabilities in the known services and applications. In addition to discovering these problems, it also provides risk classification, impact analysis and reporting and mitigation of threats. It is often installed as an independent network appliance. The user interface is straightforward — both easy to use and uncluttered.

Nexpose is excellent for use on large networks. It can be set up to use distributed scan engines for easily scalable reporting. The program’s pricing varies depending on the number of assets you’re protecting. The Community edition is free for a full year. That will give you more than enough time to see if it works well for your company.

Protect that penguin!

Your best Linux protection starts with using Linux’s existing tools to set up a solid security system. Everything else is secondary. That said, there are useful programs out there to protect your endpoints. You should use them. Again, it all starts with deploying and administering Linux responsibly.  

Unix Dweeb

Sandra Henry-Stocker has been administering Unix systems for more than 30 years. She describes herself as "USL" (Unix as a second language) but remembers enough English to write books and buy groceries. She lives in the mountains in Virginia where, when not working with or writing about Unix, she's chasing the bears away from her bird feeders.

The opinions expressed in this blog are those of Sandra Henry-Stocker and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.