Do we need to choose real-time scanning by all means on Raspberry Pi?




Most of you are using clamav as the antivirus solution on your Raspberry Pi, right?

In this article, I will share my thoughts with those who worry about their antivirus solution, thinking things like:

Ideally, virus scanning should be real-time, but that consumes a lot of RAM all the time.

On-demand scanning may miss a virus, and this is also a problem.



My opinion is based on the fact that I personally use my Raspberry Pi as a hobby.
So if you want a business solution, this article does not apply.

For example, if your business runs a web service on AWS/Amazon Linux that everybody can use, the severity of an incident is not comparable with one on my Raspberry Pi.

But my viewpoints may still help you.

Let’s enjoy!

As a conclusion

Under my preconditions, on-demand scanning is enough.

Because,

Reason<1> The routes by which a virus can get in are limited.

I use my Raspberry Pi as a Nextcloud server and a Samba server, and only limited ports are open.

You can see the netstat result below.
I use postfix to send mail when a virus is detected, so the smtp port is open, but unnecessary ports are closed.

$ netstat -ta4
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:netbios-ssn     0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:http            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:xxxxx           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:smtp            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:microsoft-ds    0.0.0.0:*               LISTEN
tcp        0      0 yasufumi-yokoyama:xxxxx 192.168.1.8:xxxxx       ESTABLISHED



And also my home Wi-Fi router forwards only HTTP/HTTPS/SSH, that's it.
My measures for each port are shown below.

Port              Usage        Risk of virus
HTTP/80           Nextcloud    Nothing. Two-factor authentication is introduced, so unknown users cannot log in. Hence malicious files cannot be uploaded.
HTTPS/443         Nextcloud    The same as HTTP.
SSH/(not TCP 22)  maintenance  Nothing. Authentication is private-key based, so unknown users cannot log in. Password authentication is deactivated. Hence malicious files cannot be uploaded.



A virus is a file.
So to perform malicious behavior, someone needs to run the virus-infected file.
It means someone needs to get into the Raspberry Pi.

But as mentioned earlier, my Raspberry Pi has measures that do not allow unknown users to log in.
So the risk can be thought of as low.

If you are interested in two-factor authentication or private-key-based authentication for SSH, these articles are just what you want!

Reason<2> Fewer viruses for Linux

As you might know, there are fewer viruses for Linux than for Windows/Mac or even ChromeOS.
So in the big picture of security measures, it seems better to focus on other things.

This is data taken in 2019; Windows is over 60%!
– Second is ChromeOS, interesting…

https://www.udsenterprise.com/en/blog/2019/12/02/linux-least-targeted-os-malvertising/



Yes, we can agree with this result because most people use Windows, Mac, iPhone, or Android smartphones.

In my surroundings, no one uses Linux, not even Ubuntu...

That's why, from an attacker's perspective, targeting Windows/smartphones is more effective than targeting Linux.

And this is just my impression, but users of Linux are familiar with security, so their computers are safe to a certain level.

But smartphones in particular are treated more as expensive toys than as computers.
And hence the majority of people think like,

Security? What is this?
It should be taken care of by engineers, ha ha.

Taking this point into consideration, iPhone/Android smartphones are less secure, so attackers are more willing to target them than Linux.

So there is less motivation to target Linux users.

Don’t we need to do anything?

But it is not safe to do nothing, because we are engineers, aren't we?



So my countermeasure is,

Full scanning once a week

If you schedule the scan at midnight, availability should be maintained.



You can see how to set up periodic scanning in this article!
– There you can get the complete script, then you are ready!
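As an added example (not the script from this article or the linked one), here is a weekly on-demand scan wrapper in the shape described above: clamscan run from cron at midnight, with mail sent through the local postfix only when something is found or the scanner fails. The scan directories, log path and recipient are assumptions.

```shell
#!/bin/sh
# Weekly on-demand ClamAV scan with mail alert (added example, not the
# article's or the linked article's script). Assumes clamscan, a local MTA
# such as postfix, and the mail(1) command; directory and log paths are
# assumptions.
SCAN_DIRS="${SCAN_DIRS:-/home /srv /var/www}"          # assumed scan targets
LOG_FILE="${LOG_FILE:-/var/log/clamav/weekly-scan.log}" # assumed log path
MAIL_TO="${MAIL_TO:-root@localhost}"

# Print the "Infected files: N" count from saved clamscan output ($1).
# Prints 0 when no summary line is present (e.g. clamscan aborted early).
infected_count() {
    n=$(sed -n 's/^Infected files: \([0-9]*\).*/\1/p' "$1" | tail -n 1)
    echo "${n:-0}"
}

# Return 0 (send an alert) when clamscan's exit status ($1) is non-zero
# (1 = infected files found, 2 = scanner error) or the parsed count ($2)
# is positive; return 1 (stay quiet) for a clean run.
needs_alert() {
    [ "$1" -ne 0 ] || [ "$2" -gt 0 ]
}

run_weekly_scan() {
    mkdir -p "$(dirname "$LOG_FILE")"
    # --infected prints only hits; --recursive walks subdirectories;
    # nice keeps the scan from competing with Nextcloud/Samba for CPU.
    # shellcheck disable=SC2086  # word splitting of SCAN_DIRS is intended
    nice -n 19 clamscan --infected --recursive $SCAN_DIRS > "$LOG_FILE" 2>&1
    status=$?
    count=$(infected_count "$LOG_FILE")
    if needs_alert "$status" "$count"; then
        mail -s "ClamAV weekly scan on $(hostname): $count infected, exit $status" \
            "$MAIL_TO" < "$LOG_FILE"
    fi
    return "$status"
}

# Run the scan only when invoked with "run", e.g. from crontab at midnight
# every Sunday:  0 0 * * 0 /usr/local/bin/weekly-clamscan.sh run
if [ "${1:-}" = "run" ]; then
    run_weekly_scan
fi
```

Because clamscan exits 2 on errors such as a missing signature database, the wrapper mails in that case too, so a silently broken weekly scan does not look like a clean one.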

Conclusion

How was it?

At the beginning I assumed I needed to set up real-time scanning, but it uses a lot of RAM all the time…
So I reviewed my situation and reached a countermeasure I can accept as a compromise.

Glad if this article helps you!

Any feedback in the comment section or on SNS is welcome!
