Re: @Trevor Pott's reasoning
@eulampios: ClamAV is actually quite terrible at finding website compromises. It does find some however, and is better than nothing. LMD does a far better job, but isn't included in the primary repositories.
The issues of the type I am discussing are neither "you must be logged on as root and download some Trojan by using Linux as a desktop" issues nor are they 0-days. In nearly every case, malware on Linux occurs because someone forgot to - or couldn't, because of chained dependencies - patch.
In most cases it is a flaw in some PHP application that an admin has installed on their Apache setup. A privilege escalation bug or some other issue allows someone access to the webserver. They then alter the extant CMS/Application/whatever to include links to malware, typically as part of a drive-by-download attack targeting Windows (though increasingly Mac) users.
In general, this sort of malware does not compromise the Linux system itself. IMHO, anti-malware trying to defend the Linux operating system itself is completely pointless. Every available anti-malware package for Linux is so woefully inadequate that if and when your Linux system is compromised you nuke the whole thing and start over. (It’s quicker than defanging the thing.)
No, anti-malware on Linux is almost exclusively for cleaning e-mail and cleaning compromised websites. Generally compromised websites targeting Windows systems.
I wouldn’t prescribe anti-malware for Linux for the same reasons as I would Windows. Frankly, Windows anti-malware is far more robust. It has to be; Windows has so many deep flaws (and is such an attractive target due to market share size) that there are many vectors to infect the OS itself.
Linux has a smaller attack surface in getting at the OS + core packages proper. That said, when it is infected, it’s pretty much a total loss. When a Windows system is compromised, even a half-assed Windows admin can clean the thing in ~80% of cases with less than an hour’s applied effort. (Assuming you ignore “the progress bar is going” in the effort calculations; most admins go do something else while waiting for progress bars.)
When a Linux system is compromised, this isn’t really the case. In these instances the malware is generally (by necessity) significantly more complex than your typical Windows software, written by people who know far more about the OS than the sysadmin trying to defend the thing.
Comb through the logs for long enough, test permissions and run fuzzers on enough things and you might figure out what was compromised, how, how many friends it downloaded, what they affected, etc. Then you can kill it pretty easily. In that timeframe however you could just have backed up your core configs/data, reinstalled and been on your merry way. (This isn’t remotely as easy on Windows; even with folder redirection, AD, etc, backing up configs can be a PITA.)
So, to recap: anti-malware is generally necessary on Linux for the two most common roles that Linux sees. Namely, e-mail (either as a pre-filter or actual server) or web hosting. The actual usefulness of anti-malware is different than it would be on Windows, but it is still recommended nonetheless.
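An added example, not part of the post above: a small Python baseline-and-diff check over a web root that flags new or changed files and, among those, the ones carrying the kind of injected iframe/script link or obfuscated PHP the post describes being planted in a CMS. The file names, the web root and the marker patterns are constructed for the example.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Markers typical of injected web content (a constructed, deliberately short list).
INJECT_RE = re.compile(r"<iframe\b|<script\b[^>]*\bsrc=|eval\(base64_decode\(", re.I)


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256: the integrity baseline."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline, current, root):
    """Diff two baselines and scan added/modified files for injection markers."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys()
                      if baseline[k] != current[k])
    suspicious = sorted(
        rel for rel in added + modified
        if INJECT_RE.search((Path(root) / rel).read_text(errors="replace"))
    )
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}


def demo():
    """Build a constructed web root, take a baseline, simulate a CMS tampering, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "footer.html").write_text("<p>footer</p>")
        baseline = hash_tree(root)
        # Simulated compromise: hidden iframe added to a template, obfuscated PHP dropped,
        # and a benign edit that should show as modified but not suspicious.
        (root / "footer.html").write_text(
            '<p>footer</p><iframe src="http://example.invalid/x" width=0 height=0></iframe>')
        (root / "wp-cache.php").write_text("<?php eval(base64_decode('aGk=')); ?>")
        (root / "index.php").write_text("<?php echo 'hi'; ?>")
        return compare(baseline, hash_tree(root), root)


if __name__ == "__main__":
    print(demo())
```

Store the baseline outside the web root (or off-box) so an intruder who can edit the CMS cannot also rewrite the reference hashes.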