Security application recommendations

Hello community!

I am a new user and would like some recommendations for security software that defends against malware, viruses, or other threats (ideally with real-time detection). I am already aware of end user best practices and remain ever vigilant.

I am using Manjaro KDE and have installed openvpn as well as gufw but am looking for more ways to keep my system secure.

Much thanks!

1 Like

There is none.

Don’t run untrusted software and use your brain.


You can enable the firewall if you surf in internet cafes, airports or other insecure locations.
You can install ClamAV or ClamTK GUI if you want to occasionally scan some file that came from Windows and should be forwarded to another windows user.
You DO NOT install scripts from random internet sites.
You are careful with running sudo (especially in combination with some script you downloaded from somewhere).
You install software from the repositories. Maybe after you gather some experience also from AUR, or snap, or flatpak too.

That’s it. And make backups. For the system, enable Timeshift. For you home folder - copy your files somewhere regularly.
Generally, as a new unexperienced user of a rolling release distro, chances are, you will break the system yourself :slight_smile: So keeping a manjaro flash drive at hand and reading the wiki and tutorials is the way to go.


Mithrial kind of nailed it with don’t run untrusted software and use your brain. We’re not the lowest hanging fruit so a little common sense goes a long way at the moment.

Not strictly software recommendations but for me:
I keep snapshots of the important data I want to keep and if I have any doubt about my system integrity I do a clean re-install, add back the software I trust and then restore the data I want.

If you’re installing from the AUR check the pkgbuild info to see what’s actually going to be done before allowing it.

I do a lot of my secure browser stuff in a VM, use physical hardware keys for securing accounts, keep a separate installation on a different drive so I can shrug off a broken system and chroot in to poke around if anything goes wrong.

Other than that just keep an eye out for your machine doing something you’re not expecting, I have a set of widgets on my second monitor showing CPU/Memory/Disk read-write/Network usage. If any of those seem weird I check logs or btop to see what’s happening and why.

Just common sense and don’t get complacent.

I’m sorry to disappoint you but the only “software” that really protects you in real time vs any of those you mentioned is between your ears…
Yes that means your own brains…

No software can ever protect you vs those because they are all tailored AFTER the fact those are reported, investigated, analyzed and finally added to the database said software uses to detect those…

Yes i understand people want to be able to do anything they like and be “safe” but the world doesn’t work like that…
Even a fire fighter wearing top notch anti heat equipment WILL BURN if he stays in that fire longer as that suit is made to protect him…

So it’s up to you to do certain things or not, and live with the consequences…

Being aware of them and acting accordingly are different things in my experience :wink:

Well … there is firewall, like ufw … which you should probably use if you dont always sit behind one.
(such as at your router)

Some people employ apparmor … but its only as good as the profiles it loads … which isnt very much by default.

Similarly something like rkhunter can itemize a known-good system … then notify of changes to that known-good makeup.

Applications like clamav purport to be able to find viruses like your traditional antivirus software … though it should be noted that it is known more for false-positives than anything else … and is still largely only intended to find windoze malware.

Those things said … I use none of those examples on my own system.
(firewall exists at the router)

Though I do make use of hblock to maintain a rather robust hosts (block) file.


If you’re new to Linux, and you want more even information than all the above helpful hints, this might also help:


P.S. If you would have read the above before installing gufw, you would have known that this is the Gnome Universal FireWall, whereas you’re on KDE and only need ufw as the KDE front-end to ufw can just be installed in KDE’s Control Panel System Settings.
P.P.S. This is a small mistake: leave things as they are as you’ve only lost a few MB of disk space and if it bothers you in a few months, ask a new question on how to replace gufw with ufw clearly mentioning you’re running KDE.



Linux on a workstation is secure by design.

Only when running applications which open ports on the network you need to think security.

IF you are hit by a malware targeting you specifically then - per design - the malware will only have write access to your home folder.

You don’t need malware detection on Linux unless you run illegal and/or cracked Windows software using Wine.


I doubt that one needs it even in that case, because wine is also a kind of virtualization :wink:
(I have not done any research in this case though)
Bottom line: Linux != Micro$@$.
So leave all you know back with that OS and start a fresh new journey in freedom and security :rofl:

1 Like

I would disagree with this. It is not thought as containerized virtual machine, the concept is just quite different. So it has access to some stuff at home. It can start stuff automatically on login. Theoretically, a ransomware can still encrypt the home folder for example. Sure, not everything is compatible in wine and chances are, the ransomware will not work :slight_smile: , but there is no guarantee. Trojan horse is another thing, ok, the attacker will have access only to home, but it is still bad enough.
So wine is definitely another vector of attack.

1 Like

1 Like

No comment, il just give a :+1: and let it go :wink:

Thanks for your replies, everyone!

To be perfectly sincere with you all, the laissez faire attitude towards system security I’m getting back from the community is concerning to me.

It is public knowledge that bad actors use various exploits, including fileless malware, on all operating systems. I’m not trying to seal all the avenues of attack, just make myself a harder target than the next computer.

I suppose I’m speaking to the part of the community who may have suggestions other than the typical “use your brain”. No offence intended.

Largely “security is something you configure”
(according to your use patterns and threat models)

1 Like

Your last sentence is already true by using

  • Linux instead of Windows
  • LibreOffice instead of Office
  • Thunderbird instead of Outlook
  • your brain when you receive a pdf bill on the middle of the month

There is nothing else you can do.

With Linux, Firefox with UblockOrigin and an understanding of when to open links gives you a 99% advantage over the average user.

1 Like

I really, really hate myself for doing this, and I’ll save it this time for future reference, but @Aragorn, can you please chime in about this?

1 Like

We are not lax about security. The first sentence in the arch wiki is

It is possible to tighten security to the point where the system is unusable.

Been there, done that. I dabbed at computer security at some point (call it “hacking” if you want although it isn’t true). As i learned what could be potentially done i wanted to protect myself from all possible theoretical threats (yes i even had an on access virus scanner in linux)…while some of them never really existed.

At some point i developed a common sense for not opening cat videos sent per skype in windows like my dad did :rofl: :joy_cat: :face_with_symbols_over_mouth:
And i understood what is enough to protect me in 99% of the time from 99% of the threats. I reallised what i could do to my neighbor’s network does not mean he has the knowledge to do it to mine…
And i realised the rest 1% will be exponentially hard and time consuming to secure against an exponentially diminishing threat. And it is not adequate for my situation. Like trying to secure the usb ports of a desktop pc that was only stationary at home.

So nowadays i passionately argue that linux viruses do exit. I do it for the sake of clarity and science. But i would never advise a noob to install an antivirus in linux. That’s the difference between theory and practice.

1 Like

I’d argue that the biggest threat, to any computer, regardless of operating system is the well-known PEBCAK virus…between that and the ID10T errors…


That’s because your mind is still stuck in the Windows paradigm. :wink:

Microsoft Windows started its life as a single-user graphical interface on top of MS-DOS, a 16-bit single-user, single-tasking operating system that ran all of its code with full hardware access. Basically, MS-DOS was more of an application loader than an actual operating system. When DOS loaded an application into memory, from that moment on, the application had full control of the machine, and it could do anything it wanted.

MS-DOS also had a very limited memory address space to work with, courtesy of having been developed for the 16-bit Intel i8086 and i8080 processor family, and their successor, the short-lived i80186.

This is why when more powerful processors came along — i.e. the i80286, and then later the 32-bit i80386 and i80486 processors — Windows also started including a DOS memory extender and a primitive cooperative multitasking system. But it was still only a single-user layer on top of a single-user operating system.

Cutting a long story short, somewhere along the line, IBM and Microsoft joined forces to create a successor for MS-DOS, named OS/2, and the plan was devised to start developing a joint platform of which the IBM version would carry the OS/2 interface and an API for OS/2 applications, while the Microsoft version would carry the Windows interface and an API for Windows applications, and while both of them would be compatible with earlier 16-bit software written for MS-DOS, for the 3.xx version of Windows (which ran on top of DOS), and for the 16-bit version of OS/2.

Then things went sour between IBM and Microsoft. Bill Gates broke his agreement with IBM, and with the help of VMS developer Dave Cutler, all of the code that Microsoft had written for the next generation of OS/2 was cannibalized, converted to Windows code, and crudely bolted onto a VMS-like kernel. This kernel is multi-user-capable, but other than that the Windows code was ported to run on that kernel, Windows itself continued to essentially be a single-user environment that was initially developed for an operating system that didn’t even have any networking abilities.

Even today, Windows is still Windows. It may have a slick-looking user interface — or, well, at least in the opinion of certain people — but underneath, it’s still a mess of duct tape with crude bolts and nuts. And that’s because unlike what Steve Jobs did at Apple when he in turn decided to replace Classic Mac OS by a more modern and UNIX-based foundation, Bill Gates absolutely did not want to change anything about the basic internal design of Windows.

Because of Windows’ legacy as a layer on top of MS-DOS, Windows still regards a file as executable solely based upon the filename suffix, i.e. .exe, .com, .bat and friends. By consequence, in Windows, open() still equals execute(), just like in MS-DOS.

Furthermore, also just as in MS-DOS — which, remember, was a single-user operating system for non-networked computers, and which approaches storage as individual volumes, each with their own root directory and subdirectories — the user has write access to everything, with the exception of C:\WINDOWS and C:\WINDOWS\SYSTEM (or whatever it’s called these days).

And so as to make things even worse, Microsoft’s philosophy has also always been one of aiming for commercial and proprietary application software, if not from Microsoft itself, then from Microsoft’s partners. And security was only an afterthought, because first and foremost, they wanted the user to have the same ease of use as with the non-networked MS-DOS, while security precautions were perceived as standing in the way of Microsoft’s idea of “user-friendliness”.

On top of all that, whenever Microsoft releases something as production-ready, it still contains tens of thousands of bugs. It is in fact what every serious software developer would consider beta-grade software, not even release-candidate material yet. And then they gradually fix things over time by way of so-called service packs.

The bottom line is that Microsoft Windows is full of holes, both because of coding errors — which is normal, although Microsoft in particular is quite known for letting more coding errors slip through their quality control than any other proprietary software company — and most crucially, because of the very way that Windows was designed.

And given that Windows comes preinstalled on most brand-name commodity hardware, in combination with Microsoft’s multi-million-dollar advertising and PR campaigns, the typical Windows user is accustomed to the fact that they have to take additional precautions to protect their system. Of course, given that Windows is much more ubiquitous on desktop and laptop computers than any other operating system, it’s also a much bigger target for the malware industry and the black hats.

But that’s Microsoft Windows, and unlike GNU/Linux, it has virtually no peers. Yes, there is ReactOS, which is an attempt to write a Free & Open Source clone of Windows, but given the complexity and proprietary nature of Windows proper, ReactOS has yet to rise out of the alpha stage in terms of usability.

GNU/Linux on the other hand is an entirely different story. First and foremost, it’s a UNIX system, and UNIX is an operating system architecture developed in 1969-1970, and then improved and perfected.

Furthermore, UNIX was designed from the ground up as a multi-tasking, multi-user operating system than ran on minicomputers and mainframes, to be accessed and used by multiple people concurrently via so-called dumb terminals. It was essentially a slimmed-down version of the Multics mainframe operating system.

In other words, UNIX was designed from the ground up to have a built-in security system based upon a simple but very flexible and efficient permissions model with file ownership and groups, and based upon the principle of least-privilege. In UNIX, unprivileged users only have write access to their own ${HOME}, to /tmp, to /var/tmp, and if the machine runs a local mail server, to /var/spool/mail/${USERNAME}. Everything else is read-only to anyone other than root.

In addition to that, in UNIX, the filename is irrelevant as to whether the file is executable or not, because whether it is or isn’t — and for whom — depends upon the file’s permissions mask. Not to toot my own horn, but I’ve written an extensive tutorial on UNIX file permissions and ownership, which you can find below. :arrow_down:

Unlike in Windows, an unprivileged user is not hampered by the security system, because they can do everything that they need to be able to do without having to resort to root privileges, and nothing that they shouldn’t be able to do.

UNIX is an industry-standard operating system architecture, and although some proprietary UNIX versions still exist — e.g. Oracle Solaris, IBM AIX, Hewlett-Packard HP/UX, et al — most UNIX systems in use today are based upon one of the many Free & Open Source UNIX platforms, of which GNU/Linux is the most popular one.

As the matter of fact, about 80% of the internet is powered by GNU/Linux, with the remaining 20% divided among the various Free & Open Source BSD systems — i.e. FreeBSD, NetBSD, OpenBSD, et al — and macOS, which is a modified and partly proprietarized FreeBSD. Microsoft Windows dangles somewhere at the bottom with maybe a 2% market share in the server rooms, exactly because (1) it’s proprietary, (2) it’s not stable enough, and (3) it’s a security nightmare.

By consequence, if you are new to GNU/Linux and you come from the Windows ecosystem, then you will indeed be surprised by what you term our cavalier attitude, but those of us who’ve been using GNU/Linux for many years — and in my case, that’s over 24 years, and exclusively so — know that we don’t need to be paranoid about attack vectors that only apply to Microsoft Windows.

Yes, a certain degree of caution is always required, but when it comes to GNU/Linux, the weakest link in the security of the system is the biological mass between the keyboard and the chair, unlike in Windows, which is a very promiscuous operating system by way of the refusal of its creators to redesign the system from the ground up. If Microsoft had been smart, then they would have opted for a UNIX-based design, just as what Steve Jobs did over at NeXt Computing, which was later acquired by Apple, and what Jobs then continued to do when he was put back in the saddle as the CEO of Apple Computer.


Just a FYI to anyone who thinks computers can be made 100% save:
It is a Myth, and impossibility.

  • All software is run by your CPU like an obedient slave without own will.
  • All software is written by humans.
  • All code that the CPU has to execute can be read and understood by humans by using disassemblers.
  • So they can always try to find weaknesses to bypass the build-in software protections.
    That’s what true “hackers” do :wink:
    (At least, that’s what i did when i was young and into that side of the fence, although in that time i could read the code by just looking at the bytes them self without using a disassembler)

That’s why IMHO, Anti-Virus software are like placebo pills. They make the patient feel better but they don’t cure the real cause nor protect it vs the thread.

1 Like