Do You Need an Anti-Virus on Linux?

A common question that new Linux users coming from Windows have is how to install an anti-virus, or whether they need an anti-virus at all in the first place. In this article, I'll try to answer this question so you can use Linux safely and without worry.

Short Answer

No. You don't need an anti-virus on Linux. Although you should make backups just in case something bad happens so you don't lose all your data at once.

Medium Answer

Not yet.

Long Answer

To understand why we don't need an anti-virus on Linux, or at least not yet, we need to first understand a few important things:

  1. What even is a virus?
  2. Why do we need an anti-virus on Windows?
  3. What are the risks of being infected with a virus?
  4. How do computer viruses work?
  5. What are the goals of virus developers?
  6. What are the differences between Linux and Windows in relation to viruses?
  7. How do operating systems protect your computer from viruses?

Two Cybersecurity Paradigms

There are two ways to think about the security of a computer: in regard to the system, and in regard to the user's data and files.

The Security of the System

Many cybersecurity analyses are focused on the security of the system, which, ironically, is not something users actually care about. I'd wager many users would be completely fine with their PC's system being compromised so long as their data isn't. However, it's not possible to guarantee that your files aren't compromised if your system is, so the integrity of the system is a requirement for protecting your files within it.

The security of the system simply means that there is no way for a random program to gain privileged access without being granted it by the owner of the system. Privileged access in this case means "running as administrator" on Windows, or running as root (super user, sudo, etc.) on Linux. It may also mean a program gaining access that is restricted to the kernel, the core of the operating system.

These security holes are frequently patched in operating systems, so they get fixed so long as you keep the operating system updated. For example, if a computer is connected to the Internet, then any computer in the world can send a message to it. In general, this message isn't processed in any way unless a program is running that handles the specific type of message that was sent. If your system keeps some program running that accepts connections from the Internet, it's possible that a security hole in that program allows a random attacker from anywhere on the planet to gain control over your system. This sort of bug is called Remote Code Execution (or RCE).

This isn't something you need to worry about. If either operating system has a security hole like this, it won't be your problem, it will be everybody's problem. The only thing you need to worry about is keeping your system updated, since these holes are constantly being patched by security updates.

The Security of User Data

The other way to look at the security of a computer is whether or not the data of the user is safe, and the answer is going to sound a bit ridiculous, to be honest.

While the security of the system is under extreme scrutiny, as any holes could jeopardize computer infrastructure worldwide, the security of the user data is essentially non-existent. There is practically nothing protecting your data from any programs you run. It's almost hilarious how much we've given up on that.

What I mean by this is that there is generally nothing that stops any program in your computer from deleting all your files. The security of the system stops a program from deleting system files, but everything under "My Documents" gets no protection whatsoever.

Not only can any program delete all your files, but it could also edit them, or even send them to the Internet. It would be trivial to write a program that just takes every file in your My Pictures folder and uploads it to a hacker's Instagram account or something like that without your consent.

Additionally, there is one extremely important file that also gets no protection, since it's a user file and not a system file: your cookies. Cookies are where your web browser stores data it receives from a website. In particular, when you log into a website, the website gives you a "key" to access your account in the form of a cookie. This means that if you log into Facebook through your web browser on one PC and copy the cookies to your laptop, you can access your Facebook account without even having to type your password, because you already have the key to the account. And if you can do this, a hacker can do it as well.

Fortunately, these days, security-sensitive files like cookies are encrypted by the operating system (e.g. by KWallet and GNOME Keyring). This means a random program can't just steal your cookie file, because it isn't a plain user file; it's a file protected by the system. It's still possible to steal the cookie if the program compromises the system, dumps everything in your RAM (including the unencrypted cookie) to a file, and then sends that file to the hacker via the Internet, but that requires compromising the system, and as we already know, systems are patched constantly, so that's not something you need to worry about.

Opening the Door

In summary, what we can understand from this is that both systems are impenetrable by default. They are domes with thick walls where nothing bad can enter. And then there is a door. And you have the key.

If you open this door by running a random program in your computer, it MAY be a malicious program, and it CAN do harm to your files. This is a real concern to have.

And it isn't just malicious programs. Sometimes programmers make mistakes, and those mistakes delete all of a user's files.

To protect yourself, the best solution isn't an anti-virus, it's backups. Backups can feel a bit expensive, since you need to buy some hardware just to have a copy of all your important files, but you will be really glad to have those copies if something ever goes wrong.

Keep in mind that just because you've made a backup, that doesn't mean the backup is actually working. Make sure to check, from time to time, that your backups are actually functional and that you did copy everything you intended to; otherwise you may find out that the backups are incomplete or broken just when you need them.
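Here is an added example of what "check that your backups are functional" can look like in practice. It is my own POSIX shell script, not code from the article or from any project it mentions: it records a checksum manifest when the backup is taken, and later recomputes every hash in the copy and reports files that are corrupt, missing, or not in the manifest. The directories and file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not code from the article: take a checksum manifest when
# you make a backup, then verify the copy against it before you need it.
# All paths are assumptions passed in by the caller.

# Write one "sha256  ./relative/path" line per regular file under $1 into
# the manifest file $2.  $2 must be an absolute path outside $1.
make_manifest() {
    src=$1; manifest=$2
    (
        cd "$src" || exit 1
        find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
            sha256sum "$f"
        done
    ) > "$manifest"
}

# Check that every file in manifest $2 exists under backup directory $1 with
# the recorded hash, and that the backup holds no files the manifest lacks.
# Returns 0 only when the copy matches the manifest exactly.
verify_backup() {
    dst=$1; manifest=$2; rc=0
    # Recomputes every hash; a missing file is reported as a failure too.
    if ! ( cd "$dst" && sha256sum -c --quiet "$manifest" ); then
        rc=1
    fi
    # Files present in the copy but absent from the manifest.
    listed=$(mktemp); found=$(mktemp)
    awk '{ sub(/^[0-9a-f]+  /, ""); print }' "$manifest" | LC_ALL=C sort > "$listed"
    ( cd "$dst" && find . -type f -print ) | LC_ALL=C sort > "$found"
    extra=$(comm -13 "$listed" "$found")
    if [ -n "$extra" ]; then
        printf 'files not in manifest:\n%s\n' "$extra" >&2
        rc=1
    fi
    rm -f "$listed" "$found"
    return "$rc"
}

# Typical use (constructed paths):
#   make_manifest "$HOME/Documents" /backup/documents.sha256   # at backup time
#   cp -R "$HOME/Documents/." /backup/documents/
#   verify_backup /backup/documents /backup/documents.sha256   # later, on a schedule
```

The manifest belongs on the backup medium (or somewhere else a program running as you cannot quietly rewrite), and the verify step is worth running on a timer rather than only on the day you need the restore.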

Reasons Linux is Safer than Windows

Fundamentally, both Linux and Windows are on the same level of "security" when the user can just open the door to a virus and let it ruin everything, however, there are a few things about Linux that makes it harder to open this door to begin with.

Ironically, in many cases the reason isn't that Linux is actually better than Windows, it's simply that Linux is actually worse in a way that accidentally makes viruses not work as well as they do on Windows.

File Extensions and Icons

One of the most insane design decisions you see on Windows is that you can open a file with a known program that you have configured beforehand by double clicking on it, and doing this on an executable program runs it, and there is absolutely no way to tell apart one thing from another. In other words, the same action can either execute a program you already have installed in your PC for years or open a random program you just downloaded from the Internet 3 seconds ago.

That's because of two reasons:

The first is that Windows hides file extensions by default. Windows' Portable Executables have an .exe extension, but you can't see that extension by default, so you can't tell virus.exe apart from virus.jpg. The extension defines File Explorer's behavior: if it's an .exe, it's executed as a program, and if it's a .jpg, you open the image viewer or whatever application is associated with that extension.

This is a pretty bad design decision considering the risk it adds, but it makes sense from a user experience perspective: if you accidentally change the file extension while renaming a file and you don't know what file extension it's supposed to be, you end up with a file that you can't open. That's not really something desirable from an operating system designer's point of view. You shouldn't be making files unopenable just by renaming them. It also doesn't make a lot of sense that the operation to rename a file is capable of changing its type. It's an unfortunate situation that we have where the file extension is de facto how you figure out the file type. I don't personally like that Windows created this situation where a lot of people don't even know what a file extension is, but I understand why it is the way it is.

A yes/no confirmation dialog titled "Rename" that warns: if you change a file name extension, the file might become unusable. Are you sure you want to change it?
The confirmation dialog that appears when you change a file's file extension on Windows 11.

However, there is one problem.

On Windows, a file generally has an icon that represents it, and that icon comes from the application configured to open it. If you have LibreOffice files, they have LibreOffice's icon, for example. The exception is a Portable Executable, which can specify its own icon!

These two factors combined mean that a real, actual way to get someone to open a virus, which I've personally avoided in my Windows XP days, is to simply make a Portable Executable that is a virus, give it a name like a music title or a video title, and change its icon to Windows Media Player's icon so it looks like an actual music or video file that will just open WMP, and not literally an .exe. I assume a lot of people would fall for this simple trick. In fact, maybe the only reason I didn't click that file was because I used Winamp and Media Player Classic, and the icon looked wrong to me.

These two factors combined pretty much allow malicious hackers to fool a lot of Windows users into running programs thinking that the file they are opening is a media file when it's actually a virus. If you have ever seen people say that there was an MP3 file that was a virus, or a WMV file that was a virus, that wasn't the file's actual extension. It was an .exe pretending to be a different file type.

If the virus finds a JPG, AVI or MP3 file, it creates a copy of itself by "borrowing" a name of that file and adding .EXE extension. For example for CLOCK.AVI the virus will create a file named CLICK.AVI.EXE. This malware creates only one file in each folder each time it is run.

Virus.Win32.VB.ab, [https://www.f-secure.com/v-descs/vb-ab.shtml] (accessed 2025-07-02)

In general, the reason why Windows users are downloading these files to begin with is due to piracy.

They find some website that claims to have free music by a popular artist that they can download, or a free video of some Hollywood movie, and they download and open it. Although, to be honest, one example I thought of was free ringtones. These days I guess pirates don't even download files anymore, as they've grown used to apps and streaming.

In any case, the point is that the attackers often say they're giving away something popular for free, because that attracts the most people, and some of these people will fall for the trap.

You may be wondering how does Linux fix this problem. Well, Linux fixes this problem by having several other problems. I'll be talking specifically of Linux Mint here, since it's one of the most popular distros.

First of all, on Linux Mint file extensions are displayed by default. I'm not really sure if this is the best solution considering user experience, but it does inform the user of the file type explicitly and unambiguously, so you won't think something is an MP3 when it clearly isn't.

Second of all, on Linux Mint you can't actually run anything by double clicking on it. Because Nemo is bad. Nemo, Linux Mint's file manager, simply won't tell you that when you double click on a file that is typically executable, like an .appimage, you need to make it executable first. So if you download virus.appimage and double click on it, nothing is going to happen. I mean, sure, in this case it helps, but, in general, if I download an .appimage it's because I want to run it, so I have no idea why they don't just show you a dialog saying "hey, it looks like you want to run this executable file, do you want to make it executable FIRST before running it?" Then I wouldn't keep double clicking on things, waiting a few seconds and seeing nothing happen, wondering why an application is taking so long to load, and then remembering it's because Nemo loves to make me feel like an idiot every time I want to run a program on Linux.

I told you, there isn't actually a good reason for why Linux is better. But it actually gets worse.

The Virus Doesn't Run

By far the most obvious reason a virus won't work on Linux is that the virus won't run at all on Linux.

Let's say for example a malicious hacker sent you an e-mail containing a virus. First of all, this wouldn't even work nowadays because everyone uses Gmail, and Gmail will detect that, so they're going to have to give you a link to a website they control where you'll download the virus. The problem is that this link's URL is probably going to end in .exe and it will download a Windows executable. It won't run on Linux without some effort, and if it does run, it will assume it's running on Windows and try to infect C:\system32 and change some entries in the Windows registry (the one you find through regedit).

In other words, the virus is made for Windows. Even if you fall for a phishing attempt, you're probably safe from a virus because the malicious hacker wouldn't have created a cross-platform virus that runs on both Windows AND Linux. Even if they tried to do that, they'd probably target macOS first.

But let's say that, for some reason, they are targeting Linux desktop specifically.

One problem about Linux is that it's so fragmented, there are so many distros, that it's sometimes difficult to even get a program that you want to run to actually run.

Linux is only the kernel of a Linux-based OS. On top of Linux you MAY have GNU tools like Bash. Or you may not. This means that if a virus is a shell script (.sh extension) but it has Bashisms, it doesn't actually run on all Linux shells, it can only infect GNU/Linux systems that have the Bash shell. Granted that's most Linuxes, but Alpine Linux is going to be safe from this virus because it doesn't have Bash.

Similarly, if there is a vulnerability in systemd that allows a random program to gain privileged access to the OS, that vulnerability doesn't actually exist "on Linux" it exists only "on Linuxes that have systemd." The same is true for all of the other components that may be present in one distro but missing from another.

Often, I see Linux fans use this fact to deflect responsibility. Whenever you encounter a problem with Linux, someone says it's not a problem "with Linux" it's a problem "with some Linux distros." Since you can say that about everything, it makes "Linux" this sort of untouchable component that can never be at fault. We're all using Linux and we're all having problems with it, yet Linux never has any problems. That doesn't make any sense, does it? At least that's how I think.

However, in this case I do have to concede that it's true. Unless the virus exploits a vulnerability in the actual kernel, it wouldn't be easy for a virus to be able to work on all Linuxes, since it's just not a simple task to ensure a program works in all of them in general.

For Linux desktop in particular, there may be vulnerabilities in one desktop environment that are missing from other desktop environments. This means that a virus may work if you use Cinnamon, but not KDE Plasma, or vice-versa.

WARNING: Global themes and widgets created by 3rd party developers for Plasma can and will run arbitrary code. You are encouraged to exercise extreme caution when using these products.

A user has had a bad experience installing a global theme on Plasma and lost personal data.

https://floss.social/@kde/112128243960545659, "Mar 20, 2024" (accessed 2025-07-08)

Dear Community and KDE,

I just installed this Global Theme, innocently (Global Themes -> Add New...):

It DELETES all your USER mounted drives data. It executes rm -rf on your behalf, deletes all personal data immediately. No questions asked.

Do NOT install Global Themes - Some wipe out ALL YOUR DATA, 19th of March, 2024 [https://www.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/] (accessed 2025-07-08)

Note: dude... why is a theme running random code? It's a theme! And most of them are just the same variation of dark mode/light mode with a tint. It's things like these that make it really hard to believe any sort of technological superiority the Linux community purports to have...

Cinnamon theme, similar to GTK theme, is written in CSS. No, CSS as the stylesheet language of webpages, can't run arbitrary code.

For "spices", I think they are written in Javascript. So there should be some sort of sandbox as Javascript API by itself doesn't expose the whole computer to the script file, but I am not sure how watertight that is.

[...]

The Cinnamon spices were moved to being hosted in a Mint controlled github repo quite some time ago. This was one of the main reasons why. It means that any spices added or code changes to them have to be approved by Mint devs before they make it to a user. It helps to eliminate the possibility of this happening. It actually angered some 3rd party devs at the time and they stopped developing the spices. But it was seen as the best move to make for the end users.

Do Cinnamon themes run arbritrary code like KDE themes? [https://forums.linuxmint.com/viewtopic.php?t=416379] (accessed 2025-07-08)

At least my distro is safe. Not that I install any themes, because they all look the same to me anyway. But at least I can recommend Mint to others without worrying that changing the color of the taskbar from translucent dark green to translucent dark blue will wipe out their home directory.

Additionally, the Linux ecosystem cares less about backwards compatibility compared to Windows. That's because on Linux you have the source code of most programs, as they are open source. This means that sometimes something at a very fundamental level changes (e.g. glibc) that makes ALL EXISTING PROGRAMS UNUSABLE, and yet Linux still works just fine because you can just recompile everything from the source code so that it works with the new infrastructural programs. On Windows, this isn't really possible, so Microsoft bears the responsibility of making old programs still work on new versions of Windows.

[...] this is something that is religious to me: you do not break user space. And even in the kernel, I, every single release, I have people saying "okay, I'm changing this ABI because it's cleaning stuff up." I don't like it. No... you aren't changing that ABI because I'll CRUSH YOU.

[...] this is like a big deal for the kernel, and I spend a lot of effort explaining to all the developers that this is a really really important thing, and then all the distributions come in and they screw it all up. Because they break binary compatibility left and right, they update glibc and everything breaks. You, hey, you can recompile everything, right? That really seems to be this mindset quite often.

Linus Torvalds, DebConf 14: QA with Linus Torvalds, "Aug 31, 2014" [https://www.youtube.com/watch?v=5PmHRSeA2c8&t=510s] (accessed 2025-07-05)

This means that in some cases, unless you recompile a virus from its source code, you can't run it. Very old viruses on Windows may still be effective somehow, but on Linux they simply can't last as long.

This doesn't mean it's impossible to make the virus run, it just means that the avenues to get the virus to run become different.

The first avenue is to make the virus open source. In other words, the virus developer writes their virulent code into the source code that will be distributed to the user. In this case, it makes more sense to target some fundamental program that is installed on millions of Linux computers than something that is only used by a few. In either case, the virus developer can be caught red-handed by someone who reviews the source code.

In practice most people aren't going to read the source code, so I think there is a dangerous assumption that "because it's open source, SOMEONE ELSE must have checked the code, so I don't need to," and if everyone thinks that way, the developer can write whatever they want and nobody will ever check it.

Even if you DO check the source code, there is also the question of WHICH source code you're checking. The source code on GitHub may not be the same as the source code in a packaged "release" tarball that is also hosted on GitHub.

The backdoor is quite complex. For starters, you won’t find it in the xz GitHub repository (which is currently disabled, but that’s besides the point). In what seems like an attempt to avoid detection, instead of pushing parts of the backdoor to the public git repository, the malicious maintainer only included it in source code tarball releases. This caused parts of the backdoor to remain relatively hidden, while still being used during the build process of dependent projects.

XZ Utils Backdoor — Everything You Need to Know, and What You Can Do, "April 01, 2024" [https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know] (accessed 2025-07-05)

In essence, a malicious developer who is smart has a large number of methods to fool you if you aren't thorough in reviewing their code. It's simply not practical to do any of this, so the only thing that works in practice is really trusting people and building deterrents to prevent crime from happening.

For example, instead of installing software from random anonymous users on the Internet, it makes more sense to install it from someone who has an address, a name, and a face, so they can at least get sent to prison if they try to commit cybercrimes. It's not perfect, but it's one assurance you can have. Reputation is a very important thing.

The second avenue to make a virus run on all Linux systems is to build it on top of some abstraction layer, for example viruses that are Python scripts or JavaScript running in Electron applications. Discord is distributed as an Electron application, which means that if someone manages to compromise Discord, they can potentially harm users on both Linux and Windows without having to worry about the complexities of the Linux landscape. In fact, Electron applications might be an easy way to compromise Linux systems, because Electron applications come with all the functionality you need to read and modify files on the operating system and to send data to the Internet, including the ability to just download a script from a URL and run it. It actually takes a bit of effort for the developer to make an Electron application secure compared to just making it insecure. An Electron application with lax security could potentially be exploited by a malicious hacker.

Installing Viruses from Untrusted Sources

Once again, one way that viruses often make their way to people's computers is through piracy. This time piracy of software.

It's not unusual for people to have pirated Photoshop, pirated games, and even pirated Windows itself, thinking they are just getting software for free because some good Samaritan on the other side of the world wants them to have it for free for some reason. I'm not saying these people don't exist, but it's definitely not everybody.

If you are the sort of person that simply pirates every AAA game indiscriminately just because you can, you're obviously going to download something that is going to infect your PC one day. In fact, you may have been infected already, and you don't know it yet because it's just not the sort of virus that is obvious.

Lure victims with free stuff, then give them a virus. It's a simple strategy that works because you really want to play that newest FIFA that is literally the same thing as the previous 5 FIFA's you pirated, don't you?

I can't really assess how large this problem actually is, because it's a controversial topic for some reason, with two parties that have a vested interest in making conflicting claims. For example:

Recent research done by the Vienna University of Technology shows that distributing infected cracks or keygens is one of the ways malware can spread [2]. For this experiment, researchers gathered over 43,900 download links manually and automatically through three common networks, Usenet, One Click Hosters (OCHs) like RapidShare, and BitTorrent. Top pirated software such as Adobe Photoshop CS5.1, Ahead Nero 10, Microsoft Office 2010, Norton 360, and various gaming software were then downloaded and executed for analyzing purposes. The research team scanned each file with Virustotal, which utilizes 43 different anti-virus scanners. Their analysis shows that about 50% of collected cracks and keygens tested are infected with malware.

In short, over 50% of all pirated files are infected with malware that are constantly repacked to evade even the most up-to-date anti-virus programs. Software piracy acts as a gateway for cybercriminals to infect computers, leaving individuals and their personal data vulnerable to malware infection.

Malware in File Sharing, [https://resnet.ucsd.edu/security/file-sharing.html] (accessed 2025-07-05)

If you were to believe this research, then pretty much everything is infected. Flip a coin: if it lands on tails, you're safe; if it lands on heads, you're infected. It's that simple.

However, some would point out that of course this type of software would be flagged as a virus, because it needs to act like a virus in order to accomplish its objective. In particular, a "crack" needs to modify another program's files, which is something a virus would normally do.

The problem with this line of thinking is that, if you are someone who makes viruses and distributes them as pirated software, that's exactly the sort of thing you would want to tell everybody. "No, it's safe, trust me, bro, the anti-virus is giving false positives here." Surely, it's not 50%, right? That sounds too high. But it can't be 0% either.

While viruses and malware can be added to any file online, it is rare for malicious content to be planted by those in the so-called warez scene. Nevertheless, it has now been revealed that since February 2013 one particular group has been dropping a little something extra into its cracked software releases. Anyone who has installed the group's software patches may well have had their username, hard drive serial, computer name and IP address emailed out without their knowledge.

Piracy Release Group Has Been Spying on Downloaders For 9 Months, November 11, 2013, [https://torrentfreak.com/piracy-release-group-has-been-spying-on-downloaders-for-9-months-131111/] (accessed 2025-07-05)

But is it really "rare," though? I don't know whom to believe!

It's often said that when something is free, like social media, you aren't the customer, so you are the product. I think it's healthy to apply this same level of skepticism for other things that are free, like piracy. Wait a second... Linux is free?!

How is Linux better in this regard?

Well, first of all, none of these popular programs even run on Linux. Photoshop doesn't run on Linux. Many AAA games don't run on Linux. Pirates are a bit too peg legged on Linux—can't run anything.

Second, let's say that you aren't trying to pirate software, but it's actually some free program that you found on the Internet, some freeware, that you want to use.

On Windows, you're going to download an .exe from the developer's website, e.g. for Notepad++. This means there is a risk that you download it from a malicious website, that you fall victim to a phishing attack where the malicious hacker creates a website that looks like the website you wanted to visit, but instead of giving you the normal .exe they give you an infected .exe.

Or perhaps, even more simply, it's some website that distributes all sorts of applications, but they don't collect the applications themselves; they simply let anyone upload anything without confirming that the person is the actual developer of the program, so anyone could pretend to be Notepad++'s developer and upload an infected .exe to that website, and when you look at it you would think it's the real thing.

Lots of people complain about Google results these days, but one of its most important jobs isn't even to actually show a long list of search results that are relevant, it's simply to make sure that if someone searches for "Notepad++" the first thing that appears is Notepad++'s official website and not some random website. This is very important. The search engine must place the official result above everything else for security reasons.

Both of these scenarios are solved on Linux by the package manager and software repositories. You simply don't have to go to a website to install lots of things on Linux.

For example, if you want to install Krita on Linux Mint, you simply open the software manager and search for "Krita" and install it. You don't even have to open the terminal, although you could do it from the terminal as well.

A terminal screenshot of the command "apt install krita", which reads:

    virtual@curiosities:~$ apt install krita
    [sudo] password for virtual-curiosities:
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    The following additional packages will be installed:
      krita-data libebur128-1 libkseexpr-data libkseexpr4 libkseexprui4 liblept5 libmlt++7 libmlt-data libmlt7 libmovit8 libopencv-calib3d406t64 libopencv-contrib406t64 libopencv-dnn406t64 libopencv-features2d406t64 libopencv-flann406t64 libopencv-highgui406t64 libopencv-ml406t64 libopencv-objdetect406t64 libopencv-video406t64 libqt5opengl5t64 libquazip5-1t64 librtaudio6 libsox-fmt-alsa libsox-fmt-base libsox3 libtesseract5 libturbojpeg
    Suggested packages:
      krita-l10n libquazip-doc libsox-fmt-all
    The following NEW packages will be installed:
      krita krita-data libebur128-1 libkseexpr-data libkseexpr4 libkseexprui4 liblept5 libmlt++7 libmlt-data libmlt7 libmovit8 libopencv-calib3d406t64 libopencv-contrib406t64 libopencv-dnn406t64 libopencv-features2d406t64 libopencv-flann406t64 libopencv-highgui406t64 libopencv-ml406t64 libopencv-objdetect406t64 libopencv-video406t64 libqt5opengl5t64 libquazip5-1t64 librtaudio6 libsox-fmt-alsa libsox-fmt-base libsox3 libtesseract5 libturbojpeg
    0 upgraded, 28 newly installed, 0 to remove and 136 not upgraded.
    Need to get 87,5 MB of archives.
    After this operation, 192 MB of additional disk space will be used.
    Do you want to continue? [Y/n]

What happens when you use apt install krita on Linux Mint.

The Virus can't be Virulent

Normally, when people say "virus," what they really mean is malware, malicious software, of which a virus is only one type. There are others: trojans, rootkits, keyloggers, etc.

What differentiates a virus from other malware, technically, is its capability to infect other programs. In other words, when cybersecurity researchers talk about a "virus," they may be talking, strictly speaking, about a type of malware capable of copying its own program into other programs and modifying them so that the "virus" program becomes part of them. Consequently, even if you deleted one infected file, the virus would still persist in your system, since it's attached to some other program now. This is why you would need an anti-virus to get rid of these. The anti-virus would scan all files on your computer to find files that include bytes matching those of the virus. At first you could do this just by checking whether the byte sequence matched that of the virus program exactly, but naturally virus developers became smarter and started varying the program a bit when infecting a file in order to avoid detection, which led anti-virus developers to employ heuristics to try to figure out whether something looks like a virus even if it doesn't match any virus fingerprint in their database.

One argument that Linux "can't get viruses" is that most programs on Linux must be installed as root, and when they are installed they become root-owned files in /bin. By default, root-owned files can't be modified by a normal user, so it's impossible for you to just download an .appimage, double-click it, remember that Nemo loves to waste your time, make the .appimage executable first, double-click it again, and then have that .appimage infect /bin/bash or something like that, because an .appimage that you run as yourself (not as "administrator," not as root) simply can't modify /bin/bash in order to infect it.

But of course this all assumes the user isn't going to open the door for the virus.

In reality, if you want to run a program and its README.md on GitHub says to install it you "just curl http... | sudo bash", you're probably going to do it if you don't understand the risks.

Once again, this is all at the system-security level. If you use sudo all the time, the system may get compromised if you run a virus that targets system files. Alternatively, if you make root-owned files writable by everyone (rwx), you have also opened the door to being compromised this way.

On the user level, the .appimage you downloaded can still infect OTHER .appimages in your home directory even without sudo, since those aren't root-owned files. I guess most people assume that would be an unusual thing to do, but it's still very easy to write a virus that scans your home directory for executable files and tries to infect them. In fact, the easiest file to infect is probably .bashrc, since it runs every time you open the terminal, Nemo doesn't display it by default as it's a dotfile, and even if you do use the terminal you might not know it exists.

In summary, if someone tells you Linux can't get viruses because /bin isn't user-writable, it's because they don't care about the files on your desktop; they only care about servers.
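The permission argument from the last few paragraphs, worked through in code as an added example (not from the article): `can_write` is the plain Unix owner/group/other rule the kernel applies (root bypasses it, which is what running under sudo means), the `SAMPLE` entries are constructed to mirror the scenario (the path /usr/bin/sloppy is made up), and `audit_home` applies the same rule to the real home directory of whoever runs it.

```python
import os
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class FileInfo:
    path: str
    uid: int   # owning user
    gid: int   # owning group
    mode: int  # permission bits, e.g. 0o755

def can_write(f: FileInfo, uid: int, groups: set) -> bool:
    """Plain Unix discretionary access control for write: root bypasses the bits,
    otherwise exactly one of the owner/group/other bit sets applies.
    (ACLs, the immutable flag and SELinux/AppArmor are out of scope here.)"""
    if uid == 0:
        return True
    if uid == f.uid:
        return bool(f.mode & stat.S_IWUSR)
    if f.gid in groups:
        return bool(f.mode & stat.S_IWGRP)
    return bool(f.mode & stat.S_IWOTH)

def infectable(files, uid: int, groups: set) -> list:
    """Paths a program running as this user could modify, i.e. could attach itself to."""
    return [f.path for f in files if can_write(f, uid, groups)]

# Constructed sample modelled on the article's desktop scenario: uid 1000 with one group.
USER, USER_GROUPS = 1000, {1000}
SAMPLE = [
    FileInfo("/bin/bash", 0, 0, 0o755),                      # root-owned, as apt installs it
    FileInfo("/usr/bin/sloppy", 0, 0, 0o777),                # made-up root-owned file chmod'ed world-writable
    FileInfo("/home/user/.bashrc", 1000, 1000, 0o644),       # runs on every terminal open
    FileInfo("/home/user/app.AppImage", 1000, 1000, 0o755),  # downloaded, then made executable
]

def audit_home(home: str = os.path.expanduser("~")) -> list:
    """Executables and .bashrc under the real home directory that the current user could modify."""
    uid, groups = os.getuid(), set(os.getgroups())
    found = []
    for dirpath, _dirs, names in os.walk(home):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the target by its own permissions, not the link's
            mode = stat.S_IMODE(st.st_mode)
            if name == ".bashrc" or mode & 0o111:
                found.append(FileInfo(path, st.st_uid, st.st_gid, mode))
    return infectable(found, uid, groups)
```

Running `audit_home()` as a normal user lists exactly the files a virus launched from your own account could attach itself to, which is the list the "/bin isn't writable" argument ignores.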

Economics of Viruses

The final aspect to think about is the motivation of the creator of the virus.

Although many computers use the same operating system, not every computer is used for the same purpose.

If the virus is ransomware, it makes more sense to target someone who can actually pay the ransom. It doesn't make a lot of sense to infect a random person's computer; it makes more sense to infect an entire company. Maybe hackers that target companies don't use games as bait; they use some office-related software that people in the office would download and try to run.

While less common than its Windows counterparts, Linux ransomware is not unheard of. From the first quarter of 2022 to 2023, our Midyear Security Report cited that our sensors detected a 62% increase in Linux ransomware attack attempts. One such example is the KillDisk ransomware that targeted financial institutions. Ransomware often exploits vulnerabilities related to outdated software, poor system configurations, or phishing attacks. Regular software updates, careful email handling, and robust backup strategies are critical defenses against ransomware attacks.

The Linux Threat Landscape Report, based on 2022 data, [https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-linux-threat-landscape-report] (accessed 2025-07-05)

If the virus is trying to mine cryptocurrencies in the background, on the other hand, it benefits from computers with a good GPU, so maybe this one does target gamers.

If the virus is trying to create a botnet, then I guess it's fine with any type of computer. I don't know, honestly. Cybersecurity isn't really my expertise.

What I mean is that the creator of the virus is creating the virus for a reason, with some objective, and like all entrepreneurship there are some economics involved.

If the virus is supposed to make the hacker money, but it doesn't infect anyone, then he doesn't make any money. What is the point, then? The hacker wants as many people as possible running his virus, just like a game developer would, and this means they target first and foremost the platform with the most users: Windows.

Guardian Digital CEO and LinuxSecurity.com founder Dave Wreski commented on the evolution of Linux malware, “Over the years, malware targeting Linux systems has become both more sophisticated and more common; however, up until fairly recently, Linux malware was still relatively scarce and primitive compared to the variants that threatened proprietary operating systems. As of 2018, there had not yet been a single widespread Linux malware attack or virus comparable to those that frequently target Microsoft Windows - which can be attributed to a lack of root access and rapid updates to the majority of Linux vulnerabilities.” Unfortunately for Linux users, the era of complete data and network security has ended, as the Linux threat landscape has remodeled to become significantly more complex and dangerous to users.

Rising Malware Threats to Linux: Understanding Risks and Defenses, "Mar 19, 2025" [https://linuxsecurity.com/features/rising-malware-threats-to-linux-understanding-risks-and-defenses] (accessed 2025-07-05)

Another factor to understand is that not all PC users are the same. Linux users are on average better with computers than Windows users. This means that many tactics that would work on gullible Windows users, like distributing viruses disguised as MP3s, wouldn't work on Linux users even if they were using Windows. Not only are there fewer people, but they are people who are harder to infect on average.

Let's think about opportunity costs: wasting time trying to infect Linux desktop users is just not a good idea when you could use that time to make more viruses for Windows and infect more Windows users. Or, a possible alternative that might be more profitable and therefore justify the effort: you would target Linux servers instead.

Trend Micro reports that 97% of attacks on Linux are performed on web technologies. This means that if your desktop PC isn't a web server, you're immune to most of the attacks. You can't be infected through vulnerabilities in PHP if you aren't running a PHP web server, for example. One of the most notorious and serious vulnerabilities found in these, the Heartbleed bug in OpenSSL, is completely ineffective on a computer that isn't running an HTTP server to begin with. As mentioned previously, any computer can send a message to your PC from anywhere on the planet if you're connected to the Internet, but your PC won't process this message unless you are running a program responsible for processing it, and by default you won't be.

Linux attacks are dominated by web-based attacks, in contrast to Windows. Web attacks, such as SQL injection, cross-site scripting (XSS), server-side request forgeries (SSRF), and other security compromises, are aimed at web resources.

The Linux Threat Landscape Report, based on 2022 data, [https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-linux-threat-landscape-report] (accessed 2025-07-05)

Conclusion

Based on what we've learned in this article, we can conclude a few things.

First, there are many different ways to get infected with a virus. Some are beyond your control and you don't need to worry about them (system-level vulnerabilities); the only thing you can do is keep your system updated. Others are due to user mistakes, "opening the door" to the virus.

There are many different ways we can open this door, and although Linux provides no real solution to this door problem, it does accidentally make opening the door much harder for various reasons, not all of which were intended to help with security, but which do end up helping against viruses in practice.

It's still possible to get infected on Linux, but there are fewer viruses because virus developers, much like every other sort of software developer, simply don't target the Linux desktop in general, so there are fewer viruses that will run on your Linux PC than on your Windows PC.

Most of the things that make viruses a bigger problem on Windows than on Linux actually have nothing to do with how each operating system works. There are no security features that make Linux safer than Windows in practice. As I explained before, we have system-level security and user-level security, so even if we debated whether or not Linux has better system-level security than Windows, and whether that's why so many servers run Linux, it literally doesn't matter when the user can just open the door to any virus whenever he wants.

Instead, the real big difference is that it hasn't been worthwhile for hackers to make viruses for Linux yet.

It's just hard to justify the effort if you're doing it for money when you can just infect more people on Windows instead for the same amount of effort.

It's worth noting that not all viruses are created with the intent of making money. There have been cases of viruses whose sole purpose was to destroy the victim's computer and nothing else. Just a senseless act of cyber violence. This is unusual but it's still something to be aware of, and that's why you need backups. You never know when someone is going to decide to try destroying your PC from inside for no good reason.

It's possible that in the future we'll see more people with less technical skill starting to use Linux, which will make developing viruses for Linux profitable, which in turn will make viruses for the Linux desktop a real problem. Currently, however, that's not been the case, and that's why I think you don't need an anti-virus for Linux. You need backups. But not even because of viruses: simply because your SSD is probably going to fail in a few years and then you'll lose all your files.

Written by Noel Santos.

About the Author

I'm a self-taught Brazilian programmer with a degree in IT from a FATEC. In a world of increasingly complex and essential computers, I decided to use my technical expertise in hardware, desktop applications, and web technologies to create an informative resource to make PCs easier to understand.
