Install Anti-Malware by default for system scanning

Bug #1857410 reported by Clinton H
This bug affects 2 people
Affects   Status     Importance  Assigned to  Milestone
Ubuntu    Confirmed  Wishlist    Unassigned

Bug Description

The idea that Linux is immune to malware is a false sense of security. Prevention is the best solution. The Ubuntu Software Center might contain undiscovered malware. Users could download a malicious .deb file. Firefox could automatically download a malicious JavaScript file. Malware could trick a user into entering their root password. I know AV affects performance. It could automatically scan only files and repositories added to the system. A scheduled system scan could be optional.

The following could be preinstalled:

ClamAV
chkrootkit
rkhunter
Suricata - intrusion prevention/detection

Bryce Harrington (bryce)
summary: - Why not integrate ClamAV Anti-virus into Ubuntu 20.04?
+ Install ClamAV Anti-virus by default for system scanning
Changed in clamav (Ubuntu):
importance: Undecided → Wishlist
Revision history for this message
Bryce Harrington (bryce) wrote : Re: Install ClamAV Anti-virus by default for system scanning

Whether or not this should be done is a higher level question that should probably be discussed more broadly. As you point out, there are implications regarding performance that may make this undesirable to do for everyone across the board. This bug report is not really the right venue for that type of discussion - please raise it on Ubuntu Discourse, or the ubuntu-devel@ mailing list, or other project-wide discussion platform you prefer.

Personally, I think this is an idea worth pursuing. Online threats are omnipresent and only growing worse, after all. Historically Linux has tended to be safer due to its design and obscurity, but as you point out this is a false sense of security that will inevitably fail. So below is some speculation on how this improvement might be implemented:

Ideally each point of entry (Firefox, Software Center, ssh, ...) will have their own security mechanisms to prevent malware or intrusion, so probably for point-of-entry scanning (via clamav or other anti-virus mechanisms - see https://help.ubuntu.com/community/Antivirus) tickets should be filed against those packages, as appropriate.

However, clamav also has a system scanning mode that runs per a schedule (cron or at), and I gather that's what is being suggested here. To make it installed by default would require adding clamav to one of the seeds (the desktop seed if it's only wanted for desktop, or some other seed if it's needed for Ubuntu Server and so on). Clamav sends reports via email, so the system would need to have a configured email address, and be able to deliver email locally, or else have some other means of communicating troubles to the user (e.g. popup notification, dialog in System Tools, motd entry, ...). Some thought would also need to go into what to do for fully autonomous installs such as a cloud server that may receive little or no maintenance attention after deployment.

The antivirus software would probably need to be continuously updated in production, to have the latest signatures and other protection mechanisms. This implies that a standing FFE would need to be granted for clamav (and/or other AV software). (This is probably a good idea regardless of whether it's installed by default or not.)

Clamav doesn't disinfect files, it just detects and/or removes them. That may be too destructive to be done generally, so implementing this may need to be done in conjunction with a system backup service (which itself is also a great idea but not done by default, for obvious reasons).

I would strongly encourage you to raise this idea more publicly. The security team in particular would be worth soliciting input from - they might be able to say if this is a non-issue due to other existing protections, or suggest alternative approaches that would give better bang for the buck. Meanwhile, I'll set this to wishlist.
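The scheduled-scan mode discussed in the comment above, as an added example that is not part of this bug thread or of the clamav package: a POSIX sh wrapper that a cron job could run instead of relying on e-mail delivery. It uses clamscan's --move to quarantine rather than delete (so a false positive can be restored), and reports through a desktop notification, syslog and a motd fragment. The script path, the cron line, the quarantine and log paths, and the sample clamscan output are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the clamav package.
# Wrapper for a scheduled ClamAV scan: quarantines instead of deleting and
# reports without needing a local mail system. Paths, the cron line and the
# sample output below are assumptions for illustration.
#
# Suggested schedule (assumed install path for this script):
#   /etc/cron.d/clamav-scan
#   0 3 * * * root /usr/local/sbin/clamav-scheduled-scan --run

SCAN_ROOT="${SCAN_ROOT:-/home}"
QUARANTINE="${QUARANTINE:-/var/lib/clamav/quarantine}"
LOGFILE="${LOGFILE:-/var/log/clamav/scheduled-scan.log}"

# clamscan exit status: 0 = clean, 1 = infected file(s) found, 2 = error.
# Keeping "error" separate stops a scan that never ran from looking clean.
verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Number from the "Infected files:" line of clamscan's scan summary.
infected_count() {
    printf '%s\n' "$1" | awk -F': ' '/^Infected files:/ { print $2; exit }'
}

# Paths of the files clamscan flagged, from lines of the form
# "<path>: <signature> FOUND".
found_files() {
    printf '%s\n' "$1" | awk '/ FOUND$/ { sub(/: [^:]* FOUND$/, ""); print }'
}

# Reach a human: desktop notification if a session is reachable,
# syslog always, and a motd fragment shown at the next login.
notify_user() {
    msg="$1"
    if [ -n "${DISPLAY:-}" ] && command -v notify-send >/dev/null 2>&1; then
        notify-send -u critical "ClamAV scheduled scan" "$msg"
    fi
    if command -v logger >/dev/null 2>&1; then
        logger -t clamav-scan -p auth.warning "$msg"
    fi
    if [ -d /etc/update-motd.d ]; then
        printf '#!/bin/sh\necho "%s"\n' "$msg" > /etc/update-motd.d/99-clamav-scan
        chmod 755 /etc/update-motd.d/99-clamav-scan
    fi
}

run_scan() {
    mkdir -p "$QUARANTINE"
    # --move quarantines rather than --remove; -i prints only infected files.
    if output=$(clamscan -r -i --move="$QUARANTINE" --log="$LOGFILE" "$SCAN_ROOT" 2>&1); then
        status=0
    else
        status=$?
    fi
    case "$(verdict "$status")" in
        clean)    : ;;
        infected) notify_user "$(infected_count "$output") file(s) quarantined in $QUARANTINE; see $LOGFILE" ;;
        error)    notify_user "scan failed (exit $status); see $LOGFILE" ;;
    esac
}

# Constructed sample of clamscan -i output, used only to exercise the parsers.
SAMPLE_OUTPUT='/home/alice/Downloads/eicar.com: Win.Test.EICAR_HDB-1 FOUND
/home/alice/Downloads/setup.deb: Unix.Dropper.Generic-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8695100
Engine version: 1.0.5
Scanned directories: 12
Scanned files: 340
Infected files: 2
Data scanned: 58.12 MB
Time: 14.021 sec (0 m 14 s)'

if [ "${1:-}" = "--run" ]; then
    run_scan
fi
```

Deciding from clamscan's exit status rather than grepping for FOUND keeps the clean/infected/error distinction, so a scan that could not run (missing database, unreadable root) is reported instead of passing silently. The wrapper does nothing about signature freshness; freshclam still has to keep the database current for the scan result to mean anything.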

Changed in clamav (Ubuntu):
status: New → Confirmed
Revision history for this message
Clinton H (49studebaker) wrote (last edit ):

Kaspersky has released a virus removal tool for Linux. Go to the website below and click “Show other platforms”. Some people don’t trust Kaspersky, but it is a well known security company. Use at your own risk.
https://www.kaspersky.com/downloads/free-virus-removal-tool

Information about Kaspersky Virus Removal Tool for Linux:
https://www.kaspersky.com/blog/kvrt-for-linux/51375/

Linux Malware:
https://securelist.com/?s=Linux
https://www.akamai.com/blog/security-research/critical-linux-backdoor-xz-utils-discovered-what-to-know

Security researcher’s comments on Linux security:
https://madaidans-insecurities.github.io/linux.html

summary: - Install ClamAV Anti-virus by default for system scanning
+ Install Anti-virus by default for system scanning
summary: - Install Anti-virus by default for system scanning
+ Install Anti-Malware by default for system scanning
Revision history for this message
Clinton H (49studebaker) wrote (last edit ):

Could you add reverse shell detection and automatically block remote connections? There could be a firewall section in the settings app that would allow a user to override the blocked remote connection. There could be a warning about the danger of allowing the connection because it can’t be determined if there is malicious intent.

There could be a button that would allow the user to submit the remote connection information to the Linux security team; they could check if the remote server is trusted or malicious. Trusted servers or IP addresses could become malicious. Higher priority would be given to the most requested.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ubuntu-personal-security (Ubuntu):
status: New → Confirmed
Clinton H (49studebaker)
description: updated
Clinton H (49studebaker)
description: updated
Clinton H (49studebaker)
description: updated
Clinton H (49studebaker)
description: updated
no longer affects: ubuntu-personal-security (Ubuntu)
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Hi,

ubuntu-personal-security is a package that's been dropped on Xenial, therefore I removed its task from this bug.

Otherwise, Bryce's comment already outlines a good step forward here. Also, since this is not a bug on clamav per se, I decided to change its task to the general "Ubuntu" component.

affects: clamav (Ubuntu) → ubuntu
Revision history for this message
Clinton H (49studebaker) wrote (last edit ):

If a user chooses to use a deb file to install software, Linux could prompt the user for the hash value. This would ensure the file didn’t get corrupted while downloading.

The attacker who embedded malware in Linux Mint created a hash value for the malicious ISO file. Verifying the hash would not have protected users.

There could be a database of hash values for non-repository software. If a user downloads a deb file, Linux could use the hash value from the database to verify the download is safe. If the downloaded software is not found in the database, a user could press a button to request that the software and hash value be added. Linux security team developers could check the software and add the legitimate hash value to the database. This could help protect inexperienced Linux users.

A user could install non malicious software from the repository or a deb file, but malware could be delivered through software updates. Some software developers might not be trustworthy or they might get hacked. Malicious code might be obvious in open source software, but security flaws are like a back door and are more difficult to discover.
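The hash-database idea from the comment above, as an added example that is not part of this bug thread: a POSIX sh check of a downloaded .deb against a hash list pinned from a channel independent of the download. The point it makes concrete is the Linux Mint case mentioned above: a digest served next to the file only proves the download was not corrupted, whereas a digest obtained elsewhere can catch a substituted file. The list format, the sample entries and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report. Verifies a downloaded .deb
# against a pinned hash list and yields one of three verdicts:
#   verified  digest matches the pinned value
#   mismatch  file differs from what was pinned (corrupted or substituted)
#   unknown   not in the list; do not install, request review instead
# The list format and entries are assumptions for illustration.

# One entry per package, "<sha256>  <filename>" (the layout sha256sum -c reads).
# Constructed sample; a real list would be fetched and authenticated out of
# band (e.g. signed), never taken from the same page as the download.
PINNED_HASHES='2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  example-app_1.0_amd64.deb
9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08  other-tool_2.3_amd64.deb'

# SHA-256 of a file, via sha256sum or shasum, whichever is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# $1 = path of the downloaded file. Looks the file up by basename and
# compares the pinned digest with the actual one.
verify_download() {
    name=$(basename "$1")
    expected=$(printf '%s\n' "$PINNED_HASHES" | awk -v n="$name" '$2 == n { print $1; exit }')
    if [ -z "$expected" ]; then
        echo unknown
        return 2
    fi
    actual=$(sha256_of "$1")
    if [ "$actual" = "$expected" ]; then
        echo verified
        return 0
    fi
    echo mismatch
    return 1
}
```

Keying the lookup on the filename is the weak part of this sketch: an attacker who controls the download can pick any name, so a production version would key on the package name and version read from the .deb's control file, and would treat "unknown" as a hard stop rather than a warning. It is also worth noting that apt already solves this for repository packages by signing the Release file that carries the package digests; the gap the comment describes is only for .deb files fetched outside a repository.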

Revision history for this message
Clinton H (49studebaker) wrote (last edit ):

Could you add “Avoid entering your password to grant higher levels of permission to programs without being aware of having started those programs.” to the “An application is attempting to perform an action that requires privileges. Authentication is required to perform this action.” pop up message.

Malware could trick a user into entering their admin password in order to gain higher privileges.
