Qubes: Antivirus?

Is an antivirus program recommended for Qubes? I am using it with Whonix. Would I run it in my VMs? What if my PC itself is infected? (I would like to find that out somehow)

that is stupid
don’t believe any antivirus claim
they just lie (mostly)
no antivirus can protect you from new malware
also, they are collecting your data
if you still need one (you can live uninfected without antivirus), use clamav
and that is for a normal os
in qubes, even if one of your vms is infected, you are still mostly safe

what av are you using

it depends on the virus and the vm it is infecting


The Qubes architecture pretty much removes the need for antivirus in most circumstances for the following reasons:

  • It would take a specialized virus to infect an AppVM. Specifically, it would need to understand that it needs to attack /rw (a Qubes-specific folder) or it will get discarded as soon as the AppVM terminates.
  • I don’t know what you mean by “the computer itself,” but I can’t think of any likely attack vectors. If you’re worried about infecting the Xen hypervisor, then you might want to look into anti-evil-maid systems. If you mean Dom0, then viruses shouldn’t have access because you’re not doing work in that VM, and Dom0 doesn’t normally have Internet access.

If you use Standalone VMs, then my previous comments go out the window, and you need to protect them using your usual methods as though they were regular PCs. Feel free to use your normal antivirus solution there.

Since you mentioned Whonix, that uses App VMs, and the best defense is to periodically restart the Whonix gateway and client. This should reverse any virus infections.

4 Likes

this is a virus, not someone who has access to your computer

so what if your normal antivirus is a bad one

If I understand Xen (which I admit I do not), I think the main way to infect it would be to alter its kernel. Anti Evil Maid should flag on that.

I’m not qualified to evaluate anti-virus programs. Some are scams, like the banner ads that claim to have found 2,453,754,453,435,987,433,767,333 viruses and want $5 per virus to clean your system. Others have generally better reputations, but I would only trust them to reliably catch known viruses, not brand-new ones.
I’m also not prepared to address data privacy issues with anti-virus programs. The ones I’ve seen have been pretty upfront about sending suspect files to the mothership for analysis. I’ll leave it to you how much you wish to trust such claims.

that is infecting dom0, not xen

unless it infects boot stuff, AEM won’t flag that (IIRC)

i don’t trust them AT ALL (because most of them are proprietary)
also, most av comes with “real-time protection” which is

run with administrator privileges and can become an attack vector


When I referred to the Xen “kernel”, I meant /boot/efi/EFI/qubes/xen.efi, which I could have sworn was “boot stuff” and under the purview of Anti Evil Maid. I apologize if I used the wrong name and caused confusion.

That’s your choice. A choice O.P. might not share. I did my best to describe how such a program might fit into Qubes’s security model. We must each make our own choices about who and what we should trust.

2 Likes

some small correction

that is for uefi only

Hey hey @PPC—your point about not trusting claims to “perfect” security is well and good. Pls try to keep it respectful, though? The OP does have a valid question—and many people come to use Qubes, new to security. We all help each other out, that’s how it rolls.

3 Likes

Hi @Thamil13,

If I’m right in assuming that you’re new to the world of Qubes OS, welcome to the family!

If I’m right in assuming that you’re coming from a Windows background (because generally, Linux users won’t ask this sort of question), let me break it down for you:

The Qubes architecture pretty much removes the need for antivirus in most circumstances for the following reasons:

It would take a specialized virus to infect an AppVM. Specifically, it would need to understand that it needs to attack /rw (a Qubes-specific folder) or it will get discarded as soon as the AppVM terminates.

This is what makes Qubes OS so great. Even if something DOES get in, chances are, a simple reboot of the Qube will make it disappear. Unless it’s ransomware, then your home directory would be gone…but I’m sure you’d have backups of things like that, or you’d keep those important things inside other Qubes :wink:

I don’t know what you mean by “the computer itself,”

To be honest, I don’t quite know either. The idea of Qubes OS is that you don’t actually do anything meaningful inside “the computer itself”, and that’s one of the things that protects it. There is no reason why dom0 should EVER be able to connect to (or be reached from) the outside world. Nothing in, nothing out. It just sits there, facilitating virtual machines.

but I can’t think of any likely attack vectors. If you’re worried about infecting the Xen hypervisor, then you might want to look into anti-evil-maid systems.

Do you leave your computer unattended for long periods of time, and are worried about someone tampering with your computer when you’re not there? If you are, this is what anti-evil-maid is good for. It helps you verify that the files that make your computer boot are exactly the way they were when you left them, by comparing them to “snapshots” that you have on external media (USB stick).

If you mean Dom0, then viruses shouldn’t have access because you’re not doing work in that VM, and Dom0 doesn’t normally have Internet access.

If you use Standalone VMs, then my previous comments go out the window, and you need to protect them using your usual methods as though they were regular PCs. Feel free to use your normal antivirus solution there.

This means that if you chose to have a fully self-contained Qube (for example, many people will run Windows or MacOS in a Standalone VM), then you’ll have to treat it exactly the same as a physical computer, so antivirus in this case could be useful. But again, the choice is up to you on this one.

Since you mentioned Whonix, that uses App VMs, and the best defense is to periodically restart the Whonix gateway and client. This should reverse any virus infections.

@aholden is right in the sense that Qubes OS does not need antivirus to protect YOUR machine.

I am using it with Whonix

Whonix is not necessarily designed to prevent you from receiving files or requests to your machine. It is designed to minimize the ability for someone else on the internet to figure out where you are. It’s very good at doing this. As long as you’re aware of the capabilities and limitations of Whonix, then use it as much as you like.


I will throw in my two cents.

If your concern is that you want to be a “good neighbor” and not pass on any viruses or malware (you’d get maximum respect if you did that), then there are several options that you could use inside VMs (NOT dom0!!!). It’s common to see Linux servers have things like ClamAV installed scanning files, because even though the overwhelming majority of malware is not designed for Linux (although this appears to be changing), the last thing the owner of the server would want to do is unknowingly pass on malware to someone else…

I personally agree with @ppc in not trusting anything proprietary. Nowadays, quite a lot of software that doesn’t make its source code available is either not as good as the developers claim it is, or does something that the developers don’t want you to know it’s doing.

However, I will not force that view upon anyone else. You are free to install and run any software on your machine. As your property, it remains your right to do so; however, the community would easily be able to assist you so much more when things go wrong if you stuck to free/libre/open source/FOSS software.

But again, that’s entirely up to you :slight_smile:


I hope this helps answer your question.

My apologies if I have assumed incorrectly about your circumstances. It was only in the interest of helping you faster.

2 Likes

Not specifically recommended but not prevented in any way. I think it’s fair to say that our security experts tend to be rather skeptical of antivirus, as, in their experience, it tends not to provide much, if anything, in the way of security benefits.

Since everything you interact with in Qubes is a VM, yes. :slight_smile:

Do you mean the firmware? I don’t think an antivirus program would be able to detect that.

The general problem is that there’s no method of detection that can guarantee that a computer is “clean.” This applies both at the OS level and even more so at the firmware level.

3 Likes

what av are you using

I am not sure what you mean by av?

it depends on the virus and the vm it is infecting

Let’s assume the worst case.

Thank you! What are Standalone VMs?
I am only using Whonix VMs.

For this threat: Instead of AEM, would it be sufficient if I reinstalled my BIOS?

Thank you very much for your nice answer!
Yes, I am new in the family. :slight_smile:

Your answers did help me. One of my concerns is that I’ve bought a used laptop and I am afraid of some viruses from the previous owner. I am handling finances on this laptop and I can’t afford to be hacked here. I did a factory reset and then installed Qubes.

Thank you. Do you think I could eliminate most of the risk by reinstalling my BIOS?

antivirus

in the worst case, the virus is intended to infect qubes os and is able to break the xen security, then infect dom0
if you are targeted, it can also infect firmware and you are truly game over

the vm that isn’t based on any other vm (short)

no

I haven’t heard of any viruses that infect the BIOS (doesn’t mean they don’t exist). If your BIOS is infected, then it’s probably game over for the machine, especially since any such virus worth its salt would promptly infect the new BIOS as soon as you finish reinstalling. Again, I haven’t heard of such a thing.

You asked about standalone VMs. It probably helps to understand that Qubes has several types of VMs:

  • Template VM: You don’t do work in these, but rather use them as the basis for other VMs (called App VMs). Each template VM can serve as the basis for several App VMs.

  • App VM: These are based on template VMs. Every time you start an app VM, it is reset to match its template VM, except for your home directory and a couple other specialized folders. This is a huge part of Qubes security. If an App VM gets a virus or is hacked, then the damage will probably be to the parts that get reset. As soon as the App VM is reset, the infection gets thrown away.

  • Disposable VM: These are also based on template VMs, but unlike App VMs, everything is discarded when the VM stops or is reset. User data and all. Obviously, this isn’t good for saving work (the work will go away), but it is useful for random web browsing and any other activity where you might worry about getting infected or hacked. Viruses and even ransomware become a joke when the whole machine will get nuked anyway!

  • Standalone VM: these don’t participate in that template/app VM system. They’re just regular virtual machines like any other VM system. Nothing gets thrown away when you restart them, so you need to protect them as if they were regular computers.

  • dom0: This is the first VM launched when you start the computer and runs for the duration of the computer. It has special access to the Xen hypervisor and is the only VM able to start, stop, create, and destroy the other VMs. It also owns the disk images. For security reasons, you never do work in dom0, and dom0 doesn’t have any network or Internet access. If dom0 ever gets hacked or infected, it’s game over.

I also mentioned Xen. In case you’re not familiar, Xen is a bare metal hypervisor. This means that the computer doesn’t actually run Linux, Windows, FreeBSD, or any other operating system. It runs Xen directly. Xen then creates several virtual machines, which run these operating systems. This includes dom0.

Now for Whonix. Whonix on Qubes is built using template VMs and app VMs. There are two Whonix template VMs, one for the gateway and one for the clients. There is also a single app VM based on the Whonix gateway template, one or more app VMs based on the Whonix client, and also a disposable VM based on the client. Because you’re using app VMs and disposable VMs, and not the templates, viruses aren’t much of a concern–they’ll get nuked when you restart the VMs unless they were written specifically for Qubes.