this post was submitted on 27 Apr 2026

48 points (100.0% liked)

Linux

65081 readers

598 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 7 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

How to check pc for spyware and can you say there is no spyware or is it probability (lemmy.ml)

submitted 1 week ago by RavenofDespair@lemmy.ml to c/linux@lemmy.ml

31 comments fedilink hide all child comments

all 32 comments

sorted by: hot top controversial new old

[–] 0t79JeIfK01RHyzo@lemmy.ml 25 points 1 week ago* (last edited 1 week ago) (4 children)

You can

Watch network access - What is communicating to the outside? Why is it? What is it communicating? I like sniffnet
Watch CPU and GPU usage - What is using resources? Why is it? I like Mission Center and ps auxf in the terminal
What is using the disk? I like Filelight and Disk Usage Analyzer
Run AV software. I don't have any recommendations.
And I guess sometimes you can also find it when benchmarking software because you want the absolute best performance.

You can also assume you are compromised and use a solution like a Faraday cage. If you're trying to detect advanced spyware, it might be better to check network activity from outside the device like what network activity is the router managing for the computer.

[–] bamboo@lemmy.blahaj.zone 12 points 1 week ago

FWIW, if you suspect your machine has been compromised, the binaries for common tools like ps and top shouldn't be relied upon since those probably were tampered with to hide the malicious program from the output. At that point, you'd probably want to check each running process manually under /proc/.

[–] MrSoup@lemmy.zip 6 points 1 week ago

As of AV software I would like to point to ClamAV and Rkhunter.
Both should be available in most distro's package repository.

[–] eldavi@lemmy.ml 4 points 1 week ago

@RavenofDespair@lemmy.ml to add to this; you can use a firewall that's aware of what your systems is trying to contact. pfsense does this in their premium products and i've heard ubiquiti starting doing this as well.

[–] doodoo_wizard@lemmy.ml 14 points 1 week ago (1 children)

Slap the top of the pc and exclaim “no spyware in this thing”.

[–] toynbee@piefed.social 5 points 1 week ago (2 children)

What if I accidentally say "this baby can fit so many spywares in it" instead?

[–] Nyadia@lemmy.blahaj.zone 10 points 1 week ago

Then you've unwittingly installed Windows 11

[–] doodoo_wizard@lemmy.ml 3 points 1 week ago

If you say that you gotta strap it down first for safety.

[–] HiddenLayer555@lemmy.ml 11 points 1 week ago* (last edited 1 week ago)

Honestly if you're at the point of suspecting that your Linux system is infected, just back everything up, wipe, and reinstall. Make sure to use a known good computer to make the install disk, and completely wipe the drive before install and not use existing partitions.

People have mentioned Wireshark which you can use to monitor for suspicious network activity, but IMO for most people this isn't super helpful because it's hard to tell what's suspicious and what's normal from Wireshark alone without quite a bit of networking/software knowledge. Maybe there's more user friendly packet capture software though, something that can string the packets together into their respective connections and summarise key information like the protocol and domain involved.

QDirStat can visualize the contents of your drive as an interactive map. Might be helpful for finding files that aren't supposed to be there.

ClamAV is an open source antivirus available for Linux but I don't know how well it does at actually detecting Linux malware. Seems to be more for people running file/email servers to scan incoming file uploads.

[–] j4k3@lemmy.world 10 points 1 week ago (1 children)

DNS whitelist firewall on a router. Deny everything that is not whitelisted by address and port.

[–] ranzispa@mander.xyz 7 points 1 week ago (2 children)

Most spyware traffic likely goes through ports 80 and 443 anyway. A firewall on the router won't help there.

[–] ScoffingLizard@lemmy.dbzer0.com 1 points 6 days ago* (last edited 6 days ago)

Also just get NextDNS and check the logs. That helps. It at least covers http and TLS.

[–] j4k3@lemmy.world 8 points 1 week ago

With a DNS whitelist, all incoming packets are dropped unless the address is on the list. It is like ad block, but reversed. You are not blocking known ad servers, but all servers except those you actually want to connect to. It is a pain in the ass to look at logs and white list all the time. In reality, you only visit around a hundred sites or less that you actually need or want to connect to. Nothing gets in except what you want. That kills most vulnerabilities.

[–] AkatsukiLevi@lemmy.world 9 points 1 week ago (1 children)

Bucket of water

Can't have spyware if the computer doesn't even work

[–] over_clox@lemmy.world 7 points 1 week ago

Use saltwater, that'll work instantly..

[–] practisevoodoo@lemmy.world 6 points 1 week ago

It depends on the level of mistrust you're willing to entertain but the short version is; no, you cannot be sure.

Ken Thompson's 1983 talk, Reflections on trusting trust is the classic talk on just why you cannot be sure.

[–] RIotingPacifist@lemmy.world 5 points 1 week ago

You can never be sure there is no spyware because if your infected a sufficiently advanced spyware can hide itself.

In theory you can use a liveCD to scan your OS for specious signs but if someone has written bespoke spyware for you it may be hard to detect as it won't match any of the signatures.

[–] hexagonwin@lemmy.today 4 points 1 week ago

run a barebones environment with a trusted minimal operating system (that's freebsd/netbsd/slackware for me)

[–] chgxvjh@hexbear.net 3 points 1 week ago (1 children)

Wireshark

[–] ScoffingLizard@lemmy.dbzer0.com 2 points 6 days ago (1 children)

It's good for certain things, but it has so much shit that its hard to decipher.

[–] chgxvjh@hexbear.net 1 points 5 days ago (1 children)

You need to learn a thing or two about networking to use it effectively.

[–] ScoffingLizard@lemmy.dbzer0.com 2 points 4 days ago

It's some in handy before for sure to check is dnscrypt-proxy was working. I wish I could learn a few tricks though.

[–] Cyber@feddit.uk 2 points 1 week ago

Is this a specific PC, or a general question?

All spyware needs to get the info to the spy somehow, so as others have said, it's probably best to watch the network traffic.

But also - not so much for home, more for an office - look out for keyloggers and weird physical devices attached to the PC, they can be sending data via other methods.

And prevention is better than cure, get a good antimalware installed - and perhaps something which only allows known good (allow listing), rather than blocking known bad (block listing).

[–] doodoo_wizard@lemmy.ml 2 points 1 week ago

op, if you can’t see any spyware it’s probably fine.

[–] brownmustardminion@lemmy.ml 1 points 1 week ago (1 children)

Some of the other comments got me curious...

Is there a way to print the most recent accessed files (and time accessed and by which user) within a specific directory to terminal?

[–] smileyhead@sh.itjust.works 2 points 1 week ago

Spyware can alter the database of accessed files.

[–] bacon_pdp@lemmy.world -3 points 1 week ago (2 children)

If you bootstrap your software from source code and use white listing at the kernel level and in your interpreters. Then there is no place where spyware could exist and run.

[–] rangber@lemmy.zip 2 points 1 week ago (1 children)

But then your hardware may have malware embedded in it from supply chain risk. So gotta start soldering the motherboard yourself just to be safe.

[–] bacon_pdp@lemmy.world 1 points 1 week ago

Firmware and microcode are just software unless you are talking about a Nexus Intruder Program style attack; in which case you are fucked even if you solder your own hardware. You’ll need to figure out how to bootstrap your own lithography without using any existing computers, as they could be subtly subverting any hardware that you made. (This was the ultimate weapon against Soviet computers after all)

[–] practisevoodoo@lemmy.world 1 points 1 week ago (1 children)

What if your compiler is compromised? https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

[–] bacon_pdp@lemmy.world 0 points 1 week ago

That was already solved by DDC and live-bootstrap

https://github.com/fosslinux/live-bootstrap

https://dwheeler.com/trusting-trust/