Basics
Harry Bone's "What is malware?"
Anti-Virus
Two main "modes":
- Real-time / constantly-active protection (catches every file write or download and scans it).
Could be disk-only (catches file writes) or also wired into the browser (to prevent access to known-dangerous web sites) and email (to scan attachments).
Set it to update automatically.
- User-initiated / manual-scan (user runs a full-disk scan every week or two,
or user right-clicks on a suspicious file and selects "scan it").
Two main "sources":
- Supplied by the OS vendor.
Usually the best choice: it ships and updates with the OS, and doesn't add a second privileged agent (with its own drivers and parsers) to the system's attack surface.
- Third-party (a separate app / service you install into the system).
Prevention / detection:
For Windows, I use Windows Defender, in constantly-active mode.
Martin Brinkmann's "AV-Comparatives: Microsoft Defender has a large impact on system performance"
[I don't do:] 0ut3r Space's "Windows Defender is enough, if you harden it"
For Linux, I use ClamAV in manual-scan mode, doing a scan every few weeks.
If you use Adblock Plus, you can then install a malware site filter.
Quora "What is the best open source antivirus software?"
Cautionary tale: Ray Woodcock's "Failure in Tech Journalism: Getting the Truth about Antivirus Software"
Keylogger
A "keylogger" may do one or more of these:
- Capture keystrokes as you type them.
- Capture the contents of your clipboard.
- Capture screenshots.
- Capture input from your computer's camera and microphone.
A keylogger may:
- Log the data into a log file.
- Email the data to somewhere.
- Send the data across the internet to somewhere.
There seem to be three types of keylogger:
- Hardware: some device attached to your computer or keyboard (inline on the keyboard cable, for example), or installed inside it. No software scanner can see this type.
- Software: an application and/or service installed on your computer. It may try to hide in various ways: not showing up in the list of installed apps, or choosing a name similar to a standard app or service.
- Rootkit: software installed into the firmware of your computer, the boot loader of your OS, or the kernel of your OS. Because it runs below the normal OS tools, it can hide its own processes, files and network connections from them.
Detect or defend against keyloggers:
- Manually.
Use Task Manager to look for suspicious processes, look in the list of installed apps for suspicious apps, use an app to look for log files that grow as you type, look for suspicious traffic out to the network.
- Scan periodically.
Malwarebytes - Keylogger (Windows)
Gecko & Fly's "18 Free Rootkit / Keylogger Remover And Detector" (Windows)
- Use a constantly-monitoring anti-keylogger program.
Zemana's Antilogger ($35/year, tends to delete files without asking, objects to any unusual browser homepage and search engine settings)
GeckoandFly's "4 Anti-Keylogger And Keystroke Scrambler Software To Stop Spying"
- Use a keystroke-scrambler.
Michael Kassner's "KeyScrambler: How keystroke encryption works to thwart keylogging threats"
Manpreet Singh's "How To Encrypt Keyboard To Avoid Keyloggers"
GeckoandFly's "4 Anti-Keylogger And Keystroke Scrambler Software To Stop Spying"
Raymond.cc's "Best Keystroke Encryption Software to Protect Against Keyloggers"
Apparently these products modify the applications they protect, by installing extensions into the browsers, or otherwise modifying apps. Sounds complex and dangerous to me.
KeyScrambler: Free edition only protects browsers, not other apps. Even most expensive edition doesn't protect standard apps such as Notepad and Wordpad.
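The "look for log files that grow as you type" check from the manual list above, written out as a small script. This is an added example, not code from the original notes or from any of the products listed: it takes a size snapshot of a directory tree, you type for a while, it takes a second snapshot, and it lists every file that grew or appeared in between. The directory names and the sample files at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: detect files that grow while you type (a local keylogger log).
# A keylogger that only ships keystrokes over the network leaves nothing here,
# so pair this check with watching outbound connections.

# Snapshot: one line per regular file, "<size in bytes><TAB><path>", sorted by path.
# Hidden files are included; unreadable files are recorded as size 0.
snapshot_sizes() {
    dir=$1
    find "$dir" -type f 2>/dev/null | LC_ALL=C sort | while IFS= read -r f; do
        size=$(wc -c < "$f" 2>/dev/null | tr -d ' ')
        printf '%s\t%s\n' "${size:-0}" "$f"
    done
}

# Compare two snapshots. Prints "GREW <path> (old -> new)" for files whose size
# increased and "NEW  <path>" for files that only exist in the second snapshot
# (a freshly created log is the common case). Files that shrank or stayed the
# same size are not reported.
grown_files() {
    before=$1
    after=$2
    awk -F'\t' -v before="$before" '
        FILENAME == before        { old[$2] = $1; next }
        !($2 in old)              { print "NEW  " $2; next }
        ($1 + 0) > (old[$2] + 0)  { print "GREW " $2 " (" old[$2] " -> " $1 ")" }
    ' "$before" "$after"
}

# Demonstration on a constructed directory (this is fake data, not a real keylogger).
DEMO=$(mktemp -d)
printf 'hello' > "$DEMO/notes.txt"
snapshot_sizes "$DEMO" > "$DEMO.before"
printf 'password123' > "$DEMO/.cache.log"    # constructed: a "keylogger" opens a new log
printf ' world' >> "$DEMO/notes.txt"         # constructed: a file that legitimately grew
snapshot_sizes "$DEMO" > "$DEMO.after"
grown_files "$DEMO.before" "$DEMO.after"
rm -rf "$DEMO" "$DEMO.before" "$DEMO.after"
```

In real use: `snapshot_sizes "$HOME" > /tmp/before`, type normally for a few minutes, `snapshot_sizes "$HOME" > /tmp/after`, then `grown_files /tmp/before /tmp/after`. Expect legitimate noise (shell history, browser caches, editor swap files); the signal is a file you don't recognise that grows in step with your typing. A keylogger running as root can write where your user can't read, so for a thorough pass run the snapshot as root over / and leave out /proc, /sys and /dev.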
Firewall
From someone on reddit's /r/Windscribe:
> I've recently signed up for Windscribe VPN (firewall enabled).
> I have an ASUS RT-AC66U router (firewall enabled),
> and on top of that Norton Security with its built-in
> super aggro "smart firewall". All of this seems a bit
> redundant and ridiculous.
Windscribe firewall blocks traffic that tries to go outside of the VPN, including if the server you're connected to goes down. It's different from a program/port firewall that allows or blocks certain traffic completely based on a ruleset.
Your Norton firewall is designed to prevent malicious programs from calling home to download more malware or upload your information.
Your router firewall is designed to prevent open ports from being abused by programs or attackers.
Windscribe firewall is designed to prevent your traffic from going through the normal unencrypted route to your ISP. If the connection drops for some reason nothing will get through because the Windscribe firewall blocked all other ways in or out.
So the three serve different purposes (the router and Norton firewalls overlap a bit but they still do different things).
Gufw (Linux only)
GlassWire (Android)
Snigdha's "Best Firewall Software For Windows"
Kamrul Hasan's "Best Firewall for Windows 10 PC"
Windows Defender firewall works even if you have another firewall running.
NetLimiter (Windows)
simplewall (Windows)
Evorim Firewall (Windows): per-app controls.
Portmaster (Windows, Linux): per-app controls.
'Normal' apps or services
Many legitimate standard apps or services, if set incorrectly, or set maliciously without your consent, could be used to spy on you or track you.
For example, Google Maps on your phone will let you share your location with other people, maybe with your spouse or children. That's fine if you consent to that and know you're doing that. It's bad if you're having issues with your spouse and they turn that on without your consent.
Various browsers and operating systems can be set to collect data about your behavior and report it to the manufacturer (usually called "telemetry"). Maybe the data is anonymized. Maybe it is limited to just crash reports. Or maybe it includes what sites you visit and what searches you do, even local searching of the hard disk. Check those settings. [Windows 10 in particular has an astonishing amount of this (article1), but you can turn most of it off, I think: article2. Or change OS to Windows 10 Ameliorated]
But see Chris Hoffman's "Stop Criticizing Apps for 'Phoning Home'. Instead, Ask Why"
Suppose you install a remote-access application, or open an incoming VPN connection, so that you can access your home computer from work if you need to. But accidentally you allow anyone on the internet to access it, or someone in your house turns on access for themselves without your consent.
A "sync" feature that automatically copies data among your devices is multiplying the places your data could be stolen. Smartphones tend to have the worst security, so syncing data from laptop to phone is weakening security. For example: "... Apple's universal clipboard functionality, which means that anything I copy on my Mac or iPad can be read by my iPhone, and vice versa. So, if TikTok is active on your phone while you work, the app can basically read anything and everything you copy on another device: passwords, work documents, sensitive emails, financial information. Anything." from Zak Doffman article.
Ctrl blog's "Your clipboard is only as secure as your device"
Mozilla Security Blog's "Preventing secrets from leaking through Clipboard"
I don't think any of the anti-virus scanners will report such settings to you as "potentially unwanted".
Linux
For every product, you can find detractors. It slows down the system, increases the attack surface, runs at too high a privilege level, has a history of exploits, gives too many false positives, etc. Most of the criticisms apply more to the real-time mode rather than the manual mode.
Some say AV is not needed on Linux:
Some people say there is no risk of malware on Linux, but this is less true every year. Now that most of the world's web servers and most IoT devices run some form of Unix/Linux, attacks and malware targeting them are becoming more and more common. Home users spend most of their time in a browser, so browser and browser add-on exploits are a big risk, and a browser exploit generally doesn't care what underlying OS you're running. Attack surfaces such as the code/macro engines inside "smart" documents (MS Office and PDF documents) and inside email clients are similar on Linux to those in any other OS. Java, JavaScript, Python, Electron, Docker, etc.: everything is trying to become cross-platform, and a payload written for one of those runtimes runs wherever the runtime does.
From someone on reddit 3/2019:
Cybersecurity blue team here, in the wild we probably see more Linux payloads than we do Windows
due to the high number of servers that run enterprise Linux. That being said, botnet attacks
and scripted exploits normally drop and try to execute both Windows and Linux versions of
the same payload which is super scary to see. Linux doesn't protect you from viruses at all.
In fact, thinking you're more secure just for running Linux is deluded, new privilege escalations
are released almost daily. If you stay on top of it, you could own someone's laptop pretty
trivially with some help from exploit-db.
From /u/longm0de on reddit 2/2020:
I have an experimental Win10 laptop that I keep up to date with Defender disabled through WinRE with no other anti-malware, and I haven't had a single malware enter my system in years, I've even purposefully downloaded malware. I've even run it knowing its limitations by limiting it to a single user and without administrator privileges without my system ever being screwed. Linux users will claim similar things such as not having malware ever since switching over. The commonality here? Both of our points are anecdotal as there is always the right tool for a job, and anti-malware software works great for protecting users.
...
Linux is multi-user so it is more secure ? Windows is multi-user as well. Win 1x,2x,3x,95/98/ME are from a different lineage of Windows. Windows NT was launched in 1993 and used the kernel which Windows still uses (of course, upgraded) today, which is rooted in OpenVMS and inherits a lot of the stability, robustness, multi-user features, and security that it had. It's not built from DOS in any way shape or form. Windows is a secure multi-user operating system. Many "consumer friendly" distributions such as Ubuntu give you access to read/write to other user directories without root access. This will NEVER happen by default on "Windoze".
Easy Linux tips project's "Security in Linux Mint: an explanation and some tips" strongly advises NOT installing anti-virus software, and gives reasons.
Also see:
Catalin Cimpanu's "ESET discovers 21 new Linux malware families"
Paolo Rovelli's "Don't believe these four myths about Linux security"
Luke Rawlins' "Does Linux Need Antivirus?"
Wikipedia's "Linux malware"
Moe Long's "The 7 Best Free Linux Anti-Virus Programs"
Tecmint's "The 8 Best Free Anti-Virus Programs for Linux"
- Sophos:
Sophos
Installing the standalone version of SAV for Linux/UNIX
FOSS Linux's "How to install Sophos Antivirus for Linux in Ubuntu"
Gets slightly-better-than-average ratings in some AV comparisons.
reddit's /r/sophos
Support is on Twitter "@SophosHome", but I don't know if that includes Linux support.
9/2020: Support says "the Free Sophos Antivirus for Linux has been deprecated". No more free version.
Have to download from the Sophos web site, or Docker does have images "jc19930401/sophos", "maxpowa/sophos-av", "sschmiedleitner/sophos-av", "neilai/sophos". It's unclear which is best to use. To see DockerHub page for an image, go to "https://hub.docker.com/r/IMAGENAME".
I downloaded from the Sophos web site and installed ("sudo sh ./install.sh") with "on-access scanning" turned off. Chose "s" for "update from Sophos". Chose "free edition" and "no proxy".
Sophos is CLI-only.
Do "/opt/sophos-av/bin/savdstatus" to see on-access scanning status.
Do "/opt/sophos-av/bin/savdctl enable" and "/etc/init.d/sav-protect start" to enable on-access scanning.
Do "sudo savscan /" to do an on-demand scan.
"/opt/sophos-av/bin/savdstatus" says "Sophos Anti-Virus is active" even though I chose "don't do on-access scanning".
Do "ps -fax | grep sav" to look for Sophos processes.
Did "sudo /etc/init.d/sav-protect stop".
Also "sudo /opt/sophos-av/bin/savconfig set EnableOnStart false".
"sudo /opt/sophos-av/bin/savdctl disable" fails.
http://docs.sophos.com/esg/SAV-Linux/help/en-us/PDF/sav_linux_cg.pdf
sudo systemctl status sav-protect --full --lines 1000
cat /etc/systemd/system/multi-user.target.wants/sav-protect.service
systemctl cat sav-protect
"man savscan" gives lots of info, but doesn't say what the default settings are. Also see "man savd".
I found Sophos to be much faster than clamtk. Sophos caught all the viruses I had deliberately saved, and reported EICAR signature in .com files. Reported one JavaScript file that turned out to be a known recently-discovered trojan, in flatmap-stream. About 285K files scanned in about 90 minutes, on my slow but mostly-idle laptop.
2/2020: found they have a version 9 instead of the 5.63 I was running.
https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx
Downloaded it (sav-linux-free-9.tgz)
tar -xzvf sav-linux-free-9.tgz
# get rid of old version
sudo rm /usr/bin/savscan
sudo rm /usr/local/bin/savscan
sudo rm -fr /opt/sophos-av
sudo rm -fr /usr/local/etc/sav
sudo deluser --remove-home sophosav
sudo delgroup --only-if-empty sophosav
sudo ./sophos-av/install.sh
# get message "Warning: There is another installation of Sophos Anti-Virus on this computer."
# and installation aborts. Refers to KBA133542.
# Apparently Mint 19.3 is based on a non-LTS version of Ubuntu,
# and at the moment Sophos only supports LTS versions ?
# But I think the real problem was that something installed by Sophos 5 was still present.
When prompted for the type of auto-update you want, select Sophos.
When prompted for the version you want, select Free.
By default, it updates virus definitions every 60 minutes.
To update Sophos Anti-Virus immediately: sudo /opt/sophos-av/bin/savupdate
By default, Sophos Live Protection is turned on.
To stop on-access scanning: sudo /opt/sophos-av/bin/savdctl disable
To scan the computer: sudo savscan /
Better: sudo savscan -s --skip-special -ndi -all -rec -nremove --backtrack-protection /
(that took 2+ hours to scan 680K files on my machine)
To scan a filesystem, specify its name. For example, type: sudo savscan /home
To scan the boot sector of all logical drives: sudo savscan -bs
To scan the master boot record of all fixed physical drives: sudo savscan -mbr
- ClamTk / ClamAV:
New 1.0 version released 11/2022: article.
"designed especially for e-mail scanning on mail gateways"
"ClamAV is not a traditional anti-virus or endpoint security suite."
ClamTk is a Linux-only front-end for ClamAV.
dave_m / clamtk
Sophie Anderson's "ClamAV vs ClamWin vs ClamTK"
ClamAV
ClamAV blog
Cisco-Talos / clamav
Chris Siebenmann's "We need a way to scan Microsoft Office files for malware"
Bug reports etc: ClamavNet Mailing Lists
Gets very bad ratings (low detection rate) in some AV comparisons.
"sudo apt install clamav"
To see update activity, "sudo journalctl | grep [Cc]lam".
I want to do manual scans only. Note that "-c" / "--checks" on freshclam sets the number of update checks per day (default is 24 !) and only takes effect when freshclam runs as a daemon ("-d"); on a one-shot "sudo freshclam" run it does nothing. On Debian/Ubuntu the package already runs that daemon for you as "/usr/bin/freshclam -d --foreground=true", launched by the clamav-freshclam service (/etc/init.d/clamav-freshclam). So either lower "Checks" in /etc/clamav/freshclam.conf, or disable that service ("sudo systemctl disable --now clamav-freshclam") and run "sudo freshclam" yourself before each scan. Running "sudo freshclam" while the daemon is still running fails with a message that freshclam.log is locked by another process.
In my home dir, did "sudo clamscan --infected --recursive ." It ran for over 6 hours (250K files), and threw some internal errors, maybe on big RAR files. But it finished, and found the malware test files I had.
Did "sudo clamscan --infected --recursive --exclude=/home --exclude=/dev --exclude=/sys --exclude=/timeshift /" It ran for over 2 hours (300K files) and found the EICAR test files I had.
9/2020: Did "flatpak install ClamTk". GUI app only, no CLI or man page. Start by updating signatures. Ran a scan, it found my test viruses, but also some false positives on other files. UI is a bit awkward: dialogs are small and can't be resized. Tried to use it again later and it didn't work. Removed flatpak and installed deb, which worked. Found lots of false-positives: it considers any JavaScript in a PDF and any LibreOffice macro to be "potentially unwanted".
- chkrootkit:
chkrootkit Run "sudo chkrootkit".
It probably will say some system command is infected, but I think if all checks for specific rootkits come up negative, the system is fine. Also, someone said any time you have an executable file in /tmp it will report possible "Linux/Xor.DDoS" infection.
Run "sudo chkrootkit -r DIRNAME" to have it run as if DIRNAME is /, for testing purposes. But it only looks at specific places for specific rootkits, so you'd have to place each test rootkit in the appropriate place in that tree.
- rkhunter:
Edit /etc/rkhunter.conf to change value of WEB_CMD from "/bin/false" (with quotes) to "curl" (without quotes).
Also set "UPDATE_MIRRORS=1" and "MIRRORS_MODE=0".
Delete the default mirrors file, /var/lib/rkhunter/db/mirrors.dat.
Run "sudo rkhunter -C" to check the edited config file for errors (it exits without scanning).
Run "sudo rkhunter --update". It should fetch a new copy of mirrors.dat.
If problems, look in /var/log/rkhunter.log.
If can't fetch update files, see if browser can get http://rkhunter.sourceforge.net/1.4/programs_bad.dat.
To do a check, run "sudo rkhunter -c". It probably will say some system commands are infected, and warn about other things, but I think if all checks for specific rootkits come up negative, the system is fine. Many of the "file properties have changed" warnings come from normal package updates: after updating packages, and once you're satisfied the system is clean, run "sudo rkhunter --propupd" to re-baseline the stored file properties, otherwise the same warnings repeat on every check.
No way to check for rootkits in a particular directory tree; it only looks at specific places for specific rootkits. So it's hard to download a rootkit and test that rkhunter detects it. You'd have to create a simulated filesystem, copy rkhunter and some support apps and test rootkits to it in appropriate places, chroot to it, and run.
rkhunter
- checksecurity:
sudo apt install checksecurity
# It installed the "logcheck" package, and created a new user "logcheck".
# Installed cron jobs to check for new setuid files, listeners, etc.
sudo grep -E 'logcheck|checksecurity' /etc/crontab /etc/cron.*/* /etc/anacrontab /var/spool/cron/crontabs/*
sudo edit /etc/checksecurity.conf
sudo less /etc/logcheck/logcheck.conf
# I think the first time you run it, it reports everything.
# On following runs, it only reports changes from previous state.
time sudo checksecurity
# Soon getting flooded with lots of email. Change
# /etc/checksecurity.conf to check only passwords daily, rest weekly.
# But that didn't work, email is coming from logcheck.
sudo bash
sudo edit /etc/cron.d/logcheck
# commented out reboot line
# changed "2 *" to "0 11"; run once a day instead of once an hour
# Lots of UFW audit stuff being reported by logcheck.
# Ran "Firewall Configuration" and changed logging from medium to low.
- Comodo:
Comodo
Downloaded .deb file from web site and opened it. Got an error that dependency on libssl0.9.8 (>= 0.9.8m-1) is not satisfiable. Tried "sudo apt install libssl1.0.0" and got "libssl1.0.0 is already the newest version (1.0.2n-1ubuntu5.2)". Searching, I see lots of people have had this error or other errors over the years.
Downloaded a file from Ubuntu universe and installed it.
Went to /opt/COMODO and ran "sudo ./post_setup.sh". When it tried to build and install a new kernel module for real-time protection, it failed horribly (fine with me, I don't want that), then the script ended with "success".
In /opt/COMODO, did "sudo ./cav", got GUI app. Updated database, but progress went to 89% and then whole OS froze. Rebooted, went to Comodo, it didn't want to run. Finally did post_setup.sh again, that seemed to fix it. Updated database and did a scan. GUI app opened a progress dialog that stayed on top of all other windows; annoying. Eventually I noticed a check-box right in the dialog to make that stop. It scanned 803K "objects" in 2 hours, then I stopped it. It found all the viruses and the EICAR files.
Later deleted it, but there's no uninstaller ? Services left running. Did:
sudo systemctl disable --now cmdavd.service
sudo systemctl disable --now cmdmgd.service
Tried it again 3/2020:
https://www.comodo.com/home/internet-security/antivirus-for-linux.php#bottom_free_download
They list Mint as a specific choice, but in small print mention "Mint 13" !
Got a deb file. Double-clicked, and it says "same version is already installed, reinstall package", maybe it sees remnants of old install ? It says "after install, run /opt/COMODO/post_setup.sh". But installation failed with apt-daemon error. I saw some other install fail that way, maybe there's a problem in my system.
- F-PROT:
End-of-lifed 8/2020.
- LMD (Linux Malware Detection):
rfxn / linux-malware-detect
Jahid Onik's "How to Install and Configure Linux Malware Detect (LMD)"
Installed by downloading it from GitHub, then "sudo ./install.sh". Then "sudo maldet --update-ver" and then "sudo maldet --update", both of which failed because "rfxn.com" is down. Then "sudo maldet -a /", which failed because apparently there is no signature file at all. A week later, "rfxn.com" still down. But then I found out it isn't down, somehow it's been mapped to localhost on my system, when Windscribe VPN is on. Turned off the VPN and was able to update. Found out that Windscribe VPN is blocking that domain; when it blocks something, it does it by mapping to localhost. Filed a Support ticket asking for it to be whitelisted.
Ran it on root, and it took 40 minutes just to make a file list of 310K files. Said it was going to use ClamAV's engine. I killed it and uninstalled it.
- ESET NOD32 ($40/year, but search online for discount deals):
Being changed to no-code-updates as of 3Q2022 ?
ESET's "Antivirus for Linux desktop"
Gets near-top ratings in some AV comparisons.
- Bitdefender ($80/year):
I think to do Linux, you have to do "Bitdefender GravityZone Business Security".
- Microsoft Defender ATP:
An enterprise product that collects lots of behavioral data on a real-time basis from many apps, and looks for threats and threat patterns. Paid subscription.
article
- Microsoft Project Freta:
Upload a VM image, or a snapshot of your system in RAM, to a web site for analysis for rootkits and malware etc. Free.
Robert Jefferson's "Microsoft has launched a Free Memory Forensics and Rootkit Detection Service for Linux"
- Kaspersky Endpoint Security for Linux:
Part of bigger products.
"Endpoint Security for Business SELECT" costs $539/year for 10 nodes.
No single-user pricing.
- Kaspersky KVRT scanner:
Download
Help
Free.
- REVE:
$39/year.
- Dr.Web:
€34/year.
- IMUNIFY360:
Server only, and for older versions of Linux.
File Integrity Checkers:
Scan system files and report any changes, which might be due to malware.
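The core of what the tools below do, as an added example (this is not AIDE, Tripwire or Samhain code, and not from the original notes): record a SHA-256 baseline of every regular file under a directory, then later report files whose content changed, files that disappeared, and files that appeared. It assumes GNU coreutils sha256sum (or BSD shasum) and awk. The directory, baseline path and sample files at the bottom are constructed for the demonstration. Paths containing whitespace are not handled, because the baseline format is the plain sha256sum output.

```shell
#!/bin/sh
# Added example: a minimal file-integrity checker in two functions.
# Caveat that applies to every tool of this kind, debsums included: the baseline
# must be stored somewhere the monitored system cannot quietly rewrite it
# (read-only media, or another host). A baseline kept beside the files it
# describes is only as trustworthy as the disk it sits on.

# Hash every regular file under $1 as "<sha256>  <path>", sorted by path.
hash_tree() {
    if command -v sha256sum >/dev/null 2>&1; then hasher="sha256sum"; else hasher="shasum -a 256"; fi
    find "$1" -type f 2>/dev/null | LC_ALL=C sort | while IFS= read -r f; do
        $hasher "$f"
    done
}

# fic_init DIR BASELINE: record the known-good state.
fic_init() {
    hash_tree "$1" > "$2"
}

# fic_check DIR BASELINE: print one line per difference (CHANGED / MISSING / ADDED)
# and return 1 if there were any; print nothing and return 0 if the tree matches.
fic_check() {
    current=$(mktemp)
    hash_tree "$1" > "$current"
    diffs=$(awk -v base="$2" '
        FILENAME == base { old[$2] = $1; next }   # first file: baseline hashes
        { new[$2] = $1 }                          # second file: current hashes
        END {
            for (p in old) if (!(p in new)) print "MISSING " p
            for (p in new) {
                if (!(p in old))           print "ADDED   " p
                else if (new[p] != old[p]) print "CHANGED " p
            }
        }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# Demonstration on a constructed tree in a scratch directory.
DEMO=$(mktemp -d)
mkdir "$DEMO/etc"
printf 'PermitRootLogin no\n' > "$DEMO/etc/sshd_config"
fic_init "$DEMO/etc" "$DEMO/baseline.sha256"
printf 'PermitRootLogin yes\n' > "$DEMO/etc/sshd_config"   # constructed: tampered config
printf '/tmp/evil.so\n' > "$DEMO/etc/ld.so.preload"        # constructed: dropped file
fic_check "$DEMO/etc" "$DEMO/baseline.sha256" || echo "integrity check failed (see above)"
rm -rf "$DEMO"
```

For the CHANGED part alone, "sha256sum -c --quiet BASELINE" does the same job from the command line; the awk step is there to also catch files that were removed or added, which a plain "-c" run never mentions. Run fic_init right after a clean install or update, re-run it (deliberately) after every package update, and treat any diff you didn't cause as something to investigate.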
- AIDE:
AIDE
Takes a snapshot of your files and directories at a supposedly "good" state and then checks for any later changes.
Software Manager lists a "static" version and a "dynamic" version. No explanation of the difference. I installed the "dynamic" version. Nothing happened, no app called "aide" visible anywhere. Thought of installing the "static" version, and it says it will uninstall the "dynamic" version. Finally found it under "man aide".
Did "sudo aide --init", got "Couldn't open file /var/lib/aide/please-dont-call-aide-without-parameters/aide.db.new for writing". "sudo aide --config-check" gives nothing. "aide --version" says 'CONFIG_FILE = "/dev/null"'.
Read some threads online, tried "sudo apt install aide aide-common". It said it's removing aide-dynamic. Was asked to select email type; chose "no configuration". Then it configured a LOT of stuff. Ended and I'm not sure what to do. Tried "aide --check" and "aide --init", got same error message as before.
Tried "sudo aide.wrapper --init" per a thread, got various configuration-file errors.
Also saw in a thread "The explanation can be found in /usr/share/doc/aide-common/README.Debian.gz" which seems unpromising. Looked in there, it says aide is intended to be run as a daily cron job, so if you run from CLI you have to supply your own config file, it wants to send email to root, etc. Gave up on it at this point. Did "sudo apt remove aide-common aide" to get rid of it.
- Open Source Tripwire:
tripwire-open-source
Michael Kwaku Aboagye's "Securing the Linux filesystem with Tripwire"
Takes a snapshot of your files and directories at a supposedly "good" state and then checks for any later changes.
Installed it through Software Manager. Let it create passphrases etc. Ran "sudo tripwire --init --verbose", and it asks for my "local passphrase", which I don't know. Eventually hit on "nothing" (Enter), and that worked. It started checking lots of files, but ended up in the "/proc" territory and died with "Software interrupt forced exit: Segmentation Fault [1] 6004 segmentation fault". Went into Software Manager and removed it.
- Samhain:
Samhain
Takes a snapshot of your files and directories at a supposedly "good" state and then checks for any later changes. Also log file monitoring and analysis, rootkit detection, port monitoring, more.
Installed it through Software Manager. But installation failed with
"Job for samhain.service failed because a timeout was exceeded.
See "sudo systemctl status samhain.service --full --lines 1000" and "journalctl -xe" for details.
invoke-rc.d: initscript samhain, action "start" failed."
Then tried "sudo apt samhain" and that threw an error.
Did "sudo samhain -t update" and that threw errors.
But then my disk was pegged, 100% usage, and stayed that way for 2+ hours, with no sign of stopping. Rebooted, it continued. Uninstalled samhain, and it stopped.
- Incron:
- Monit:
- Afick:
- debsums:
Checks the MD5 sums of installed package files against the sums dpkg recorded when each package was installed (the .md5sums files under /var/lib/dpkg/info/), not against the repos. Since those reference sums live on the same disk, anything that can modify a system binary can usually also modify its recorded sum, so treat a clean debsums run as a sanity check, not as proof against a rootkit. "-a" includes configuration files, "-c" reports only changed files.
sudo apt install debsums
sudo debsums -ac
- SysConfCollect (SCC):
Checks for changes in files and config settings and much more.
System Configuration Collector
SCC Home
Linux desktop README and modules I created: BillDietrich / SCC-Additions-for-Desktop-Linux
Later updated SCC by downloading a .src.tar.gz from https://sourceforge.net/projects/sysconfcollect/files/scc/current/
Extract files from it, cd into it, read the README, do "sudo ./scc-install".
Added to .profile:
export MANPATH="/opt/scc/man:$MANPATH"
- fs-verity:
- Snapper and filesystem snapshots:
Testing your Anti-Virus
Michael Allen's "How to make sure your antivirus is working without any malware" (Windows)
EICAR Standard Anti-Virus Test File
Fortinet's "Test Your Metal" (browser fetches bad files from server, see if firewall or AV etc stops it)
Atomic Red Team
Web site that does various tests: AMTSO Security Features Check Tools
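A script, added here as an example (not from the page, and not EICAR's or ClamAV's own code), that creates the EICAR test file, confirms it reached the disk byte-for-byte by checking the published SHA-256 of the 68-byte string, and then hands it to clamscan if ClamAV is installed. The scratch directory and file name are assumptions for the demonstration; any other on-demand scanner can be substituted in scan_eicar.

```shell
#!/bin/sh
# Added example: generate and verify the EICAR test file, then scan it.

# The 68-byte EICAR string. Single quotes keep '$', '!' and '\' literal.
EICAR_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# Published SHA-256 of the exact string with no trailing newline.
EICAR_SHA256='275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'

# Portable SHA-256: GNU coreutils sha256sum, falling back to BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Write the test file. printf '%s' avoids the trailing newline that echo adds;
# the EICAR spec tolerates trailing whitespace, but a byte-exact file makes the
# hash check below unambiguous.
write_eicar() {
    printf '%s' "$EICAR_STRING" > "$1"
}

# Return 0 if the file on disk is the canonical 68-byte string (i.e. nothing
# between the script and the disk, such as a real-time scanner, altered or removed it).
verify_eicar() {
    [ "$(sha256_of "$1")" = "$EICAR_SHA256" ]
}

# Scan one file with clamscan. Exit codes per clamscan(1): 0 clean, 1 virus found,
# 2 error. Returns 3 here if clamscan is not installed, so the caller can tell
# "not detected" from "not tested".
scan_eicar() {
    command -v clamscan >/dev/null 2>&1 || return 3
    clamscan --no-summary "$1" >/dev/null 2>&1
}

# Demonstration in a scratch directory (assumed location; any writable dir works).
SCRATCH=$(mktemp -d)
EICAR_FILE="$SCRATCH/eicar.com"
write_eicar "$EICAR_FILE"
if verify_eicar "$EICAR_FILE"; then
    echo "eicar.com written and hash-verified: $EICAR_FILE"
else
    echo "hash mismatch: something altered or removed the file on write" >&2
fi
rc=0; scan_eicar "$EICAR_FILE" || rc=$?
case $rc in
    0) echo "clamscan did NOT flag the test file: signatures stale or scanner misconfigured" ;;
    1) echo "clamscan flagged the test file (expected)" ;;
    3) echo "clamscan not installed; skipping the scan" ;;
    *) echo "clamscan error (exit $rc); check that the signature database exists" ;;
esac
rm -rf "$SCRATCH"
```

If verify_eicar fails on a system with real-time protection enabled, that is itself the result: the on-access scanner intercepted the write. On a manual-scan-only setup the file should survive the write and the scan step should return 1; a 0 there means the scanner ran but its signatures did not match, which on ClamAV usually means freshclam has never succeeded.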
Where to get virus samples, to check your AV ?
MalShare
TekDefense
VirusShare.com
MalwareBazaar
theZoo
greg5678 / Malware-Samples (Linux only)
Packet Storm's "Unix rootkits" (have to compile some from source)
Keylogger:
Run a test program that does keylogging and see if your software detects/stops it:
Mike Williams' "How to test anti-keylogger software"
SpyShelter's "Security Test Tool"
Install a real keylogger and see if your software detects it:
Windows:
Spyrix Free Keylogger
Revealer Keylogger Free
StupidKeylogger
Linux:
lkl, uberkey, THC-vlogger, PyKeylogger, logkeys.
Malware Removal
- Malware removal.
Malwarebytes
Spybot
/r/techsupport's "Official Malware Removal Guide"
- Crapware or bloatware removal.
PC Decrapifier
Should I Remove It?
AdwCleaner
Miscellaneous
Aurelian Neagu's "10 Warning Signs That Your Computer is Malware Infected"
Humor: CyberWire's "The Malware Mash" (video)