jagdpanther l33t
Joined: 22 Nov 2003 Posts: 729
Posted: Sat Jul 14, 2018 3:51 am Post subject: clamav shows a trojan in stage3 2018-07-12 file
I downloaded the amd64 stage 3 file
http://distfiles.gentoo.org/releases/amd64/autobuilds/20180712T214503Z/stage3-amd64-20180712T214503Z.tar.xz for a new system build tomorrow. I ran 'tar xJf' on that file as a regular user. (Yes, I expected the /dev/ files to fail.)
Then I ran 'clamscan -r -i' on the uppermost directory and I keep getting one hit:
Code:
usr/bin/xzdec: Unix.Trojan.Vali-6606621-0 FOUND
I am not feeling good about building a new system tomorrow. Should I wait for another stage3?
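Two checks worth running before trusting the tarball, as an added example rather than anything posted in this thread: verifying the download against the SHA512 published in the stage3's .DIGESTS file, and pulling the FOUND lines out of the clamscan output for triage. The .DIGESTS layout ('# SHA512 HASH' header followed by sha512sum-style lines) is an assumption, and all sample data is constructed, not taken from the Gentoo mirror.

```python
import hashlib
import re

# Assumed .DIGESTS layout: '# <ALGO> HASH' header lines, each followed by
# sha512sum-style '<hex>  <filename>' entries (an assumption, not verified here).
SECTION_RE = re.compile(r"#\s*(\w+)\s+HASH")
# clamscan prints one '<path>: <signature> FOUND' line per detection.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

def parse_digests(text, algo="SHA512"):
    """Return {filename: hexdigest} for one hash section of a .DIGESTS file."""
    digests, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1).upper()
        elif line and section == algo:
            hexdigest, _, name = line.partition("  ")
            digests[name.strip()] = hexdigest.lower()
    return digests

def verify_sha512(data, filename, digests_text):
    """True only if the archive bytes match the published SHA512 for filename."""
    expected = parse_digests(digests_text).get(filename)
    return expected is not None and hashlib.sha512(data).hexdigest() == expected

def parse_clamscan(output):
    """Collect (path, signature) for every FOUND line, ignoring OK and summary lines."""
    hits = (FOUND_RE.match(line) for line in output.splitlines())
    return [(m.group("path"), m.group("sig")) for m in hits if m]

# Constructed sample data so the script runs offline (not real Gentoo files).
SAMPLE_TARBALL = b"constructed stand-in for a stage3 tarball\n"
SAMPLE_DIGESTS = (
    "# SHA512 HASH\n"
    f"{hashlib.sha512(SAMPLE_TARBALL).hexdigest()}  stage3-amd64-constructed.tar.xz\n"
    "# WHIRLPOOL HASH\n"
    f"{'0' * 128}  stage3-amd64-constructed.tar.xz\n"
)
SAMPLE_SCAN = (
    "usr/bin/xzdec: Unix.Trojan.Vali-6606621-0 FOUND\n"
    "usr/bin/xz: OK\n\n"
    "----------- SCAN SUMMARY -----------\nInfected files: 1\n"
)

if __name__ == "__main__":
    ok = verify_sha512(SAMPLE_TARBALL, "stage3-amd64-constructed.tar.xz", SAMPLE_DIGESTS)
    print("archive matches published SHA512:", ok)
    for path, sig in parse_clamscan(SAMPLE_SCAN):
        print(f"triage: {path} flagged as {sig}")
```

A digest match (once the .DIGESTS file itself has been checked against its GPG signature) rules out a corrupted or tampered download, which leaves a remaining hit as a question about the antivirus signature or engine, the direction the rest of the thread takes.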
Chiitoo Administrator
Joined: 28 Feb 2010 Posts: 2571 Location: Here and Away Again
Posted: Sat Jul 14, 2018 5:38 am Post subject: ><)))°€
I'm inclined to believe that to be a false positive, but you never know. :]
For the sake of curiosity, I tested scanning the file too, two times.
First, with a “virus database is older than 7 days” (did not check how old, possibly one month almost exactly), and did not detect anything.
After a 'freshclam', however, I got what you got, so it's rather new, whatever it is.
Might submit a suspected false positive report (or a report to confirm it's indeed bad).
_________________
Kindest of regardses.
Maitreya Guru
Joined: 11 Jan 2006 Posts: 441
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
Posted: Sat Jul 14, 2018 12:32 pm Post subject:
FWIW...
Code:
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cld is up to date (version: 24751, sigs: 2013133, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 324, sigs: 89, f-level: 63, builder: neo)
Code:
bloomfield ~ # clamscan -i /usr/bin/xzdec
----------- SCAN SUMMARY -----------
Known viruses: 6573260
Engine version: 0.100.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.00:1)
Time: 23.375 sec (0 m 23 s)
bloomfield ~ # equery belongs /usr/bin/xzdec
 * Searching for /usr/bin/xzdec ...
app-arch/xz-utils-5.2.3 (/usr/bin/xzdec)
bloomfield ~ # equery l -op xz-utils
 * Searching for xz-utils ...
[IP-] [  ] app-arch/xz-utils-5.2.3:0
[-P-] [ ~] app-arch/xz-utils-5.2.4-r2:0
[-P-] [ -] app-arch/xz-utils-9999:0
https://ask.fedoraproject.org/en/question/123957/clamtk-scan-anomaly/
https://lists.debian.org/debian-user/2018/07/msg00579.html
_________________
Neddyseagoon wrote: The problem with leaving is that you can only do it once and it reduces your influence.
banned from #gentoo since sept 2017
Last edited by bunder on Sun Jul 15, 2018 11:45 pm; edited 2 times in total
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
Posted: Sat Jul 14, 2018 2:20 pm Post subject:
I checked the same Gentoo Stage 3 download using the version of ClamAV on a Lubuntu installation (0.99.4, the same as the latest Gentoo Stable version), and it also flagged the same file:
Code:
Sat Jul 14 14:46:13 2018 -> ClamAV update process started at Sat Jul 14 14:46:13 2018
Sat Jul 14 14:46:13 2018 -> WARNING: Your ClamAV installation is OUTDATED!
Sat Jul 14 14:46:13 2018 -> WARNING: Local version: 0.99.4 Recommended version: 0.100.1
Sat Jul 14 14:46:13 2018 -> DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
Sat Jul 14 14:46:13 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Sat Jul 14 14:46:15 2018 -> Downloading daily-24752.cdiff [100%]
Sat Jul 14 14:46:18 2018 -> daily.cld updated (version: 24752, sigs: 2013390, f-level: 63, builder: neo)
Can't query daily.24752.85.1.0.6810BA8A.ping.clamav.net
Sat Jul 14 14:46:18 2018 -> bytecode.cld is up to date (version: 324, sigs: 89, f-level: 63, builder: neo)
Sat Jul 14 14:46:21 2018 -> Database updated (6579728 signatures) from db.local.clamav.net (IP: 104.16.186.138)
Code:
ClamTk, v5.25
Sat Jul 14 15:02:10 2018
ClamAV Signatures: 6579639
Directories Scanned:
/home/fitzcarraldo/downloaded-gentoo-files/usr/bin
Found 1 possible threat (51374 files scanned).
/home/fitzcarraldo/downloaded-gentoo-files/usr/bin/xzdec Unix.Trojan.Vali-6606621-0
----------------------------------------------------------------------
Whereas bunder's results are for ClamAV 0.100.1 (the latest Testing version in Gentoo), which gives the file the all-clear. So it looks like it could be the version of the ClamAV application, not the signatures, that is at fault.
_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.
Fitzcarraldo's blog
jagdpanther l33t
Joined: 22 Nov 2003 Posts: 729
Posted: Sun Jul 15, 2018 1:06 am Post subject:
Although it appears that the clamav 'hit' on /usr/bin/xzdec is a false positive, I noticed that my old Gentoo system, which is up to date (software-wise, not hardware), does not trip clamav. So before I ran the chroot command on the new system, during the install, I just replaced the stage3-provided xzdec with the one from my old system. (Both are x86_64.) They are a few bytes different in size, and I suspect that my CFLAGS (and perhaps some USE flag) settings account for the difference in size.
krinn Watchman
Joined: 02 May 2003 Posts: 7470
Posted: Sun Jul 15, 2018 2:07 pm Post subject:
You might also look at the trojan's effect; it generally defines its nature. While this one is named "Unix", it still seems that it's one for Windows and not *nix.
And finding its pattern inside an ELF-format file is then a false positive.