LinuxQuestions.org
Old 09-02-2016, 09:11 PM   #1
mikew9
LQ Newbie
 
Registered: Sep 2016
Posts: 7

Rep: Reputation: Disabled
Why does clamav include windows viruses?


In the past when I was using pclinuxos, they didn't have clamav in the repos, so I installed clamav via a tarball downloaded from the official home page. After installing it and doing a scan, it found some viruses, but they were in the clamav directory where I untarred it. They were .exe files. I deleted them and ran the scan again and this time, 0 infected files found.

In January of this year, I installed clamav again, this time from the pclinuxos repos. They finally had it.

This month, I came across another popular antivirus program called Comodo at https://www.comodo.com/home/internet...-for-linux.php

After installing it, I did a scan with comodo and it found 11 viruses with .exe files in shared folders from clamav. This version of clamav was installed from the pclinuxos repos.

Question is, what is the purpose of these .exe viruses that clamav includes when installing clamav? Is this intentional or is it using these viruses as a reference for virus signatures or fingerprints?

I am

Anyway, I'm sticking with comodo. I don't trust clamav anymore.

PS: I am using antivirus software because my computer which runs linux, the greatest os in the world, is networked with other windows machines.

Also, there are sites that still use flash and java. And I access these types of sites from time to time.

Last edited by mikew9; 09-02-2016 at 09:21 PM.
 
Old 09-02-2016, 09:38 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mint, OpenBSD
Posts: 11,332
Blog Entries: 12

Rep: Reputation: 2727
What were the names of some of those *.exe files? False positives are hardly rare in virus detection.
 
Old 09-02-2016, 10:27 PM   #3
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 5,872

Rep: Reputation: Disabled
Probably some quarantined files from past scans.
 
Old 09-02-2016, 10:43 PM   #4
mikew9
LQ Newbie
 
Registered: Sep 2016
Posts: 7

Original Poster
Rep: Reputation: Disabled
@ frankbell
@ Emerson

When I ran Comodo antivirus, it found all 11 viruses in the /usr/share/doc/clamav/test/ directory.

frankbell, you were right. These 11 so-called viruses are false positives. I found a similar forum thread, when you install clamav it installs the test package. In the forum, they mentioned that these test viruses are fake viruses.

Either way, I am not taking a chance. After Comodo quarantined them, I elected to delete them as well.

Last edited by mikew9; 09-02-2016 at 10:49 PM.
 
Old 09-02-2016, 11:06 PM   #5
Emerson
LQ Guru
 
Registered: Nov 2004
Location: Saint Amant, Acadiana
Distribution: Gentoo ~arch
Posts: 5,872

Rep: Reputation: Disabled
What's your concern? I have had fun with clamav in the past, extracting Windows viruses from my browser cache. Got bored and stopped that.
 
Old 09-02-2016, 11:48 PM   #6
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mint, OpenBSD
Posts: 11,332
Blog Entries: 12

Rep: Reputation: 2727
Glad we could help. I can certainly understand your wanting to find out what was going on.

Emerson, I should have thought of the quarantine thingee. I was kicking myself when I saw your post.

As an aside, I've never quite understood that quarantine thing. I guess it makes sense if there's a chance you might wish to send the suspect file in for analysis, but deleting has always been my first choice. To quote Country Joe and the Fish, "Get that thing right out of here."
 
Old 09-03-2016, 05:03 AM   #7
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 5,990

Rep: Reputation: 1611
Since they're in a directory called "test" and they "test" positive, that suggests that they are for testing purposes. It's probably a good idea after installing an anti-virus program to check that it is actually scanning things, so including test files to test it makes sense if you want to test it somehow.
See also EICAR test file for testing using test scans that your AV is working.
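
A self-test along the lines post #7 suggests, as an added example that is not part of the original thread: it writes the harmless EICAR test string to a temporary file and checks that `clamscan` flags it. The function names are hypothetical; the exit codes relied on (0 clean, 1 virus found, 2 error) are clamscan's documented ones.

```shell
#!/bin/sh
# Added example: confirm an installed scanner actually detects something,
# using the harmless EICAR test string rather than real malware.

# Write the 68-byte EICAR test string to the path given as $1.
# The string is assembled from two halves so that this script is not
# itself flagged by a scanner.
write_eicar() {
    part1='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-'
    part2='ANTIVIRUS-TEST-FILE!$H+H*'
    printf '%s%s' "$part1" "$part2" > "$1"
}

# Return 0 if clamscan flags the test file, 1 if the file scans clean
# (the scanner is not doing its job), 2 if clamscan is missing or errored.
av_selftest() {
    command -v clamscan >/dev/null 2>&1 || return 2
    st_dir=$(mktemp -d) || return 2
    write_eicar "$st_dir/eicar.com"
    st_rc=0
    clamscan --no-summary "$st_dir/eicar.com" >/dev/null 2>&1 || st_rc=$?
    rm -rf "$st_dir"
    case $st_rc in
        1) return 0 ;;   # clamscan exit 1: virus found, detection works
        0) return 1 ;;   # exit 0: nothing found, signatures missing or stale
        *) return 2 ;;   # exit 2: clamscan error (for example no database)
    esac
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    av_selftest
    case $? in
        0) echo "OK: test file detected" ;;
        1) echo "FAIL: test file was not detected" ;;
        *) echo "SKIPPED: clamscan unavailable or returned an error" ;;
    esac
fi
```

The same test file can be dropped into a shared folder to confirm that an on-access or scheduled scan covers that location.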
 
Old 09-03-2016, 05:04 AM   #8
ondoho
Senior Member
 
Registered: Dec 2013
Posts: 4,159

Rep: Reputation: 822
Quote:
Originally Posted by mikew9 View Post
After installing it, I did a scan with comodo and it found 11 viruses with .exe files in shared folders from clamav.
i think it makes sense that a virus scanner sees a virus program's executables as a potential threat.

you should also check the other way round, if clamav recognizes comodo's files as a potential threat.
 
Old 09-03-2016, 08:26 PM   #9
mikew9
LQ Newbie
 
Registered: Sep 2016
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by 273 View Post
Since they're in a directory called "test" and they "test" positive, that suggests that they are for testing purposes. It's probably a good idea after installing an anti-virus program to check that it is actually scanning things, so including test files to test it makes sense if you want to test it somehow.
See also EICAR test file for testing using test scans that your AV is working.
I agree. I like to have an AV program in linux. No operating system is immune to viruses and malware. Many say linux doesn't need AV programs because there isn't much virus/malware in the wild for linux as there is for the windows operating systems.

In fact, many people say AV programs are really for linux servers that host file sharing between linux and windows users.

Quote:
Originally Posted by ondoho View Post
i think it makes sense that a virus scanner sees a virus program's executables as a potential threat.

you should also check the other way round, if clamav recognizes comodo's files as a potential threat.
I did. 0 infected files. : )
 
Old 09-03-2016, 08:33 PM   #10
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 5,990

Rep: Reputation: 1611
Quote:
Originally Posted by mikew9 View Post
In fact, many people say AV programs are really for linux servers that host file sharing between linux and windows users.
That is what ClamAV, in the main, is for -- hence the Windows executables as examples.
 
Old 09-03-2016, 09:15 PM   #11
Fred Caro
Member
 
Registered: May 2007
Posts: 999

Rep: Reputation: 166
The .exe viruses will linger in caches unless you empty them. Quarantine probably just changes the executable path.

Perhaps you should be looking for something that stops unwanted packets getting in, not neutralizing them when they have.

Fred.
 
Old 09-03-2016, 09:24 PM   #12
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 5,990

Rep: Reputation: 1611
Quote:
Originally Posted by Fred Caro View Post
The .exe viruses will linger in caches unless you empty them. Quarantine probably just changes the executable path.

Perhaps you should be looking for something that stops unwanted packets getting in, not neutralizing them when they have.

Fred.
Surely the test files in the path with "test" in it are to test the software in case a test shows that it doesn't work as it should when scanning test files?
Oh, sorry, did I forget to type "test", I meant to type test but, perhaps, I thought I typed "test" but didn't actually type "test" but just tested typing "test" instead?
 
Old 09-03-2016, 10:25 PM   #13
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 7,151

Rep: Reputation: 2203
Why bother with ClamAV, or any so-called "anti-virus software," at all?
 
Old 09-03-2016, 10:29 PM   #14
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mint, OpenBSD
Posts: 11,332
Blog Entries: 12

Rep: Reputation: 2727
Quote:
Why bother with ClamAV, or any so-called "anti-virus software," at all?
In my case, it's because a long time ago I promised myself that I would never connect to the internet unless I had an AV installed. That was about the time that Linux first became a thing and I was fighting with a virus (granted, it was on a floppy and was blocked by F-Prot, but even so . . . ). When using Linux, though, I must admit that I don't always keep that promise.
 
Old 09-03-2016, 10:30 PM   #15
273
LQ Addict
 
Registered: Dec 2011
Location: UK
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 5,990

Rep: Reputation: 1611
Quote:
Originally Posted by sundialsvcs View Post
Why bother with ClamAV, or any so-called "anti-virus software," at all?
To ensure that files served by one's Linux server don't infect Windows clients they are served to?
 
  

