LinuxQuestions.org
Old 02-17-2006, 07:52 PM   #1
cbjhawks
Member
 
Is this a false positive... A/V question


I have 4 machines:
Computer 1 has WinXP and Suse10 installed (same drive)
Computer 2 XP only
Computer 3 98SE only
Computer 4 Fedora4 only

I wanted to find a better A/V than what I was using for my XP machines (AVG 7 Free version)... so on Computer1 I uninstalled AVG and chose Bit Defender 9 Standard version (trial for 30 days)... upon installing BD9 I did a complete scan of Computer1 and it reported back with 4 viruses found.

The files were found on Disc3 of Fedora's ISO images (in My Documents folder) I used to burn a CD in order to install that distro on Computer4.

Bit Defender reported the following:
Trojan.Exploit.HTML.Iframe.Filedownload.AW (3 occurrences on iso disc3)
Exploit.HTML.IFrame.FileDownload.E (1 occurrence on iso disc3)

I Googled those messages and I'm not sure what I was reading; it appeared that it might not be a virus but a hole in the code used for Fedora4 that appears on my disc#3... but again I'm not sure. So I'm wondering if those were really viruses or if BD9 was just reporting a possible weakness in the code... follow? Any thoughts/links would be appreciated, and thanks in advance.
 
Old 02-17-2006, 07:56 PM   #2
XavierP
Moderator
 
Which files did it report were viruses?
 
Old 02-17-2006, 08:27 PM   #3
soulestream
Member
 
It was probably a false positive. But where did you get the .iso's from? Did you get them from the repos or from another site?


soule
 
Old 02-19-2006, 08:02 AM   #4
cbjhawks
Member
 
Original Poster
I got the ISO images from the Red Hat FTP site... here is the log for that particular scan; see the summary section.


//-----------------------------------------------------------------
//
// Product: BitDefender 9 Standard
// Version: 9.0
//
// Created on: 17/02/2006 09:15:45
//
//-----------------------------------------------------------------


Statistics

Scan path : C:\
Folders : 3961
Files : 609182
Archives : 69581
Packed files : 19889
Identified viruses : 2
Infected files : 4
Warnings : 0
Suspect files : 0
Disinfected files : 0
Deleted files : 0
Copied files : 0
Moved files : 0
Renamed files : 0
I/O errors : 130
Scan time : 01:11:05
Scan speed (files/sec) : 142

Virus definitions : 260800
Scan plugins : 13
Archive plugins : 39
Unpack plugins : 4
Mail plugins : 6
System plugins : 1

Scan options

Detection
[X] Scan boot sectors
[X] Scan archives
[X] Scan packed files
[X] Scan email

File mask
[ ] Programs
[X] All files
[ ] User defined extensions:
[ ] Exclude extensions: ;

Action

Infected objects
[ ] Ignore
[X] Disinfect
[ ] Delete
[ ] Copy to quarantine
[ ] Move to quarantine
[ ] Rename
[ ] Prompt user

Second action
[ ] Ignore
[ ] Delete
[ ] Copy to quarantine
[X] Move to quarantine
[ ] Rename
[ ] Prompt user

Scan options
[X] Enable warnings
[X] Enable heuristics
[ ] Show all files in log
[X] Report file: C:\Program Files\Softwin\BitDefender9\Logs\vscan_1140189345.log


Summary:

C:\Documents and Settings\Mom-Dad\My Documents\Fedora Core 4\FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4.gz=>FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4=>./usr/lib/mailman/tests/msgs/nimda.txt=>(IFRAME) Infected: Trojan.Exploit.Html.Iframe.Filedownload.AW
C:\Documents and Settings\Mom-Dad\My Documents\Fedora Core 4\FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4.gz=>FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4=>./usr/lib/mailman/tests/msgs/nimda.txt=>(IFRAME) Disinfection failed
C:\Documents and Settings\Mom-Dad\My Documents\Fedora Core 4\FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4.gz=>FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4=>./usr/lib/mailman/tests/msgs/nimda.txt=>[Subject: C:\WINNT\mmc.exebqinsghtmstaskicwconnh][Date: Wed, 19 Sep 2001 10:54:11 +0900 (JST)]=>(MIME part)=>(IFRAME) Infected: Trojan.Exploit.Html.Iframe.Filedownload.AW
C:\Documents and Settings\Mom-Dad\My Documents\Fedora Core 4\FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4.gz=>FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4=>./usr/lib/mailman/tests/msgs/nimda.txt=>[Subject: C:\WINNT\mmc.exebqinsghtmstaskicwconnh][Date: Wed, 19 Sep 2001 10:54:11 +0900 (JST)]=>(MIME part)=>(IFRAME) Disinfection failed
C:\Documents and Settings\Mom-Dad\My Documents\Fedora Core 4\FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4.gz=>FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4=>./usr/lib/mailman/tests/msgs/nimda.txt=>[Subject: C:\WINNT\mmc.exebqinsghtmstaskicwconnh][Date: Wed, 19 Sep 2001 10:54:11 +0900 (JST)]=>(MIME part)=>(MIME part)=>(IFRAME) Infected: Trojan.Exploit.Html.Iframe.Filedownload.AW
C:\Documents and Settings\Mom-Dad\My Documents\Fedora Core 4\FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4.gz=>FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4=>./usr/lib/mailman/tests/msgs/nimda.txt=>[Subject: C:\WINNT\mmc.exebqinsghtmstaskicwconnh][Date: Wed, 19 Sep 2001 10:54:11 +0900 (JST)]=>(MIME part)=>(MIME part)=>(IFRAME) Disinfection failed
C:\Documents and Settings\Mom-Dad\My Documents\Fedora Core 4\FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4.gz=>FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4=>./usr/lib/mailman/tests/msgs/nimda.txt=>[Subject: C:\WINNT\mmc.exebqinsghtmstaskicwconnh][Date: Wed, 19 Sep 2001 10:54:11 +0900 (JST)]=>(MIME part)=>(MIME part)=>(message body) Infected: Exploit.HTML.Iframe.FileDownload.E
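Triage of BitDefender summary lines like the ones above, as an added example that is not part of this thread: it splits each "=>" chain into the outermost on-disk file and the innermost real path, records the signature name and whether disinfection failed, and flags hits whose innermost path sits under a package's tests/ directory (a shipped test-message sample) so that the next step becomes checking the ISO against the vendor's published checksum rather than "disinfecting" it. The sample lines are constructed from the thread's own paths, shortened, plus one made-up non-fixture hit for contrast.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the BitDefender 9 "Summary:" format from the thread:
# each "=>" descends one container level (ISO -> RPM -> payload -> file).
# The first three lines are the thread's paths, shortened; the last is made up.
SAMPLE_LOG = r"""
C:\iso\FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4=>./usr/lib/mailman/tests/msgs/nimda.txt=>(IFRAME) Infected: Trojan.Exploit.Html.Iframe.Filedownload.AW
C:\iso\FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4=>./usr/lib/mailman/tests/msgs/nimda.txt=>(IFRAME) Disinfection failed
C:\iso\FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4=>./usr/lib/mailman/tests/msgs/nimda.txt=>[Subject: C:\WINNT\mmc.exe][Date: Wed, 19 Sep 2001 10:54:11 +0900 (JST)]=>(MIME part)=>(message body) Infected: Exploit.HTML.Iframe.FileDownload.E
C:\Downloads\invoice.zip=>invoice.html=>(IFRAME) Infected: Exploit.HTML.Iframe.FileDownload.E
"""

# Last chain element: optional scanner pseudo-object, then the verdict.
VERDICT_RE = re.compile(r"^(?:[\(\[].*?[\)\]])?\s*(?:Infected:\s*(?P<name>\S+)|(?P<failed>Disinfection failed))$")
# Pseudo-objects such as "(IFRAME)", "(MIME part)", "[Subject: ...]" are not paths.
PSEUDO_RE = re.compile(r"^[\(\[]")

@dataclass(frozen=True)
class Hit:
    top: str        # outermost on-disk file: the thing to hash against a vendor checksum
    innermost: str  # deepest real path inside the nested containers
    detection: str  # signature name, or "" for a status-only line
    status: str     # "Infected" or "Disinfection failed"

def parse_hit(line: str) -> Optional[Hit]:
    parts = line.strip().split("=>")
    if len(parts) < 2:
        return None
    m = VERDICT_RE.match(parts[-1].strip())
    real = [p for p in parts[:-1] if not PSEUDO_RE.match(p)]
    if not m or not real:
        return None
    status = "Disinfection failed" if m.group("failed") else "Infected"
    return Hit(parts[0], real[-1], m.group("name") or "", status)

def triage(log: str) -> dict:
    """Group hits by innermost path and flag packaged test fixtures."""
    groups = defaultdict(lambda: {"lines": 0, "detections": set(), "top": None})
    for hit in filter(None, map(parse_hit, log.splitlines())):
        g = groups[hit.innermost]
        g["lines"] += 1
        g["top"] = hit.top
        if hit.detection:
            g["detections"].add(hit.detection)
    for path, g in groups.items():
        # Test-message corpora ship under a tests/ directory inside the package.
        g["test_fixture"] = re.search(r"(^|/)tests?/", path) is not None
        g["next_step"] = ("verify the outer file against the vendor checksum or GPG signature"
                          if g["test_fixture"] else "quarantine and inspect the file")
    return dict(groups)
```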
 
Old 02-21-2006, 07:50 AM   #5
unSpawn
Moderator
 
C:\Documents and Settings\Mom-Dad\My Documents\Fedora Core 4\FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4.gz=>FC4-i386-disc3.iso=>Fedora/RPMS/mailman-2.1.5-35.fc4.i386.rpm=>mailman-2.1.5-35.fc4=>./usr/lib/mailman/tests/msgs/nimda.txt=>[Subject:
And the directoryname doesn't give you any clues?..
 
  

