LinuxQuestions.org
Forums > Linux Forums > Linux - Security
11-13-2009, 02:23 AM   #1   Lancelot1 (Member; Registered: Dec 2007; Location: Amsterdam; Distribution: (K)Ubuntu; Posts: 102; Reputation: 15)

security issue or not? And if so what to do?

Hi there,

I have installed Ultimate Ubuntu 9.04 on my PC and after running KlamAV there seems to be no problem. Then when I update Linux using the standard repositories for this release I get a lot of so-called threats/warnings regarding encrypted .zip files. I have googled for it on the ClamAV site and in its known threats/virus database and couldn't find anything.

There seems to be an issue, as I see through Firestarter a lot of connection attempts to known virus ports (I am running a P2P file sharing program, Transmission).

Do I need to quarantine these files (some files belong to KlamAV itself, which prevents me from running it any longer)?

I am a bit puzzled by this all, as I know the P2P isn't the issue and the update of Ubuntu (also ClamAV) shouldn't be such a big issue.

Cheers, any help is welcome.
 
11-13-2009, 06:23 AM   #2   Lancelot1 (Original Poster)

OK, found this in another small Linux forum:

quote: Posted 20 September 2008 - 11:21 AM
I think that ClamAV has a tendency for false positives.

On my install of KlamAV, I have the boxes unchecked for:
* Treat a Broken Executable as a Virus
* Mark Encrypted Files as Suspicious

Is this wise? The reason seems obvious. I don't want to be allowing stupid things to happen to my PC that could have been prevented. Too many viruses can do too much damage.

Anyway, anyone here with more KlamAV/ClamAV experience who can advise on how to go about this? Still curious why a clean install gives no virus and after an update there are more than 50 (mostly encrypted files) warnings.
 
11-13-2009, 09:05 AM   #3   unixfool (Member; Registered: May 2005; Location: Northern VA; Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X; Posts: 781; Blog Entries: 8; Reputation: 157)

Quote:
Originally Posted by Lancelot1
OK, found this in another small Linux forum:

quote: Posted 20 September 2008 - 11:21 AM
I think that ClamAV has a tendency for false positives.

On my install of KlamAV, I have the boxes unchecked for:
* Treat a Broken Executable as a Virus
* Mark Encrypted Files as Suspicious

Is this wise? The reason seems obvious. I don't want to be allowing stupid things to happen to my PC that could have been prevented. Too many viruses can do too much damage.

Anyway, anyone here with more KlamAV/ClamAV experience who can advise on how to go about this? Still curious why a clean install gives no virus and after an update there are more than 50 (mostly encrypted files) warnings.
I'm not familiar with ClamAV or its variants, but you probably need to determine if the software is alerting on the facts that 1) it's treating all broken executables as viruses and not doing any actual analysis, or 2) it is marking encrypted files as suspicious without conducting actual analytics. To me, these are big deals. Just because a file is broken or encrypted doesn't mean it is malicious. Maybe conduct searches on the file names that are flagged by ClamAV to determine if the software normally shows the files as suspicious...that would be a good start.

Case in point: I've a work machine with some forensics files on a drive and every time Symantec scans these files, it flags and locks them down, when I know for a fact they are legit. Sometimes AV tools are dumb like that, but it's up to you to apply the human factor and determine if the AV tool is generating false positives.

Just my thoughts...
 
11-13-2009, 09:36 AM   #4   slimm609 (Member; Registered: May 2007; Location: Chas, SC; Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack; Posts: 428; Reputation: 65)

Quote:
Originally Posted by unixfool
I'm not familiar with ClamAV or its variants, but you probably need to determine if the software is alerting on the facts that 1) it's treating all broken executables as viruses and not doing any actual analysis, or 2) it is marking encrypted files as suspicious without conducting actual analytics. To me, these are big deals. Just because a file is broken or encrypted doesn't mean it is malicious. Maybe conduct searches on the file names that are flagged by ClamAV to determine if the software normally shows the files as suspicious...that would be a good start.

Case in point: I've a work machine with some forensics files on a drive and every time Symantec scans these files, it flags and locks them down, when I know for a fact they are legit. Sometimes AV tools are dumb like that, but it's up to you to apply the human factor and determine if the AV tool is generating false positives.

Just my thoughts...
For the broken files the case is true: it should still be able to scan them. With the encrypted files it could scan them, but what good would it do?

It could be an encrypted container with 10 different viruses in it and it would not know, or it could just be your bank statements that you're protecting. Either way, it's just alerting you to them so that you know they exist.

The problem with forensic tools is that most are now being reported to the AV companies as exploits so that they can remove them if they find them on the system, because some of the same tools you use are the ones the attackers use.

Last edited by slimm609; 11-13-2009 at 09:39 AM.
 
11-13-2009, 11:52 AM   #5   unixfool

Quote:
Originally Posted by slimm609
For the broken files the case is true: it should still be able to scan them. With the encrypted files it could scan them, but what good would it do?

It could be an encrypted container with 10 different viruses in it and it would not know, or it could just be your bank statements that you're protecting. Either way, it's just alerting you to them so that you know they exist.

The problem with forensic tools is that most are now being reported to the AV companies as exploits so that they can remove them if they find them on the system, because some of the same tools you use are the ones the attackers use.
Understood.

There's not much that can be done with encrypted files from the AV standpoint, other than alert on them because they can't be thoroughly scanned. It is up to the user to investigate these files and where they originated from.

As with the forensics example, I've also seen it happen with several non-forensics tools. As another example, I've seen RAdmin being reported as a hacking tool when used on a customer's internal network. When escalating this to the customer, they verified that an admin was remoted into another machine on the same network and was performing system maintenance...false positive. A legitimate tool can be abused, yeah, but to apply a blanket statement that the tool itself is a trojan just because it has been used to take over a misconfigured application does not mean that every time it is used, the AV alarms on the traffic.

The biggest problem is that applications that determine what's good and what's bad aren't always right. I say this as a person who was charged with running an enterprise AV solution. Trust me when I say that there were many times when the solution would not work properly. When alerts are sent that indicate badness on a tool that you KNOW has not been corrupted or is NOT malicious, it devalues the trust of AV. The same applies for any security tool, as IDSs and IPSs are not fallible, either (this opinion is based on professional use). I definitely support the human factor when using such tools. They may help in many cases, but they can also be a big PITA.

The most important thing that the OP should do is to research the files and how ClamAV normally handles such files. I doubt that his system updates are valid alerts, unless he's using some rogue repository. We won't know until he reports back, though.

Last edited by unixfool; 11-13-2009 at 11:54 AM.
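Posts #3 to #5 make one practical point: an "Encrypted.*" alert is a heuristic the scanner raises because it could not look inside the archive, not a signature match, so it belongs in a "review by hand" pile rather than the quarantine. The following script is an added example, not code from the thread or from ClamAV; it assumes report lines in the "path: NAME FOUND" / "path: OK" form that clamscan prints, and the sample report is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): sort a clamscan-style report into
# signature hits (the scanner matched a known pattern) and "Encrypted.*"
# notices (the scanner could not look inside and only flags that fact),
# so the second group is reviewed by hand instead of being quarantined blindly.

# Constructed sample in the "path: NAME FOUND" / "path: OK" form clamscan prints.
# The first two lines mimic the encrypted-archive heuristic, with and without the
# "Heuristics." prefix newer releases add; the EICAR line mimics a real signature hit.
SAMPLE_REPORT='/usr/share/doc/foo/examples.zip: Encrypted.Zip FOUND
/usr/lib/bar/data.zip: Heuristics.Encrypted.Zip FOUND
/home/user/Downloads/eicar.com: Eicar-Test-Signature FOUND
/usr/bin/ls: OK
/etc/hosts: OK'

# Lines flagged only because the archive is encrypted: these need a human decision.
encrypted_notices() {   # $1 = report text
    printf '%s\n' "$1" | grep 'Encrypted\.[^ ]* FOUND$' || true
}

# Lines flagged by an actual detection name: treat these as real findings.
signature_hits() {      # $1 = report text
    printf '%s\n' "$1" | grep ' FOUND$' | grep -v 'Encrypted\.[^ ]* FOUND$' || true
}

# One-line summary of the three classes, e.g. "signature=1 encrypted=2 clean=2".
triage_summary() {      # $1 = report text
    sig=$(signature_hits "$1" | grep -c .) || true
    enc=$(encrypted_notices "$1" | grep -c .) || true
    ok=$(printf '%s\n' "$1" | grep -c ': OK$') || true
    printf 'signature=%s encrypted=%s clean=%s\n' "$sig" "$enc" "$ok"
}

# Stand-alone run on the sample: print the summary, then list the encrypted
# notices so each path can be traced to the package that owns it
# (on Debian/Ubuntu: dpkg -S /usr/lib/bar/data.zip).
triage_summary "$SAMPLE_REPORT"
encrypted_notices "$SAMPLE_REPORT"
```

In the ClamAV 0.9x series current when this thread was written, the heuristic behind KlamAV's "Mark Encrypted Files as Suspicious" box was clamscan's --block-encrypted option (renamed --alert-encrypted in later releases), so re-running the scan with it turned off shows how many of the "more than 50" warnings fall into the encrypted class; for the rest, dpkg -S on the path tells you which package shipped the file, which is the search unixfool recommends.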
 
11-14-2009, 07:51 AM   #6   Lancelot1 (Original Poster)

Anyway, we are diverting a bit from this investigation, as it has nothing to do with any forensics stuff, although this is sometimes good to know.

The issue seems to be, after some trial and error, that some repository IS responsible for the encrypted files or the false positive. I found that the files that were encrypted were nearly all in the /usr/bin or /usr/share or /usr/lib directories.

Now, to somehow exclude repositories and/or include the repository that updates KlamAV/ClamAV, I have done a fresh install in a VBox and am going to run every repository update separately to watch for possible virus alerts. As a last update I will also update ClamAV and then scan for the encrypted files.

I will find either a virus alert during the update of the distro and/or 3rd party software (repository), or the virus alerts during a scan with the updated ClamAV version.

BTW, I found after comparing the files before and after the update that no modification date changed, just the permission date. I am getting the impression that the new ClamAV files have a false positive alert in them.

But first things first:

1. basic update -- scan
2. 3rd party update -- scan
3. update of klamAV/clamAV -- scan

Will be back
 
11-15-2009, 03:02 AM   #7   Lancelot1 (Original Poster)

OK, after some updates and scans I discovered that the update from the Ubuntu 9.04 ClamAV to the recommended ClamAV files gave the problem.

I.e., when updating the 4 files:

clamav
clamav-base
clamav-freshclam
libclamav6

the scans reported the encrypted files. Now there is an issue: are these files giving false positives or are they real?

Any idea? Because this does seem an issue when you want to rely on this anti-virus software.

cheers
 
11-15-2009, 12:48 PM   #8   unixfool

Quote:
Originally Posted by Lancelot1
Anyway, we are diverting a bit from this investigation, as it has nothing to do with any forensics stuff, although this is sometimes good to know.
The forensics example was just that...an example. I can swap the forensics tool within the example with, for instance, ClamAV, and it mirrors your issue, no? The example was meant to explain that tools such as AV sometimes generate false alarms on legit tools. Also, if you look at the last paragraph of my last post, you'd see that I gave you a direction to go. I addressed slimm609's comments in the upper part of the post while giving you some guidance in the lower part of the post. It is up to the reader to filter what they need from any post and I felt the need to fork away from your question, although I still addressed the issue in a separate part of the post.

Quote:
Originally Posted by Lancelot1
OK, after some updates and scans I discovered that the update from the Ubuntu 9.04 ClamAV to the recommended ClamAV files gave the problem.

I.e., when updating the 4 files:

clamav
clamav-base
clamav-freshclam
libclamav6

the scans reported the encrypted files. Now there is an issue: are these files giving false positives or are they real?

Any idea? Because this does seem an issue when you want to rely on this anti-virus software.

cheers
It is weird that ClamAV is alerting on itself, but that doesn't mean that the alert isn't valid. In fact, that would be a VERY good vector for a piece of malware to insert its way into a system.

Compare the hashes of the files on the repository with the ones you've gotten from the update to determine the trustworthiness of the files. If they match and you still think something is hokey, ask the repository maintainer to look into the integrity of these files. If he/she can validate that they're OK, then ClamAV may be the issue. Of course, you can also compare the files yourself by running 'diff' on the code, I guess, but that may present challenges.

Note that this is all just my 2 cents. slimm609's and anyone else's comments may serve you just as well. Do what you feel is necessary to solve the issue based on input from others. Just keep in mind that the LQ pool of security knowledge is vast and you may receive quite a few recommendations based on problems you present to the forums. Some may work for you while others may not, but it is up to you to determine what may be best for your situation.

Last edited by unixfool; 11-15-2009 at 12:50 PM. Reason: edited for clarity...
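unixfool's suggestion to compare the hashes of the repository's files with what the update installed, as an added example that is not part of the thread: a small POSIX shell verifier that checks every file under a root directory against a "hash  path" manifest. SHA-256 is a choice made for this example, and the demo tree, its manifest and the tampering are all constructed inline so the script runs on its own.

```shell
#!/bin/sh
# Added example (not from the thread): check files on disk against a
# "hash  relative/path" manifest, the same idea as comparing the repository's
# checksums with what an update actually installed. Prints one line per file
# and returns 0 only when every file is present and matches.

verify_manifest() {   # $1 = manifest file (sha256sum output lines), $2 = root directory
    manifest=$1; root=$2; status=0
    while read -r expected relpath; do
        [ -n "$relpath" ] || continue              # skip blank lines
        file="$root/$relpath"
        if [ ! -f "$file" ]; then
            echo "MISSING  $relpath"; status=1; continue
        fi
        actual=$(sha256sum "$file" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $relpath"
        else
            echo "MISMATCH $relpath"; status=1
        fi
    done < "$manifest"
    return "$status"
}

# Constructed demo tree: record the hashes, then change one file and delete another,
# which is what a tampered or broken update would look like to this check.
DEMO_DIR=$(mktemp -d)
mkdir -p "$DEMO_DIR/usr/bin" "$DEMO_DIR/usr/share/doc/tool"
printf 'original binary\n' > "$DEMO_DIR/usr/bin/tool"
printf 'readme\n'          > "$DEMO_DIR/usr/share/doc/tool/README"
printf 'changelog\n'       > "$DEMO_DIR/usr/share/doc/tool/changelog"
( cd "$DEMO_DIR" && find usr -type f | sort | xargs sha256sum ) > "$DEMO_DIR/manifest.sha256"
printf 'modified binary\n' > "$DEMO_DIR/usr/bin/tool"        # tamper with one file
rm "$DEMO_DIR/usr/share/doc/tool/changelog"                  # remove another

# Stand-alone run: expect one OK, one MISMATCH, one MISSING and a non-zero status.
verify_manifest "$DEMO_DIR/manifest.sha256" "$DEMO_DIR" || echo "integrity check FAILED (status $?)"
```

On Debian/Ubuntu the reference list already exists: each .deb carries an MD5 manifest of its files, dpkg keeps a copy under /var/lib/dpkg/info/<package>.md5sums, and debsums compares the installed files against it. As the thread says, the manifest to trust is the one taken from a freshly downloaded copy of the package, not the one on the possibly affected system, because a tampered package could bring a matching manifest of its own.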
 
11-16-2009, 03:59 PM   #9   Lancelot1 (Original Poster)

Quote:
Originally Posted by unixfool
The forensics example was just that...an example.
Yes I know, and it is clear to me. For me it is easier as someone doing this for a living to stay focused. So I sometimes cut off examples to go "back to the herd" so to say.

Quote:
Originally Posted by unixfool
It is up to the reader to filter what they need from any post and I felt the need to fork away from your question, although I still addressed the issue in a separate part of the post.
Yes also I know and it is much appreciated.

Quote:
Originally Posted by unixfool
It is weird that ClamAV is alerting on itself, but that doesn't mean that the alert isn't valid. In fact, that would be a VERY good vector for a piece of malware to insert its way into a system.
Yup agree 100%

Quote:
Originally Posted by unixfool
Compare the hashes of the files on the repository with the ones you've gotten from the update to determine the trustworthiness of the files.
And this is what I needed, although I will go a different way. The files that got a "warning" were mostly not the files that were updated. So I was thinking the 4 "recommended updates" from ClamAV could be the issue. I will go and check their hashes and/or validity. As it is only 4 files this would make things easier. Also, although this is not 100% valid research, a lot of the files I did check on size, date stamp, authorisation etc. did not change before or after the update. So unless the whole distro is corrupt (unlikely imho) I tend to trust them.
This however doesn't mean that there is nothing wrong, because for some reason I am getting these alerts.

Will post back, or update to 9.10 and see how that goes.

Thanks for now.
 
  


Tags
clamav, klamav