LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   AVG Anti virus (https://www.linuxquestions.org/questions/linux-security-4/avg-anti-virus-699450/)

yaarappa 01-23-2009 03:19 PM

AVG Anti virus
 
I downloaded AVG anti virus for Suse Linux. It installed without any problems and did a scan of my hard disk and identified two viruses. But it did not clean or quarantine the files. The files look legit to me. What do I do?

Following are the files supposed to be infected:

/lib/modules/2.6.25.18-0.2-default/kernel/drivers/scsi/scsi_mod.ko
/lib/modules/2.6.25.18-0.2-default/kernel/drivers/scsi/scsi_transport_fc.ko


Please advise

Thank you!

unSpawn 01-23-2009 04:36 PM

Quote:

Originally Posted by yaarappa (Post 3419008)
identified two viruses. (..)

I doubt they're infected but it would be better though to provide details that actually help determine their state, like tell us what AVG version you're using, if you used current signatures, what the actual message was and the result of verifying these files with your package manager.

win32sux 01-23-2009 08:15 PM

I'm willing to bet you've got heuristic scanning enabled in AVG, and that disabling it would cause the infection warning to vanish (which would provide near certainty that this is a false positive). But regardless of whether that's the case or not, you should have your package manager verify the files (as suggested by unSpawn). BTW, if I were you I'd boot a live CD, mount the drive read-only, and then get a sha1sum of the two files in order to compare with the sha1sum of the ones in the original package, which I presume is this one (I'm not sure).

yaarappa 01-24-2009 05:07 PM

Still the same message
 
Hi, Thank you guys for your messages.

I disabled the Heuristic analysis and scanned again but received the same error message. Which is "Virus found downloader.Obfuskated" against these two files.

I am fairly new to Linux. I do not know how to compare files. When I looked at the files from my hard drive and the link that you sent me, the only difference I see is the file size.

scsi_transport_fc.ko on PC is 92.6 KB, on the link 56.9 KB
scsi_mod.ko on PC is 293.2 KB, on the link 191.1 KB

Now this may be because the link you sent me is i586 and my PC is different, I assume it is x86_64. If there is a way I can confirm this please tell me?

Also how do I check the file on the installation DVD?

Pardon my ignorance!

Thank you in advance for your help with this matter

win32sux 01-24-2009 05:20 PM

Quote:

Originally Posted by yaarappa (Post 3420142)
Hi, Thank you guys for your messages.

I disabled the Heuristic analysis and scanned again but received the same error message. Which is "Virus found downloader.Obfuskated" against these two files.

I am fairly new to Linux. I do not know how to compare files. When I looked at the files from my hard drive and the link that you sent me, the only difference I see is the file size.

scsi_transport_fc.ko on PC is 92.6 KB, on the link 56.9 KB
scsi_mod.ko on PC is 293.2 KB, on the link 191.1 KB

Now this may be because the link you sent me is i586 and my PC is different, I assume it is x86_64. If there is a way I can confirm this please tell me?

You can download the x86_64 equivalent here.

To use sha1sum to check whether two files are exactly the same you do a:
Code:

sha1sum example.txt

This example would give you the SHA1 checksum for the example.txt file.

BTW, everything I've seen after googling that virus name indicates this is a 100% Windows virus, which makes it even more likely this is a false positive. In any case, you're definitely not the only one seeing AVG display this behavior on Linux. I'm guessing there's something about the SCSI code which makes it look like that virus. But do the checksum to be sure, of course.
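As an added example (not code from the thread or from win32sux), here is a small POSIX shell script that does what this post describes end to end: confirm the machine architecture (the i586 vs x86_64 question), pull the module out of the downloaded kernel RPM without installing it, and compare SHA-1 digests. The RPM file name and module path in the usage comment, and the presence of rpm2cpio and cpio, are assumptions about a SUSE 11 system; the files used in the test are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Compares an installed kernel
# module with the copy inside the package it came from, using sha1sum.

# Which architecture is this install? Decides whether the i586 or the
# x86_64 kernel RPM is the right one to compare against.
machine_arch() {
    uname -m        # prints x86_64 on a 64-bit install, i686 (i586 package) on 32-bit
}

# SHA-1 digest of one file, digest only ("sha1sum" prints "digest  name").
sha1_of() {
    sha1sum "$1" | cut -d' ' -f1
}

# Exit status 0 when both files have the same SHA-1, 1 otherwise.
# A different digest only means "not byte-identical": if the package
# version differs from the installed one, a mismatch is expected and
# proves nothing about infection.
same_sha1() {
    [ "$(sha1_of "$1")" = "$(sha1_of "$2")" ]
}

# Pull one file out of a downloaded .rpm without installing it.
# Assumes rpm2cpio and cpio are present (they are on SUSE).
#   $1 = path to the .rpm, $2 = path inside the package without the
#   leading slash, $3 = scratch directory. Prints the extracted path.
extract_from_rpm() {
    rpm_file=$1; inner=$2; dest=$3
    mkdir -p "$dest"
    # rpm payloads list members as ./lib/modules/..., hence the "./" prefix
    rpm2cpio "$rpm_file" | ( cd "$dest" && cpio -idm --quiet "./$inner" )
    printf '%s/%s\n' "$dest" "$inner"
}

# Usage on the real system (RPM name and module path are assumptions):
#   mod=lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/scsi_mod.ko
#   machine_arch                                  # must match the RPM's arch
#   pkg=$(extract_from_rpm kernel-default-2.6.25.20-0.1.x86_64.rpm "$mod" /tmp/pkg)
#   same_sha1 "/$mod" "$pkg" && echo identical || echo DIFFERENT
```

Compare only against an RPM of the same version, release and architecture as the installed module (`uname -r` gives the running kernel version), or the digests will differ for entirely innocent reasons, exactly as happened with the i586 download later in this thread.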

yaarappa 01-25-2009 04:46 PM

Hi,

Thank you for your insights. I am a bit more peaceful now. Seems like a Windows virus.

How do I do the sha1sum test? Do I type this in the GNOME terminal or elsewhere?

Also do you know of any virus scanners that would work on Suse 11?

Cheers,

win32sux 01-25-2009 05:41 PM

Quote:

Originally Posted by yaarappa (Post 3421057)
Hi,

Thank you for your insights. I am a bit more peaceful now. Seems like a Windows virus.

How do I do the sha1sum test? Do I type this in the GNOME terminal or elsewhere?

Also do you know of any virus scanners that would work on Suse 11?

Cheers,

You should verify the integrity of those files before declaring peace! :)

Yes, you can use GNOME terminal (or any other terminal emulator).

The only antivirus I use is ClamAV (it works on any distro, and it's free (as in freedom), which is important to me). Unlike you, I don't use it to scan the system - I just scan files I download (or that people give me) before using them. For making sure my system's integrity hasn't been compromised I instead rely on a HIDS (Tripwire in my particular case).

unSpawn 01-25-2009 05:47 PM

(BTW, you shouldn't have to use sha1sum, if the kernel installed (run 'rpm -q kernel') for example returns "kernel-default-2.6.25" you should be able to verify the package contents by running 'rpm -qVv kernel-default-2.6.25'.)
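An added example (not unSpawn's or the thread's own code): a shell filter that reads `rpm -V` output and keeps only the failures that matter for a "has this file been tampered with?" question, namely content mismatches and missing files, while setting aside config-file and documentation noise. The sample `rpm -V` lines fed to it are constructed for the example; on the real box you would pipe the verification of the package that owns the module into it, as in the usage comment. The flag letters are rpm's documented verify format.

```shell
#!/bin/sh
# Added example, not unSpawn's or the thread's code: reduce "rpm -V" output
# to the failures worth looking at. rpm -V prints nothing for files that
# pass; for each failing file it prints a flag field, an optional
# file-type letter, and the path:
#   S size  M mode  5 digest  D device  L symlink  U user  G group
#   T mtime  P capabilities (newer rpm)  . = test passed  ? = not checked
#   type letter: c config  d documentation  g ghost  l license  r readme
rpm_verify_suspicious() {
    awk '
    $1 == "missing" { print "MISSING " $NF; next }
    $1 !~ /^[SM5DLUGTP?.]+$/ { next }        # dependency messages etc.
    {
        flags = $1
        type  = (NF >= 3) ? $2 : ""
        path  = $NF                          # paths with spaces not handled
        if (type == "d") next                # documentation: not interesting
        if (type == "c") {                   # config files change legitimately
            if (flags ~ /5/) print "CONFIG-CHANGED " path
            next
        }
        if (flags ~ /[S5D]/)       print "CONTENT " path   # bytes differ
        else if (flags ~ /[MLUG]/) print "META " path      # owner/mode/link
    }'
}

# Constructed sample of rpm -V output (not real output from the poster's box).
sample_rpm_v() {
    cat <<'EOF'
S.5....T.    /lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/scsi_mod.ko
.......T.  d /usr/share/doc/packages/kernel-default/README.SUSE
S.5....T.  c /etc/sysconfig/kernel
.M.......    /sbin/modprobe
missing      /lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/scsi_transport_fc.ko
EOF
}

# Real use: find the package that owns the flagged module (on openSUSE it
# is kernel-default, not "kernel"), verify it, or verify everything.
#   rpm -qf /lib/modules/$(uname -r)/kernel/drivers/scsi/scsi_mod.ko
#   rpm -V "$(rpm -qf /lib/modules/$(uname -r)/kernel/drivers/scsi/scsi_mod.ko)" | rpm_verify_suspicious
#   rpm -Va | rpm_verify_suspicious
```

A "CONTENT" line for a kernel module is the result that would justify the worry in this thread; an empty result, as the poster eventually got, means rpm's stored digests match the files on disk. The caveat is that rpm's database lives on the same disk, so an attacker with root could have updated it too, which is why a baseline kept off the machine (a HIDS database, or digests taken from a live CD) is the stronger check.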

yaarappa 01-26-2009 05:25 PM

Quote:

Originally Posted by win32sux (Post 3421086)
You should verify the integrity of those files before declaring peace! :)

Yes, you can use GNOME terminal (or any other terminal emulator).

The only antivirus I use is ClamAV (it works on any distro, and it's free (as in freedom), which is important to me). Unlike you, I don't use it to scan the system - I just scan files I download (or that people give me) before using them. For making sure my system's integrity hasn't been compromised I instead rely on a HIDS (Tripwire in my particular case).

I used the GNOME terminal and this is the result on my PC:
5d2b4589a01282df406ae4971ddbdcf192d795db  scsi_transport_fc.ko
ddcfb05f56380bfb76e30ba700cd0f2cafd8e67d  scsi_mod.ko

I do not know how to test the kernel I downloaded using the link you provided, so I copied only the two files I needed to compare to a temporary directory and did the sha1sum test, and the result:
b770ba73bec92822e25ec0dd02ad2d8972a278fe  scsi_mod.ko
3f40c7f3c7d6c58e3ac8083e425536df21b413d3  scsi_transport_fc.ko

I do not know what to make of this. I also ran AVG to check the temporary directory where I copied the two files and it came up as infected.

One more change I noticed was the directory.
Previously it was -
/lib/modules/2.6.25.18-0.2-default/kernel/drivers/scsi/scsi_mod.ko
/lib/modules/2.6.25.18-0.2-default/kernel/drivers/scsi/scsi_transport_fc.ko

Now
/lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/scsi_mod.ko
/lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/scsi_transport_fc.ko

I have ClamAV - I checked the files with that and they seem fine. But I was told to use it only to scan Windows files. Since I don't have Windows I never used it.

How do I obtain a HIDS tool?

Also, as unSpawn said, I ran both 'rpm -q kernel' and 'rpm -qVv kernel-default-2.6.25'; neither yielded any results.

Sorry this is so long. Hope you can shed some light into this.

Cheers,

win32sux 01-26-2009 07:07 PM

Quote:

Originally Posted by yaarappa (Post 3422169)
One more change I noticed was the directory.
Previously it was -
/lib/modules/2.6.25.18-0.2-default/kernel/drivers/scsi/scsi_mod.ko
/lib/modules/2.6.25.18-0.2-default/kernel/drivers/scsi/scsi_transport_fc.ko

Now
/lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/scsi_mod.ko
/lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/scsi_transport_fc.ko

Sounds like your kernel package was upgraded.

The directory containing the files I linked shows this new version of yours is indeed the current latest.

Quote:

I have ClamAV - I checked the files with that and they seem fine. But I was told to use it only to scan Windows files. Since I don't have Windows I never used it.
I don't have Windows either.

Quote:

How do I obtain a HIDS tool?
You can start by looking in your distro's repositories for packages like AIDE or Tripwire. I suggest you take your time reading a HOWTO before installing it, though. Also, keep in mind that installing a HIDS after a system has been exposed won't ever provide you with the same levels of assurance that installing it right after a fresh system install would.

Quote:

Also, as unSpawn said, I ran both 'rpm -q kernel' and 'rpm -qVv kernel-default-2.6.25'; neither yielded any results
I don't use RPM, but according to this, that would mean you're good to go:
Quote:

When verifying a package, RPM produces output only if there is a verification failure.
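To make the HIDS advice above concrete, here is an added example of a minimal AIDE configuration that watches the same things this thread verified by hand (kernel modules, boot files, system binaries). It is not from the thread or from the AIDE project; the database paths, rule letters and file layout are the editor's assumptions about AIDE's default openSUSE setup, so check them against the aide.conf(5) manual page for the version in your repository.

```conf
# Added example: a minimal /etc/aide.conf. Paths and attribute names are
# assumptions about AIDE's defaults on openSUSE; verify against aide.conf(5).
database=file:/var/lib/aide/aide.db           # baseline read by --check
database_out=file:/var/lib/aide/aide.db.new   # written by --init / --update
report_url=stdout

# Rule groups. p=perms i=inode n=link count u=uid g=gid s=size b=blocks
# m=mtime c=ctime, plus a digest of the contents.
Binlib   = p+i+n+u+g+s+b+m+c+sha1
ConfOnly = p+u+g+sha1          # config files change legitimately; watch
                               # ownership and content, ignore timestamps

# What to watch.
/lib/modules Binlib            # the files AVG flagged in this thread
/boot        Binlib
/bin         Binlib
/sbin        Binlib
/lib         Binlib
/etc         ConfOnly
!/etc/mtab                     # rewritten on every mount; pointless to track

# Workflow (commands, not part of the config file):
#   aide --init                   right after a fresh install, before the
#                                 machine is exposed to anything
#   mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
#   (keep a copy of aide.db on read-only media or another host; a baseline
#    stored only on the monitored disk can be rewritten by whoever got in)
#   aide --check                  periodically; a "changed" entry under
#                                 /lib/modules is what you then verify
#                                 against the package, as done in this thread
```

The point win32sux makes about timing is visible in the workflow: `aide --init` records whatever is on disk at that moment, so a baseline taken after a compromise would faithfully record the compromised files as normal.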

yaarappa 01-27-2009 12:40 PM

Hi,

Thank you again for your inputs. I take it the files are clean then?

I found AIDE in YaST2. I will do some reading to find out what I should do before installing.

Cheers

