LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-23-2009, 03:19 PM   #1
yaarappa
Member
 
Registered: Aug 2008
Location: Cumbria, UK
Distribution: OpenSuse 11
Posts: 148

Rep: Reputation: 16
AVG Anti virus


I downloaded AVG anti virus for Suse Linux. It installed without any problems and did a scan of my hard disk and identified two viruses. But it did not clean or quarantine the files. The files look legit to me. What do I do?

Following are the files supposed to be infected:

/lib/modules/2.6.25.18-0.2-default/kernel/drivers/scsi/scsi_mod.ko
/lib/modules/2.6.25.18-0.2-default/kernel/drivers/scsi/scsi_transport_fc.ko


Please advise.

Thank you!
 
Old 01-23-2009, 04:36 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote:
Originally Posted by yaarappa
identified two viruses. (..)
I doubt they're infected but it would be better though to provide details that actually help determine their state, like tell us what AVG version you're using, if you used current signatures, what the actual message was and the result of verifying these files with your package manager.
 
Old 01-23-2009, 08:15 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
I'm willing to bet you've got heuristic scanning enabled in AVG, and that disabling it would cause the infection warning to vanish (which would provide near certainty that this is a false positive). But regardless of whether that's the case or not, you should have your package manager verify the files (as suggested by unSpawn). BTW, if I was you I'd boot a live CD, mount the drive read-only, and then get a sha1sum of the two files in order to compare with the sha1sum of the ones in the original package, which I presume is this one (I'm not sure).

Last edited by win32sux; 01-23-2009 at 08:22 PM.
 
Old 01-24-2009, 05:07 PM   #4
yaarappa
Member
 
Registered: Aug 2008
Location: Cumbria, UK
Distribution: OpenSuse 11
Posts: 148

Original Poster
Rep: Reputation: 16
Still the same message

Hi, Thank you guys for your messages.

I disabled the Heuristic analysis and scanned again but received the same error message, which is "Virus found downloader.Obfuskated" against these two files.

I am fairly new to Linux. I do not know how to compare files. When I looked at the files from my hard drive and the link that you sent me, the only difference I see is the file size.

scsi_transport_fc.ko: 92.6KB on my PC, 56.9KB at the link
scsi_mod.ko: 293.2KB on my PC, 191.1KB at the link

Now this may be because the link you sent me is i586 and my PC is different, I assume it is x86_64. If there is a way I can confirm this please tell me?

Also how do I check the file on the installation DVD?

Pardon my ignorance!

Thank you in advance for your help with this matter
 
Old 01-24-2009, 05:20 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by yaarappa
Hi, Thank you guys for your messages.

I disabled the Heuristic analysis and scanned again but received the same error message, which is "Virus found downloader.Obfuskated" against these two files.

I am fairly new to Linux. I do not know how to compare files. When I looked at the files from my hard drive and the link that you sent me, the only difference I see is the file size.

scsi_transport_fc.ko: 92.6KB on my PC, 56.9KB at the link
scsi_mod.ko: 293.2KB on my PC, 191.1KB at the link

Now this may be because the link you sent me is i586 and my PC is different, I assume it is x86_64. If there is a way I can confirm this please tell me?
You can download the x86_64 equivalent here.

To use sha1sum to check whether two files are exactly the same you do a:
Code:
sha1sum example.txt
This example would give you the SHA1 checksum for the example.txt file.

BTW, everything I've seen after googling that virus name indicates this is a 100% Windows virus, which makes it even more likely this is a false positive. In any case, you're definitely not the only one seeing AVG display this behavior on Linux. I'm guessing there's something about the SCSI code which makes it look like that virus. But do the checksum to be sure, of course.

Last edited by win32sux; 01-24-2009 at 05:29 PM.
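The checksum comparison win32sux describes, written out as a small script. This is an added example and not code from the thread: it builds a SHA-1 manifest from the pristine package copies, verifies the installed modules against it with `sha1sum -c`, and first checks that the installed module path belongs to the same kernel version as the package, since sums of two different kernel builds will always differ. The directory names, the `sha1tool` fallback and the sample file contents are constructed for the demo; for real use the package directory would be the RPM contents extracted with `rpm2cpio` and `cpio`.

```shell
#!/bin/sh
# Added example, not from the thread: check installed kernel modules against
# SHA-1 sums of the pristine copies from the distribution package, and refuse
# to compare copies that belong to different kernel versions. Constructed
# sample files are used so this runs offline; in real use PKG_DIR would hold
# the package contents from: rpm2cpio kernel-default-<ver>.rpm | cpio -idm

# Prefer coreutils sha1sum; fall back to perl's shasum where it is absent.
sha1tool() {
    if command -v sha1sum >/dev/null 2>&1; then sha1sum "$@"; else shasum -a 1 "$@"; fi
}

# Kernel version component of a module path, e.g. 2.6.25.20-0.1-default.
module_kver() {
    case "$1" in
        /lib/modules/*) printf '%s\n' "${1#/lib/modules/}" | cut -d/ -f1 ;;
        *) return 1 ;;
    esac
}

# True only if the installed module path belongs to kernel version $2.
same_kernel() { [ "$(module_kver "$1")" = "$2" ]; }

# Build a manifest from the package's *.ko in $1, then verify the copies in $2.
# Prints one OK/FAILED line per file; returns non-zero if any sum differs.
verify_modules() {
    manifest=$(mktemp) || return 2
    ( cd "$1" && sha1tool ./*.ko ) > "$manifest" || { rm -f "$manifest"; return 2; }
    rc=0
    ( cd "$2" && sha1tool -c "$manifest" ) || rc=$?
    rm -f "$manifest"
    return $rc
}

# --- constructed demo data: placeholder bytes, not real module contents ---
DEMO=$(mktemp -d)
DEMO_PKG=$DEMO/pkg   # stands in for the extracted package directory
DEMO_SYS=$DEMO/sys   # stands in for /lib/modules/<ver>/kernel/drivers/scsi
mkdir -p "$DEMO_PKG" "$DEMO_SYS"
printf 'pristine scsi_mod\n'          > "$DEMO_PKG/scsi_mod.ko"
printf 'pristine scsi_transport_fc\n' > "$DEMO_PKG/scsi_transport_fc.ko"
cp "$DEMO_PKG/scsi_mod.ko" "$DEMO_SYS/scsi_mod.ko"
printf 'tampered scsi_transport_fc\n' > "$DEMO_SYS/scsi_transport_fc.ko"

verify_modules "$DEMO_PKG" "$DEMO_SYS" \
    || echo "at least one installed module differs from the package copy"
```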
 
Old 01-25-2009, 04:46 PM   #6
yaarappa
Member
 
Registered: Aug 2008
Location: Cumbria, UK
Distribution: OpenSuse 11
Posts: 148

Original Poster
Rep: Reputation: 16
Hi,

Thank you for your insights. I am a bit more peaceful now. Seems like a Windows virus.

How do I do the sha1sum test? Do I type this in the GNOME terminal or elsewhere?

Also do you know of any virus scanners that would work on Suse 11?

Cheers,
 
Old 01-25-2009, 05:41 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by yaarappa
Hi,

Thank you for your insights. I am a bit more peaceful now. Seems like a Windows virus.

How do I do the sha1sum test? Do I type this in the GNOME terminal or elsewhere?

Also do you know of any virus scanners that would work on Suse 11?

Cheers,
You should verify the integrity of those files before declaring peace!

Yes, you can use GNOME terminal (or any other terminal emulator).

The only antivirus I use is ClamAV (it works on any distro, and it's free (as in freedom), which is important to me). Unlike you, I don't use it to scan the system - I just scan files I download (or that people give me) before using them. For making sure my system's integrity hasn't been compromised I instead rely on a HIDS (Tripwire in my particular case).

Last edited by win32sux; 01-25-2009 at 06:12 PM.
 
Old 01-25-2009, 05:47 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
(BTW, you shouldn't have to use sha1sum, if the kernel installed (run 'rpm -q kernel') for example returns "kernel-default-2.6.25" you should be able to verify the package contents by running 'rpm -qVv kernel-default-2.6.25'.)
 
Old 01-26-2009, 05:25 PM   #9
yaarappa
Member
 
Registered: Aug 2008
Location: Cumbria, UK
Distribution: OpenSuse 11
Posts: 148

Original Poster
Rep: Reputation: 16

Quote:
Originally Posted by win32sux
You should verify the integrity of those files before declaring peace!

Yes, you can use GNOME terminal (or any other terminal emulator).

The only antivirus I use is ClamAV (it works on any distro, and it's free (as in freedom), which is important to me). Unlike you, I don't use it to scan the system - I just scan files I download (or that people give me) before using them. For making sure my system's integrity hasn't been compromised I instead rely on a HIDS (Tripwire in my particular case).
I used the GNOME terminal and this is the result. On my PC:
5d2b4589a01282df406ae4971ddbdcf192d795db - scsi_transport_fc.ko
ddcfb05f56380bfb76e30ba700cd0f2cafd8e67d - scsi_mod.ko

I do not know how to test the kernel I downloaded using the link you provided, so I copied only the two files I needed to compare to a temporary directory and did the sha1sum test. The result:
b770ba73bec92822e25ec0dd02ad2d8972a278fe - scsi_mod.ko
3f40c7f3c7d6c58e3ac8083e425536df21b413d3 - scsi_transport_fc.ko

I do not know what to make of this. I also ran AVG to check the temporary directory where I copied the two files and it came up as infected.

One more change I noticed was the directory.
Previously it was -
/lib/modules/2.6.25.18-0.2-default/kernel/drivers/scsi/scsi_mod.ko
/lib/modules/2.6.25.18-0.2-default/kernel/drivers/scsi/scsi_transport_fc.ko

Now
/lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/scsi_mod.ko
/lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/scsi_transport_fc.ko

I have ClamAV. I checked the files with that and it seems fine. But I was told to use it only to scan Windows files. Since I don't have Windows I never used it.

How do I obtain a HIDS tool?

Also as unSpawn said I ran both (run 'rpm -q kernel') and ('rpm -qVv kernel-default-2.6.25'.) it did not yield any results.

Sorry this is so long. Hope you can shed some light on this.

Cheers,
 
Old 01-26-2009, 07:07 PM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by yaarappa
One more change I noticed was the directory.
Previously it was -
/lib/modules/2.6.25.18-0.2-default/kernel/drivers/scsi/scsi_mod.ko
/lib/modules/2.6.25.18-0.2-default/kernel/drivers/scsi/scsi_transport_fc.ko

Now
/lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/scsi_mod.ko
/lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/scsi_transport_fc.ko
Sounds like your kernel package was upgraded.

The directory containing the files I linked shows this new version of yours is indeed the current latest.

Quote:
I have ClamAV. I checked the files with that and it seems fine. But I was told to use it only to scan Windows files. Since I don't have Windows I never used it.
I don't have Windows either.

Quote:
How do I obtain a HIDS tool?
You can start by looking in your distro's repositories for packages like AIDE or Tripwire. I suggest you take your time reading a HOWTO before installing it, though. Also, keep in mind that installing a HIDS after a system has been exposed won't ever provide you with the same levels of assurance that installing it right after a fresh system install would.

Quote:
Also as unSpawn said I ran both (run 'rpm -q kernel') and ('rpm -qVv kernel-default-2.6.25'.) it did not yield any results
I don't use RPM, but according to this, that would mean you're good to go:
Quote:
When verifying a package, RPM produces output only if there is a verification failure.

Last edited by win32sux; 01-26-2009 at 07:10 PM.
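A way to read the `rpm -qVv` output unSpawn suggested, as an added example that is not from the thread. RPM prints one line per file with a flag string in front (a dot in each position means that attribute matched the package), and without `-v` only failing files are listed, which is why an empty result is a pass. The function below sorts those lines into content changes (size or digest differ, the case that matters for a kernel module), missing files, and metadata-only changes such as a new mtime. The sample output is constructed for the demo and is not real RPM output.

```shell
#!/bin/sh
# Added example, not from the thread: triage the lines printed by
#   rpm -qVv kernel-default-<version>
# Each line starts with a flag string (9 characters on current rpm, 8 on
# older ones) where '.' means "passed". 'S' = size differs, '5' = digest
# differs, 'T' = mtime differs; "missing" means the file is gone. Without
# -v, rpm prints only failing files, so no output means the package verified.
# The sample below is constructed; it is not real rpm output.

# Read rpm -V style lines on stdin; print "<class> <path>" for every line
# that is not a clean pass. Paths are taken as the last field, which is
# fine for kernel modules (no spaces in their paths).
triage_rpm_verify() {
    awk '
        NF == 0 { next }
        $1 == "missing" { print "missing " $NF; next }
        $1 ~ /[S5]/     { print "content " $NF; next }   # bytes differ: investigate
        $1 ~ /^\.+$/    { next }                          # all dots: verified clean
        { print "metadata " $NF }                         # mtime, mode, owner etc.
    '
}

# Constructed sample of what rpm -qVv might print for a kernel package.
SAMPLE_RPM_V='.........    /lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/scsi_mod.ko
S.5....T.    /lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/scsi_transport_fc.ko
.......T.    /boot/System.map-2.6.25.20-0.1-default
missing      /lib/modules/2.6.25.20-0.1-default/kernel/drivers/scsi/sg.ko
.........    /boot/vmlinuz-2.6.25.20-0.1-default'

# Number of files whose content differs from the package (the alarming case).
content_changes() {
    printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify | grep -c '^content '
}

printf '%s\n' "$SAMPLE_RPM_V" | triage_rpm_verify
echo "files with changed content: $(content_changes)"
```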
 
Old 01-27-2009, 12:40 PM   #11
yaarappa
Member
 
Registered: Aug 2008
Location: Cumbria, UK
Distribution: OpenSuse 11
Posts: 148

Original Poster
Rep: Reputation: 16
Hi,

Thank you again for your inputs. I take it as the files are clean then?

I found AIDE in YaST2. I will do some reading to find out what I should do before installing.

Cheers
 
  

