[clamav-users] How to determine false-v-real FOUND

[G.W. Haywood]

Hi there,

On Thu, 9 Feb 2017, Brad Scalio wrote:

> Clamscan found a PE "visor.exe.svn-base" ... Win.Trojan.Agent-793284 FOUND.
> ...
> 11 of 56 scanners detect a signature, however the file in question is on a
> linux system, and hasn't been touched since 2010, and so I am not too
> worried as ...

It would have helped to know what you think this file is, and where.

On points of order, firstly, how do you know that the file hasn't been
touched since 2010?  If you just looked at the output of 'ls' that
doesn't tell you as much as you might think it does.  If I were going
to compromise a Linux box, I'd take great care to hide what I'd done.
Amongst other things I'd save the 'last access', 'last modification'
and other information about any files that I intended to modify, and
afterwards change the timestamps back to what they were before I did
my dirty work on them.  However there are tools like 'Tripwire' which
will actually read all the files on the machine and store a protected
database of information about them, so that you can say for sure if a
file has or has not been tampered with.  Secondly, do you know what
the file is doing there?  If it's something that a 'customer' (however
you define 'customer') has put there, is this customer either abusing
your services or perhaps even at risk from them?  Don't be complacent.
On the other hand, be rational.  I haven't seen a compromised Linux
box since the 20th century, although I might need to get out more.

> it's a homogeneous local LAN of all linux systems, it's just the
> first time we've ran a clamscan on this box.

If you think there's any risk, there are many more useful things you
might do on Linux boxes than installing ClamAV, such as installing a
few tools (if they aren't there already), like 'iptables', 'tcpdump',
'ntop', and 'p0f'.  And 'Tripwire' of course, and maybe 'rkhunter'.
Take a keen interest in your network traffic.  Monitor it for changes
in patterns, unusual traffic, traffic from unusual locations, etc.
Take a keen interest in firewall configurations.  Review them often.
Keep logs.  Look at them.  I spend probably ten percent of my working
day looking at traffic logs.  Some box in Romania tried to get into
one of my networks 195 times today until I tarpitted it:

iptables -A dynamic_tarpit -j TARPIT -p tcp -s 89.46.82.78 # extremely persistent blood sucker

> Is there a way, or an online tutorial, or some other information to
> decompose the signature and the file easily to determine if it's a false
> positive or not?  I realize this is a complete science ...

It depends very much (*) on what the file is and where it is, but I'm
guessing that unless you're storing data for Windows users there's not
much chance that it's anything other than false positive.  Rather than
being left where it is, I guess that the file could probably have been
moved to a 'quarantine' location, with little or no adverse impact,
until you've investigated.  But see (*) above once again.

> but I am looking for a way for our tier 0 folks to quickly discern
> if they need to wake up the whole enterprise at 3am in the future.

They likely don't need to do that unless there's been an earthquake.

You need to train the people who will be monitoring your systems how to
react to what they find.  They certainly don't need to do call 911 for
anything that ClamAV finds on a Linux box.  If you exercise reasonable
care, you can probably forget about scanning Linux systems with ClamAV
unless you're using the systems to store data from Windows boxes, and
in that case you'll need a lot more than just ClamAV.  In my experience
ClamAV is only marginally useful for scanning Windows files and useless
for scanning Linux boxes.

-- 

73,
Ged.