[clamav-users] ClamAV Scan results

Joel Esler (jesler) jesler at cisco.com
Fri Jan 4 07:47:46 EST 2019


Likely not.  I would bet that there are some poorly written yara sigs in your environment.  

Sent from my iPhone

> On Jan 4, 2019, at 07:28, Kaushal Shriyan <kaushalshriyan at gmail.com> wrote:
> 
> Hi,
> 
> I have the below details 
> 
> [root@ clamav]# clamscan --version
> ClamAV 0.100.2/25267/Fri Jan  4 06:17:25 2019
> [root@ clamav]# rpm -qa | grep clamav
> clamav-filesystem-0.100.2-2.el7.noarch
> clamav-update-0.100.2-2.el7.x86_64
> clamav-0.100.2-2.el7.x86_64
> clamav-lib-0.100.2-2.el7.x86_64
> [root@ clamav]# cat /etc/redhat-release
> CentOS Linux release 7.3.1611 (Core)
> [root@ clamav]# freshclam
> ClamAV update process started at Fri Jan  4 12:25:08 2019
> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
> daily.cld is up to date (version: 25267, sigs: 2197794, f-level: 63, builder: raynman)
> bytecode.cld is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
> [root@ clamav]#
> 
> When I am running clamscan:
> 
> #clamscan --infected --recursive /
> /var/lib/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
> /var/lib/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
> /var/lib/clamav/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
> 
> [root@ clamav]# pwd
> /var/lib/clamav
> [root@ clamav]# ls -ltrh
> total 268M
> -rw-r--r--. 1 clamupdate clamupdate 113M Dec 13 02:31 main.cvd
> -rw-r--r--. 1 clamupdate clamupdate 990K Jan  2 18:00 bytecode.cld
> -rw-r--r--. 1 root       root       441K Jan  4 03:52 rfxn.ndb
> -rw-r--r--. 1 root       root       828K Jan  4 03:52 rfxn.hdb
> -rw-r--r--. 1 root       root       400K Jan  4 03:52 rfxn.yara
> -rw-r--r--. 1 clamupdate clamupdate 153M Jan  4 09:00 daily.cld
> -rw-------. 1 clamupdate clamupdate  520 Jan  4 12:21 mirrors.dat
> [root@ clamav]#
> 
> Is the CentOS Linux release 7.3.1611 (Core) server infected with malware? Please suggest. Thanks in advance.
> 
> Best Regards,
> 
> Kaushal
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
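The three hits in the thread are all files inside `/var/lib/clamav` itself: the third-party `rfxn.*` databases contain the very byte patterns and YARA rules that other signatures look for, so a recursive scan of `/` that walks into the signature directory flags the databases, not an infection. The following POSIX shell helper is an added example (not code from the thread, ClamAV or the rfxn project): it takes `clamscan --infected` output and separates hits whose path lies under the signature directory ("selfmatch") from hits elsewhere that actually need review. The sample lines are constructed from the post's output plus one invented `/tmp` hit for contrast; `SIGDB_DIR`, `triage_hits`, `count_review` and `count_selfmatch` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample of clamscan --infected output. The first three lines are
# the paths and signature names from the thread; the /tmp line is an invented,
# clearly labelled hit outside the database directory, added for contrast.
SAMPLE_SCAN_OUTPUT='/var/lib/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND
/tmp/example-upload.php: Example.Constructed.Hit.UNOFFICIAL FOUND'

# Directory holding the signature databases (the EL7 default shown in the post).
SIGDB_DIR=/var/lib/clamav

# triage_hits: read "path: SIGNATURE FOUND" lines on stdin and emit one line per
# hit as "<class> <path> <signature>", where class is
#   selfmatch - the flagged file lives inside the signature database directory
#               (one signature file matched by another signature; this is the
#               pattern in the thread and is not evidence of infection)
#   review    - any other path; needs a real look
triage_hits() {
    while IFS= read -r line; do
        case "$line" in
            *" FOUND") ;;      # keep only detection lines
            *) continue ;;
        esac
        path=${line%%: *}     # everything before the first ": "
        rest=${line#*: }      # "SIGNATURE FOUND"
        sig=${rest% FOUND}
        case "$path" in
            "$SIGDB_DIR"/*) printf 'selfmatch %s %s\n' "$path" "$sig" ;;
            *)              printf 'review %s %s\n' "$path" "$sig" ;;
        esac
    done
}

# count_review: number of hits outside the signature directory (the ones that matter).
count_review() {
    printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | triage_hits | grep -c '^review '
}

# count_selfmatch: number of hits that are just signature files matching each other.
count_selfmatch() {
    printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | triage_hits | grep -c '^selfmatch '
}

# Against a live system, skip the database directory at scan time instead of
# filtering afterwards; clamscan's --exclude-dir=REGEX option is a real option,
# the pipe into triage_hits is this example's addition:
#   clamscan --infected --recursive --exclude-dir='^/var/lib/clamav' / | triage_hits
printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | triage_hits
```

Excluding `/var/lib/clamav` removes the self-matches but does not make the underlying signature quality any better; if a third-party rule set fires on ClamAV's own databases, expect it to generate noise on other benign files too, so hits from `.UNOFFICIAL` signatures deserve the same confirmation step (inspect the file, re-scan with official signatures only) before calling a host infected.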