[clamav-users] ClamAV Scan results

Micah Snyder (micasnyd) micasnyd at cisco.com
Fri Jan 4 09:27:19 EST 2019


Yara rules are generally plain-text, meaning that if you scan a Yara rule file using that Yara rule, it may very well alert on itself. If you're going to use yara rules, you don't want to scan your database directory.  Doesn't mean it's necessarily a poorly written Yara rule, only that self-alerting is typical of Yara rules.

ClamAV's own signature formats (.ndb, .ldb, .hdb, etc) are written in hexadecimal instead, which avoids this problem (but is a lot more cumbersome to work with).  I'm not familiar with the "rfxn" signature databases you have, so I don't know what's in there or why their yara rule is also alerting on their ndb and hdb database files.  Either way, no - your server is not infected.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
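To illustrate the point above about plain-text rules matching their own file, here is an added Python example (not from this thread, and not ClamAV's or rfxn's code). The YARA rule and the .ndb line are constructed for the example; the tiny substring check stands in for the real scan engine and does not handle ClamAV hex wildcards.

```python
"""Added example: why a plain-text YARA rule file can alert on itself,
while a ClamAV .ndb signature (hex-encoded) does not contain its own match.
Both inputs below are constructed for illustration, not real rfxn content."""
import re

# Constructed YARA rule. Its match string is stored as literal text,
# so the rule file itself contains the bytes the rule looks for.
YARA_RULE = r'''
rule Example_PHP_Marker
{
    strings:
        $s1 = "eval(gzinflate(base64_decode("
    condition:
        $s1
}
'''

# Constructed .ndb line (Name:TargetType:Offset:HexSignature) for the
# same marker. The pattern is hex-encoded, so the file does not contain it.
NDB_LINE = ("Example.PHP.Marker.UNOFFICIAL:0:*:"
            "6576616c28677a696e666c617465286261736536345f6465636f646528")

def yara_literal_strings(rule_text: str) -> list:
    """Return the double-quoted $name = "..." strings of a YARA rule."""
    return re.findall(r'\$\w+\s*=\s*"((?:[^"\\]|\\.)*)"', rule_text)

def ndb_pattern_bytes(line: str) -> tuple:
    """Decode one .ndb line into (name, raw pattern bytes).
    Limitation of this example: ClamAV hex wildcards (??, *, {n}) are not handled."""
    name, _target, _offset, hexsig = line.strip().split(":", 3)
    return name, bytes.fromhex(hexsig)

def contains_any(data: bytes, needles: list) -> bool:
    """A minimal substring 'scanner' standing in for the real engine."""
    return any(n in data for n in needles)

def yara_rule_alerts_on_itself() -> bool:
    """Scan the YARA rule file with its own strings."""
    needles = [s.encode() for s in yara_literal_strings(YARA_RULE)]
    return contains_any(YARA_RULE.encode(), needles)   # True

def ndb_sig_alerts_on_itself() -> bool:
    """Scan the .ndb file with its own decoded pattern."""
    _, pattern = ndb_pattern_bytes(NDB_LINE)
    return contains_any(NDB_LINE.encode(), [pattern])  # False
```

The same comparison is why the signature directory is best excluded from a whole-filesystem scan rather than treated as a hit.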


On Jan 4, 2019, at 9:00 AM, Tilman Schmidt <tschmidt at cardtech.de> wrote:

Do not run clamscan over your entire filesystem.
It's a bad idea.

In your case clamscan found something looking like a virus in its own
signatures, which is hardly surprising and certainly not a sign of an
infection.

Am 04.01.19 um 13:28 schrieb Kaushal Shriyan:

When I am running clamscan

#clamscan --infected --recursive /
/var/lib/clamav/rfxn.hdb:
YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.ndb:
YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND

[root@ clamav]# pwd
/var/lib/clamav
[root@ clamav]# ls -ltrh
total 268M
-rw-r--r--. 1 clamupdate clamupdate 113M Dec 13 02:31 main.cvd
-rw-r--r--. 1 clamupdate clamupdate 990K Jan  2 18:00 bytecode.cld
-rw-r--r--. 1 root       root       441K Jan  4 03:52 rfxn.ndb
-rw-r--r--. 1 root       root       828K Jan  4 03:52 rfxn.hdb
-rw-r--r--. 1 root       root       400K Jan  4 03:52 rfxn.yara
-rw-r--r--. 1 clamupdate clamupdate 153M Jan  4 09:00 daily.cld
-rw-------. 1 clamupdate clamupdate  520 Jan  4 12:21 mirrors.dat
[root@ clamav]#

Is the CentOS Linux release 7.3.1611 (Core) server infected with
Malware? Please suggest. Thanks in Advance.
