[clamav-users] ClamAV detects XMR-Stak as malicious. Is this a false positive?
Al Varnell
alvarnell at mac.com
Fri Nov 19 08:48:28 UTC 2021
I suspect that it's because there are several instances of malicious software that install xmr-stak unknowingly to the user who then become a miner bot for a cybercriminal.
If I were you I would just put it in a clamav.fp file so it will ignore your installation while still identifying any other instance that showed up.
Sent from my iPad
-Al-
ClamXAV User
> On Nov 18, 2021, at 23:23, happysmash27 via clamav-users <clamav-users at lists.clamav.net> wrote:
>
> I decided to scan my entire /usr/ folder recently, as I heard about a malicious package in NPM and wanted to be extra sure nothing got into my system. I was slightly shocked when it finished, and it said there was 1 infected file. Unfortunately it did not list exactly what that infected file was, so I ran it again this time logging to a file and grepped that file for "FOUND", and the result was:
>
> /usr/bin/xmr-stak: Multios.Coinminer.Miner-6781728-2 FOUND
>
> But... XMR-Stak is _supposed_ to be a crypto miner. That is what it does. I installed it for that purpose, compiling it from source since I am on Gentoo.
>
> So... is this a false positive then? Or is this saying something else, like, that my version of XMR-Stak has malicious code to mine on some bad actor's pool instead of the one I tell it to mine in?
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clamav.net/pipermail/clamav-users/attachments/20211119/a41c3c1a/attachment.htm>
More information about the clamav-users
mailing list