> > Chris,
> >
> > You are correct about a converted, but not yet remounted filesystem. I was
> > basing my response on an assumption that the system had been originally
> > created with EXT3 (not upgraded from EXT2), and/or that the system had been
> > rebooted at least once since the journalling was installed. Your "converted
> > but not yet remounted" scenario was one I hadn't considered.
> >
> Maybe the mount is not so correct, from an earlier ext2. But why
> was the virus found? Is it a false positive?
>
> An online virus scan is not possible with this server.

Assuming the journal was properly created on an existing EXT2 filesystem and then the filesystems MOUNTED AS EXT3, then the contents of the journal should contain nothing but journaling data. Initially, there is always the potential for the journal to occupy disk sectors that previously contained an infected file, but those sectors would eventually have been overwritten with journal data. The sample "hits" provided earlier in this thread showed that the "file" contained different viruses, on different days.

In either case, viruses are not likely to infect the journal, IF the journal is being properly used (by properly mounting the filesystem as EXT3), and unless the virus were specifically written to be Linux EXT3 journal-aware, should never even know about the existence of the journal. Likewise, clam should not even be EXT3 journal-aware.

When in doubt:

1. unmount the filesystem
2. remount it as EXT2
3. blow away the existing journal (it should be visible as a file, when the fs is mounted as EXT2)
4. use "mke2fs -j /device" to recreate a new journal
5. do an "ls -al .journal" to confirm the new journal exists
6. remount the filesystem as type EXT3
7. repeat the "ls -al .journal" - you should NOT see the journal file! (clam shouldn't see it, either!)
8. confirm that your /etc/fstab file is correct
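
An added example, not part of the original message: a shell check for the "converted but not yet remounted" condition discussed in this thread, where a `.journal` file is visible at the root of a filesystem mounted as ext2, or where the mounted type disagrees with `/etc/fstab`. The function names `find_exposed_journals` and `demo`, the output labels, and the sample mount and fstab entries are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reports ext2/ext3 filesystems whose journal is exposed as a
# regular file, or whose mounted type differs from the fstab entry.
# Usage on a live host: find_exposed_journals /proc/mounts /etc/fstab
find_exposed_journals() {
    mounts_file=$1
    fstab_file=${2:-}
    # /proc/mounts fields: device mountpoint fstype options dump pass
    while read -r dev mnt fstype _rest; do
        case $fstype in ext2|ext3) ;; *) continue ;; esac
        # Mounted as ext2, the journal is an ordinary file a scanner can open.
        if [ "$fstype" = ext2 ] && [ -f "$mnt/.journal" ]; then
            printf 'EXPOSED %s %s\n' "$mnt" "$dev"
        fi
        [ -n "$fstab_file" ] && [ -r "$fstab_file" ] || continue
        # Look up the type fstab declares for this mount point.
        want=$(awk -v m="$mnt" '$1 !~ /^#/ && $2 == m { print $3; exit }' "$fstab_file")
        if [ -n "$want" ] && [ "$want" != auto ] && [ "$want" != "$fstype" ]; then
            printf 'MISMATCH %s fstab=%s mounted=%s\n' "$mnt" "$want" "$fstype"
        fi
    done < "$mounts_file"
    return 0
}

# Constructed sample: /data was converted but is still mounted as ext2.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/data" "$tmp/home"
    : > "$tmp/data/.journal"
    printf '%s\n' "/dev/sda1 $tmp/data ext2 rw 0 0" \
                  "/dev/sda2 $tmp/home ext3 rw 0 0" \
                  "proc /proc proc rw 0 0" > "$tmp/mounts"
    printf '%s\n' "# constructed fstab" \
                  "/dev/sda1 $tmp/data ext3 defaults 1 2" \
                  "/dev/sda2 $tmp/home ext3 defaults 1 2" > "$tmp/fstab"
    find_exposed_journals "$tmp/mounts" "$tmp/fstab"
    rm -rf "$tmp"
}

demo
```

An `EXPOSED` line identifies a path that an on-access or scheduled scan will read as an ordinary file, which is where stale sector contents can produce hits like the ones reported in this thread.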
