Hi there, On Fri, 22 Jan 2010 Jon Bendtsen wrote:
> I have some files that ClamAV suddenly started reporting as a
> Trojan. The files are unchanged since about a year ago, but I scan
> the files weekly regardless.

This is not a terribly efficient (nor even effective) way of doing what I think you want to do, and my guess is that you don't really know if the files have been changed in the past year or not anyway. The operating system has a timestamp for each file. All you're seeing is the timestamp, which isn't even part of the file. Using the right tools, the file can be changed without changing the timestamp, and vice versa. Malicious software often manipulates file metadata in order to hide its activities, or to make eradication more difficult.

Look into something like Tripwire for files that you do not expect to change, such as system binaries.

Consider switching to Linux - assuming that you're using Windows. If you aren't using Windows, I don't think you need to worry very much about anything with 'Win32' in the name. :)

> I have rescanned the files using virustotal.com, and I get other "positive
> hits" from
> Antiy-AVL 2.0.3.7 2010.01.20
> Trojan/Win32.Shutdowner.gen
>
> for all the files that ClamAV says are the trojan above.

Make sure that different virus scanning engines give positive results on any given file. Then start to worry. Look into the activities of the virus as reported by the anti-virus software suppliers and see if you can match what you're seeing with what they say.

> How do I KNOW FOR SURE, if it is a real positive or just a false
> positive?

If by writing it in capitals you mean 100% sure, then you can very rarely be as sure as that. But you can get pretty close. You need to plan ahead. For example, when the system is in a state you know to be good, before you put it at risk, you can make a copy of all the files you might worry about and save them somewhere safe. That means you can compare the files later, and if you have a damaged file you can replace it with the original.

Or you can make a list of the md5sums of all the files in the system. The advantage is that it doesn't need so much storage space as keeping copies of the original files, but the disadvantage is that you can't recover the file from its md5sum. This is the sort of thing that Tripwire does. Keep the list safe, so that later on you can compare the md5sum of any file with the saved value. If the file has changed, the md5sum will change too. You may then feel that it is suspect. Naturally some files can be expected to change, but many system files will not change until you update the system. Many will not change even then. If a file changes when it's not supposed to change, then malicious software may be responsible, but there are plenty of other possible reasons; for example, once upon a time hardware manufacturers often shipped old copies of system utilities with their installation software, although I don't know how common that is now.

> how do I get ClamAV to stop reporting it? And not just my own
> installation, but your installation as well.

Read the man page and use the exclusion facilities. You don't need to worry about my installation. Nor do I. :)

--
73, Ged.
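As an added example, not part of the thread or of Tripwire, here is a small Python script that does what Ged describes: record a baseline of digests for a directory tree, keep it somewhere safe, and compare later. It also demonstrates his timestamp point with a constructed scenario: a file whose contents are altered and whose old mtime is put back looks untouched to a timestamp comparison but not to the digest comparison. The default digest is sha256 rather than the md5sum mentioned in the thread (an editorial choice, since MD5 collisions are cheap to produce); pass `algo="md5"` to match the thread exactly.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_digest(path, algo="sha256"):
    """Hash a file in chunks. The thread talks about md5sum; sha256 is the
    default here (editorial choice) because MD5 collisions are cheap."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, algo="sha256"):
    """Map relative path -> (mtime_ns, digest) for every regular file under root.
    Store the result somewhere the monitored system cannot write to."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): (p.stat().st_mtime_ns, file_digest(p, algo))
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline, current):
    """Report added/removed files and, for files in both, whether the digest
    or the timestamp differs. Only the digest check reliably sees content changes."""
    common = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed_hash": sorted(p for p in common if baseline[p][1] != current[p][1]),
        "changed_mtime": sorted(p for p in common if baseline[p][0] != current[p][0]),
    }

def demo():
    """Constructed scenario: a file's contents are altered and its old
    timestamp put back, so a timestamp comparison sees nothing."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        tool = root / "bin" / "tool.exe"
        tool.write_bytes(b"original program bytes")
        (root / "readme.txt").write_text("unchanged")
        before = build_baseline(root)          # the "saved list" Ged describes
        st = tool.stat()
        tool.write_bytes(b"original program bytes plus injected bytes")
        os.utime(tool, ns=(st.st_atime_ns, st.st_mtime_ns))  # timestamp restored
        (root / "new.dll").write_bytes(b"dropped file")      # a file that appeared
        return compare(before, build_baseline(root))

if __name__ == "__main__": print(demo())
```

Running it reports `bin/tool.exe` under `changed_hash` but nothing under `changed_mtime`, which is exactly why a saved timestamp tells you nothing while a saved digest does.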
