On 11/4/10 9:06 PM, "Al Varnell" <[email protected]> wrote:
>>> [18:22:47] Info: Starting test name 'running_procs'
>>> [18:25:42] Checking running processes for suspicious files [ Warning ]
>>> [18:25:43] Warning: The following processes are using suspicious files:
>>> [18:25:44] Command: launchd
>>> [18:25:45] UID: 0 PID: 1
>>> [18:25:46] Pathname: /private/etc/crontab
>>> [18:25:47] Possible Rootkit: Unknown rootkit
>>>
>> I suspect this is a false-positive. RKH just happened to catch launchd
>> using crontab. On my Linux box it is probably possible for RKH to catch
>> 'crond' catching the same crontab file. If you re-run RKH the warning
>> may well have disappeared.
>>
> I think this is the only thing I haven't been able to figure out. I don't
> understand why launchd is connected with /private/etc/crontab at all. launchd
> does launch cron at startup and obviously cron would be looking at this.
> What's more, this file is totally blank...zero length with no resource fork.
> cron is not normally used by OSX any more, although some third party software
> I have tried out continues to do so. I have tried a couple of them, but all
> have been uninstalled. I'll keep my eye on it.
>

So I've checked this several times since and it still shows up. Tonight I
downloaded your latest candidate and there has been no change. The file
/private/etc/crontab was placed there on the date/time the system was installed
and has been modified a couple of times by some third party software that
insists on using cron, but all have since been removed. It was last opened at
reboot, about twenty-four hours ago, apparently by launchd. Any more ideas?

>>> [19:03:56] Checking for hidden files and directories [ Warning ]
>>> [19:03:57] Warning: Hidden file found: /etc/.DS_Store: JVT NAL sequence
>> While trusting searches on *file name only* are bad, dot-file names
>> do cause false positives often. This one by name seems to contain
>> metadata information, so if inspection confirms that it could be
>> white-listed.
>>
> You are correct. There is potentially an invisible .DS_Store file in each
> directory. It does contain metadata for Finder about how the directory is
> displayed, etc. I'm just not sure why it's picking on this one and what "JVT
> NAL" has to do with it. This is the only other open question I have.

I've tried removing the file, but it regenerates itself as soon as I open the
directory in a Finder window. Google tells me that JVT NAL has something to do
with a video sequence??? I can certainly try whitelisting, but that currently
includes 3267 files on my hard drive.

-Al-
--
Al Varnell
Mountain View, CA
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
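The two warnings in this thread are both best settled by inspecting the flagged file's content rather than its name. The script below is an added example (not part of the thread, and not rkhunter's own code) that does that for the two cases: it reads the first bytes of a flagged hidden file and tells a Finder .DS_Store header (the documented layout: a 4-byte alignment word 0x00000001 followed by the ASCII magic "Bud1") apart from a genuine H.264 stream, and it counts the job lines in a crontab so a zero-length file can be confirmed to schedule nothing. The `prefix_only_type` function is an assumption about why the scanner printed "JVT NAL sequence": the same four leading bytes 00 00 00 01 are the Annex B start code of an H.264 (JVT) NAL unit, so a magic rule keyed on that prefix alone labels Finder metadata as video. The sample files it writes to a temporary directory are constructed fixtures, not copies of anything on the poster's machine.

```python
import os
import tempfile

# Public on-disk layout of .DS_Store: alignment word 0x00000001, then "Bud1".
# The first four bytes coincide with the H.264 Annex B start code, which is
# the assumed reason a prefix-only magic rule reports "JVT NAL sequence".
DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"
NAL_START_CODE = b"\x00\x00\x00\x01"


def prefix_only_type(head: bytes) -> str:
    """Assumed behaviour of a magic rule that keys on the 4-byte prefix alone."""
    return "JVT NAL sequence" if head.startswith(NAL_START_CODE) else "data"


def content_type(head: bytes) -> str:
    """Check the longest, most specific signature first so .DS_Store wins."""
    if not head:
        return "empty"
    if head.startswith(DS_STORE_MAGIC):
        return "Finder .DS_Store metadata"
    if head.startswith(NAL_START_CODE):
        return "H.264 NAL unit stream"
    return "data"


def count_cron_jobs_text(text: str) -> int:
    """Count job lines in crontab text: skip blanks, comments and VAR=value lines."""
    jobs = 0
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if "=" in s.split(None, 1)[0]:  # environment assignment such as SHELL=/bin/sh
            continue
        jobs += 1
    return jobs


def count_cron_jobs(path: str) -> int:
    with open(path, "r", errors="replace") as fh:
        return count_cron_jobs_text(fh.read())


def triage_hidden_file(path: str) -> dict:
    """Classify a flagged file by its bytes (and, for a crontab, its job lines)."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(len(DS_STORE_MAGIC))
    ctype = content_type(head)
    name = os.path.basename(path)
    jobs = None
    if name == ".DS_Store" and ctype == "Finder .DS_Store metadata":
        verdict = "allowlist-candidate"      # benign Finder metadata, list this path only
    elif name == "crontab":
        jobs = count_cron_jobs(path)
        verdict = "empty-crontab" if jobs == 0 else "review-crontab"
    else:
        verdict = "review"
    return {"path": path, "size": size, "content_type": ctype,
            "prefix_only_label": prefix_only_type(head), "jobs": jobs,
            "verdict": verdict}


def make_samples(root: str) -> dict:
    """Constructed fixtures: a .DS_Store header plus padding, and an empty crontab."""
    ds = os.path.join(root, ".DS_Store")
    with open(ds, "wb") as fh:
        fh.write(DS_STORE_MAGIC + b"\x00" * 24)
    ct = os.path.join(root, "crontab")
    open(ct, "wb").close()               # zero-length, like the file in the thread
    return {"ds_store": ds, "crontab": ct}


def run_demo() -> dict:
    """Triage both constructed samples and return the results keyed by sample name."""
    with tempfile.TemporaryDirectory() as root:
        return {k: triage_hidden_file(p) for k, p in make_samples(root).items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Because the verdict is tied to both the file name and the "Bud1" signature, a .DS_Store that has been overwritten with other content (or an H.264 file dropped under that name) still comes back as "review". For the allow list itself, rkhunter's configuration accepts per-path hidden-file exceptions (the `ALLOWHIDDENFILE` directive in rkhunter.conf), so a confirmed /etc/.DS_Store can be listed on its own instead of exempting all 3267 hidden files.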
