On Tue, Aug 21, 2012 at 6:25 AM, teres vir <[email protected]> wrote:

> Hi,
>
> For me, OSSEC is continuously triggering the following alert message when
> it is doing its daily rootkit checks :
>
> OSSEC HIDS Notification.
> 2012 Aug 19 04:33:47
>
> Received From: (web-agent) 192.168.0.115->rootcheck
> Rule: 510 fired (level 7) -> "Host-based anomaly detection event
> (rootcheck)."
> Portion of the log(s):
>
> Anomaly detected in file '/tmp/clamav-e6d074726ae187561c8cdee65748cc53'.
> Hidden from stats, but showing up on readdir. Possible kernel level
> rootkit.
>
>
>  --END OF NOTIFICATION
>
> The name of the tmp file changes in each alert. Is it a false positive?
> Hoping that it is, any idea what's causing this file to be hidden from
> stats?
>
>
> Thanks in advance,
> Teres
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
>

You should be able to confirm this with the ossec-list, but this is a
fairly common false positive for ossec. It is triggered by files which show
up in a call to readdir but not to a follow-up stat call. Any file that
gets deleted between the two calls can cause this warning. Temp files that
vanish quickly are the culprit here.

What you are seeing are short-lived temp files that ClamAV is using while
unpacking certain file formats. They vanish because clamd will remove them
when they are no longer needed. The default location is /tmp, but you can add
or change the TemporaryDirectory setting in your clamd.conf file to point
to a different directory if you like. Then these files will appear in a
controlled location instead of the /tmp directory, which may make it
clearer that they are truly of no concern.

Dave R.

-- 
---
Dave Raynor
Sourcefire Vulnerability Research Team
[email protected]
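The race Dave describes (an entry returned by readdir() that is gone by the time stat() is called) is easy to reproduce. The script below is an added example, not OSSEC's own rootcheck code and not anything from the ClamAV project; it models the two-step check on a scratch directory, deletes a constructed "clamav-<hex>" file between the two calls to mimic clamd cleaning up, and then re-reads the directory once more to separate a transient deletion from a persistent readdir/stat mismatch. The classify() triage step and the file name are assumptions made for the example.

```python
import os
import tempfile


def missing_from_stat(dirpath, names, lstat=os.lstat):
    """Second half of the check: lstat() every name from a readdir() snapshot
    and return the ones that no longer exist. Anything deleted between the two
    calls lands here, which is exactly the window the reply describes."""
    missing = []
    for name in names:
        try:
            lstat(os.path.join(dirpath, name))
        except FileNotFoundError:
            missing.append(name)
    return missing


def rootcheck_like_scan(dirpath):
    """Model of the two-step check: readdir() first, then stat() each entry."""
    names = sorted(os.listdir(dirpath))
    return names, missing_from_stat(dirpath, names)


def classify(dirpath, suspects, listdir=os.listdir, lstat=os.lstat):
    """Triage helper (an assumption for this example, not part of OSSEC):
    re-read the directory once more and sort each suspect into
      "transient"  - absent from the fresh readdir(): deleted in the gap
      "suspicious" - listed again but still fails lstat(): persistent mismatch
      "resolved"   - listed and now stats fine: stat() raced a rename/create
    listdir/lstat are injectable so the persistent case can be exercised
    without a real hidden file."""
    current = set(listdir(dirpath))
    verdicts = {}
    for name in suspects:
        if name not in current:
            verdicts[name] = "transient"
            continue
        try:
            lstat(os.path.join(dirpath, name))
            verdicts[name] = "resolved"
        except FileNotFoundError:
            verdicts[name] = "suspicious"
    return verdicts


def simulate_clamav_tempfile_race():
    """Constructed scenario reproducing the alert: a clamav-<hex> temp file is
    present when the directory is read, is removed (as clamd does once it has
    finished unpacking) before it is stat()ed, and is then triaged."""
    with tempfile.TemporaryDirectory() as scratch:
        # constructed name in the style of the alert, not a real clamd artefact
        tmp_name = "clamav-0123456789abcdef0123456789abcdef"
        tmp_path = os.path.join(scratch, tmp_name)
        open(tmp_path, "w").close()
        names = sorted(os.listdir(scratch))            # readdir() sees the temp file
        os.unlink(tmp_path)                            # clamd finishes and deletes it
        suspects = missing_from_stat(scratch, names)   # stat() fails: "hidden from stats"
        verdicts = classify(scratch, suspects)         # gone on re-read -> transient
        return suspects, verdicts


if __name__ == "__main__":
    found, triage = simulate_clamav_tempfile_race()
    for entry in found:
        print(f"{entry}: readdir yes, stat no -> {triage[entry]}")
```

Pointing TemporaryDirectory in clamd.conf at a dedicated directory, as suggested above, makes this kind of triage simpler: any transient readdir/stat mismatch under that path can be attributed to clamd's unpacking, while the same verdict outside it still deserves a look.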