Thanks Dave.

On Tue, Aug 21, 2012 at 8:14 PM, David Raynor <[email protected]> wrote:
> On Tue, Aug 21, 2012 at 6:25 AM, teres vir <[email protected]> wrote:
>
> > Hi,
> >
> > For me, OSSEC is continuously triggering the following alert message when
> > it is doing its daily rootkit checks:
> >
> > OSSEC HIDS Notification.
> > 2012 Aug 19 04:33:47
> >
> > Received From: (web-agent) 192.168.0.115->rootcheck
> > Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
> > Portion of the log(s):
> >
> > Anomaly detected in file '/tmp/clamav-e6d074726ae187561c8cdee65748cc53'.
> > Hidden from stats, but showing up on readdir. Possible kernel level rootkit.
> >
> >
> > --END OF NOTIFICATION
> >
> > The name of the tmp file changes in each alert. Is it a false positive?
> > Hoping that it is, any idea what's causing this file to be hidden from
> > stats?
> >
> >
> > Thanks in advance,
> > Teres
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> > http://www.clamav.net/support/ml
> >
>
> You should be able to confirm this with the ossec-list, but this is a
> fairly common false positive for ossec. It is triggered by files which show
> up in a call to readdir but not to a follow-up stat call. Any file that
> gets deleted between the two calls can cause this warning. Temp files that
> vanish quickly are the culprit here.
>
> What you are seeing are short-lived temp files that ClamAV is using while
> unpacking certain file formats. They vanish because clamd will remove them
> when they are no longer needed. The default location is /tmp, but you can add
> or change the TemporaryDirectory setting in your clamd.conf file to point
> to a different directory if you like. Then these files will appear in a
> controlled location instead of the /tmp directory, which may make it
> clearer that they are truly of no concern.
>
> Dave R.
>
> --
> ---
> Dave Raynor
> Sourcefire Vulnerability Research Team
> [email protected]
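The mechanism Dave describes (a name that readdir returns but a follow-up stat cannot find, because the file was unlinked between the two calls) can be reproduced deterministically. The script below is an added example written for this page, not OSSEC's rootcheck code and not anything posted in the thread; it only approximates the heuristic as Dave explains it. The `between` hook is an assumption introduced here so the race can be forced in a test, and the `clamav-...` file name is constructed to resemble the one in the alert, not taken from a real clamd run. The `triage` step adds the check a practitioner would want: a second readdir that separates a file deleted mid-scan (benign, the temp-file case) from a name that readdir keeps returning while stat keeps failing (the case actually worth escalating).

```python
import os
import tempfile


def readdir_stat_check(path, between=None):
    """Approximation of the readdir-then-stat heuristic described in the thread.

    Lists the directory once, then lstat()s every name the listing returned.
    A name that readdir produced but lstat() cannot find is reported; that is
    the condition behind "Hidden from stats, but showing up on readdir".
    `between` is a test hook (an assumption of this example, not part of any
    real checker) that runs after the listing and before the stat loop so the
    race can be reproduced on demand.
    """
    names = os.listdir(path)          # the readdir pass
    if between is not None:
        between()                      # e.g. clamd unlinking a finished temp file
    missing = []
    for name in names:
        try:
            os.lstat(os.path.join(path, name))
        except FileNotFoundError:
            missing.append(name)
    return missing


def triage(path, missing):
    """Second look at each flagged name.

    A short-lived temp file is gone from a fresh readdir too, so the earlier
    mismatch was just a deletion landing between the two calls.  A name that a
    fresh readdir still returns while lstat() still fails is the one worth
    escalating: readdir and stat are disagreeing about the same entry.
    """
    listed_now = set(os.listdir(path))
    verdicts = {}
    for name in missing:
        if name not in listed_now:
            verdicts[name] = "deleted-between-calls"
            continue
        try:
            os.lstat(os.path.join(path, name))
            verdicts[name] = "present-again"          # recreated under the same name
        except FileNotFoundError:
            verdicts[name] = "still-hidden-from-stat"
    return verdicts


def demo():
    """Reproduce the thread's scenario in a private temp dir (constructed input)."""
    with tempfile.TemporaryDirectory() as d:
        # Name constructed to look like the one in the alert; not a real clamd file.
        tmp = os.path.join(d, "clamav-e6d074726ae187561c8cdee65748cc53")
        open(tmp, "w").close()
        # Simulate clamd removing its temp file while the checker sits between
        # its readdir and its stat loop.
        missing = readdir_stat_check(d, between=lambda: os.unlink(tmp))
        return missing, triage(d, missing)


if __name__ == "__main__":
    flagged, verdicts = demo()
    print("flagged by readdir/stat:", flagged)
    print("triage:", verdicts)
```

Running `demo()` flags the constructed `clamav-...` name on the first pass and then classifies it as `deleted-between-calls`, which is exactly the false-positive pattern in Teres' alerts. If clamd's `TemporaryDirectory` is moved as Dave suggests, the same `readdir_stat_check` can be pointed at that directory to confirm the flagged names are all clamd temp files; a `still-hidden-from-stat` verdict on anything outside it is the result that deserves a real investigation.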
