Yara rules are generally plain-text, meaning that if you scan a Yara rule file using that Yara rule, it may very well alert on itself. If you're going to use Yara rules, you don't want to scan your database directory. That doesn't mean it's necessarily a poorly written Yara rule, only that self-alerting is typical of Yara rules.
ClamAV's own signature formats (.ndb, .ldb, .hdb, etc.) are written in hexadecimal instead, which avoids this problem (but is a lot more cumbersome to work with). I'm not familiar with the "rfxn" signature databases you have, so I don't know what's in there or why their Yara rule is also alerting on their .ndb and .hdb database files. Either way, no - your server is not infected.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.

On Jan 4, 2019, at 9:00 AM, Tilman Schmidt <[email protected]> wrote:

Do not run clamscan over your entire filesystem. It's a bad idea. In your case clamscan found something looking like a virus in its own signatures, which is hardly surprising and certainly not a sign of an infection.

On 04.01.19 at 13:28, Kaushal Shriyan wrote:

When I am running clamscan:

#clamscan --infected --recursive /
/var/lib/clamav/rfxn.hdb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.ndb: YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND

[root@ clamav]# pwd
/var/lib/clamav
[root@ clamav]# ls -ltrh
total 268M
-rw-r--r--. 1 clamupdate clamupdate 113M Dec 13 02:31 main.cvd
-rw-r--r--. 1 clamupdate clamupdate 990K Jan  2 18:00 bytecode.cld
-rw-r--r--. 1 root       root       441K Jan  4 03:52 rfxn.ndb
-rw-r--r--. 1 root       root       828K Jan  4 03:52 rfxn.hdb
-rw-r--r--. 1 root       root       400K Jan  4 03:52 rfxn.yara
-rw-r--r--. 1 clamupdate clamupdate 153M Jan  4 09:00 daily.cld
-rw-------. 1 clamupdate clamupdate  520 Jan  4 12:21 mirrors.dat
[root@ clamav]#

Is the CentOS Linux release 7.3.1611 (Core) server infected with malware? Please suggest. Thanks in advance.
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
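As an added illustration of the self-alerting mechanism Micah describes (this is example code, not ClamAV's, Yara's, or anything from this thread): a toy byte-match scanner loads one constructed pattern both from a plain-text rule and from a hex-encoded .ndb-style line, then scans a throwaway tree with and without excluding the signature directory. The file names, the pattern and the simplified .ndb parser (no wildcard support) are all assumptions made for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed, inert stand-in for a webshell string; nothing here is malicious.
PATTERN = b"demo_shell_marker_0ver"
# Plain-text rule: the pattern appears literally, so the rule file contains
# the very bytes it looks for (the self-alerting described in the thread).
YARA_RULE = b'rule demo_rule { strings: $a = "demo_shell_marker_0ver" condition: $a }\n'
# ClamAV-style .ndb line (Name:TargetType:Offset:HexSignature): the pattern is
# only present hex-encoded, so a byte search does not match the .ndb file itself.
NDB_SIG = b"Demo.Marker.UNOFFICIAL:0:*:" + PATTERN.hex().encode() + b"\n"


def parse_yara_strings(text: bytes) -> list[bytes]:
    """Pull the quoted $string values out of a (very simple) Yara rule."""
    return [s.encode() for s in re.findall(r'\$\w+\s*=\s*"([^"]+)"', text.decode())]


def parse_ndb(text: bytes) -> list[bytes]:
    """Decode the hex signature field of each .ndb line back into bytes (no wildcards)."""
    return [bytes.fromhex(line.decode().split(":", 3)[3]) for line in text.splitlines()]


def scan(root: str, patterns: list[bytes], exclude_dirs: frozenset[str] = frozenset()) -> list[str]:
    """Naive byte-match scan of a tree, pruning any excluded directories."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in exclude_dirs]
        for name in filenames:
            path = os.path.join(dirpath, name)
            data = Path(path).read_bytes()
            if any(p in data for p in patterns):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def demo() -> dict[str, list[str]]:
    """Build a throwaway tree with a signature dir and scan it both ways."""
    with tempfile.TemporaryDirectory() as root:
        db = os.path.join(root, "var_lib_clamav")  # stands in for /var/lib/clamav
        os.makedirs(db)
        Path(db, "rfxn.yara").write_bytes(YARA_RULE)
        Path(db, "rfxn.ndb").write_bytes(NDB_SIG)
        Path(root, "index.php").write_bytes(b"<?php echo 'clean'; ?>\n")  # constructed clean file
        patterns = parse_yara_strings(YARA_RULE) + parse_ndb(NDB_SIG)
        return {
            "whole_tree": scan(root, patterns),             # the .yara file hits itself
            "db_excluded": scan(root, patterns, frozenset({db})),  # nothing found
        }


if __name__ == "__main__":
    print(demo())
```

The same exclusion is what the thread recommends for real scans: leave the signature directory out of the scan path rather than treating its hits as an infection.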
