Yara rules are generally plain-text, meaning that if you scan a Yara rule file 
using that Yara rule, it may very well alert on itself. If you're going to use 
Yara rules, you don't want to scan your database directory. That doesn't mean it's 
necessarily a poorly written Yara rule, only that self-alerting is typical of 
Yara rules.

ClamAV's own signature formats (.ndb, .ldb, .hdb, etc.) are written in 
hexadecimal instead, which avoids this problem (but is a lot more cumbersome to 
work with). I'm not familiar with the "rfxn" signature databases you have, so 
I don't know what's in there or why their Yara rule is also alerting on their 
ndb and hdb database files. Either way, no - your server is not infected.

Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
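To make the plaintext-versus-hex point above concrete, here is an added illustration (not code from ClamAV or from anyone in this thread). The rule text, signature name and file contents are constructed; the .ndb line layout (Name:TargetType:Offset:HexSig) is the real one. It also shows the converse the thread hints at, that a hex signature for the same string still hits a plaintext rule file containing it.

```python
"""Why a plaintext YARA rule alerts on its own file, while a ClamAV .ndb
signature for the same bytes does not contain them literally.

Added illustration, not ClamAV code. Rule text and names are constructed."""

# Constructed plaintext YARA rule, as it would sit in a .yara database file.
YARA_RULE = b'''rule Safe0ver_Shell_example
{
    strings:
        $s1 = "Safe0ver Shell - Safe Mod Bypass"
    condition:
        $s1
}
'''

# The literal string the constructed rule (and the .ndb signature) look for.
PATTERN = b"Safe0ver Shell - Safe Mod Bypass"


def to_ndb_signature(name: str, pattern: bytes) -> str:
    """Encode a byte pattern as a ClamAV .ndb line: Name:TargetType:Offset:HexSig.
    TargetType 0 = any file type, '*' = any offset. Only the pattern is hex;
    the signature name stays plaintext."""
    return f"{name}:0:*:{pattern.hex()}"


def ndb_line_pattern(line: str) -> bytes:
    """Recover the raw bytes a .ndb line matches (the hex part is the 4th field)."""
    return bytes.fromhex(line.split(":", 3)[3])


def plain_match(pattern: bytes, data: bytes) -> bool:
    """The literal substring test a plaintext string rule performs on a file."""
    return pattern in data


# Constructed .ndb database holding the hex-encoded form of the same pattern.
NDB_LINE = to_ndb_signature("Safe0ver_Shell_example.UNOFFICIAL", PATTERN)
NDB_FILE = (NDB_LINE + "\n").encode()


def self_alerts() -> dict:
    """Does each signature's pattern occur literally in each database file?"""
    return {
        # plaintext rule scanned against its own file: the string is right there
        "yara_rule_on_yara_file": plain_match(PATTERN, YARA_RULE),
        # hex signature scanned against its own .ndb: only hex digits, no raw bytes
        "ndb_sig_on_ndb_file": plain_match(ndb_line_pattern(NDB_LINE), NDB_FILE),
        # hex signature scanned against the plaintext rule file: still hits
        "ndb_sig_on_yara_file": plain_match(ndb_line_pattern(NDB_LINE), YARA_RULE),
    }
```

The practical mitigation is the one given above: leave the signature directory out of the scan, for example with clamscan's --exclude-dir option.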


On Jan 4, 2019, at 9:00 AM, Tilman Schmidt 
<tschm...@cardtech.de> wrote:

Do not run clamscan over your entire filesystem.
It's a bad idea.

In your case clamscan found something looking like a virus in its own
signatures, which is hardly surprising and certainly not a sign of an
infection.

On 04.01.19 at 13:28, Kaushal Shriyan wrote:

When I am running clamscan:

#clamscan --infected --recursive /
/var/lib/clamav/rfxn.hdb:
YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.ndb:
YARA.Safe0ver_Shell__Safe_Mod_Bypass_By_Evilc0der_php.UNOFFICIAL FOUND
/var/lib/clamav/rfxn.yara: {HEX}php.gzbase64.inject.452.UNOFFICIAL FOUND

[root@ clamav]# pwd
/var/lib/clamav
[root@ clamav]# ls -ltrh
total 268M
-rw-r--r--. 1 clamupdate clamupdate 113M Dec 13 02:31 main.cvd
-rw-r--r--. 1 clamupdate clamupdate 990K Jan  2 18:00 bytecode.cld
-rw-r--r--. 1 root       root       441K Jan  4 03:52 rfxn.ndb
-rw-r--r--. 1 root       root       828K Jan  4 03:52 rfxn.hdb
-rw-r--r--. 1 root       root       400K Jan  4 03:52 rfxn.yara
-rw-r--r--. 1 clamupdate clamupdate 153M Jan  4 09:00 daily.cld
-rw-------. 1 clamupdate clamupdate  520 Jan  4 12:21 mirrors.dat
[root@ clamav]#

Is the CentOS Linux release 7.3.1611 (Core) server infected with
Malware? Please suggest. Thanks in Advance.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
