Thanks for coming back to me, Al. I couldn't see anything useful in the changelog, but looking further at how RKH seems to work it looks like it would pick up HiddenWasp (as an example) because it preloads a shared library as part of its infection process.
Thanks
Rob

On Thu, 21 Nov 2019 at 18:54, Al Varnell <alvarn...@mac.com> wrote:
>
> Take a look at the release dates in the Change Log to see how often
> signatures are updated:
>
> <https://sourceforge.net/p/rkhunter/rkh_code/ci/master/tree/files/CHANGELOG>
>
> -Al-
> macOS User
>
> On Nov 21, 2019, at 07:47, rob pearman <rob.pear...@gmail.com> wrote:
>
> Hi!
>
> I'd be grateful if someone could answer a couple of questions ...
>
> 1. I'm aware that in principle it checks for changes to key files that
> might indicate a replacement by a rootkit/virus, and I've already set
> up my installation to check against my package manager's details (DPKG
> in my case), however there are also rootkit-specific tests run by RKH
> that are listed toward the end of the 'check' process. Notably absent
> from this list are some recent nasties such as HiddenWasp - is this
> because the signatures haven't been updated yet, or would it be
> detected by more generic checks that mean it doesn't need specific
> checks to be performed?
>
> 2. what is the process, and how often are the RKH signatures updated?
>
> Thanks for your help.
> Rob

_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
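The generic check Rob describes above, written out as an added example (not rkhunter's own code): a rootkit that installs itself through /etc/ld.so.preload must list its library there, so every listed path can be compared against what dpkg recorded at install time. The library paths in the sample are constructed placeholders; the dpkg md5sums location is the standard one on Debian-derived systems.

```python
"""Audit /etc/ld.so.preload against dpkg's recorded checksums (added example, not rkhunter code)."""
import hashlib
import os
import re
from pathlib import Path

PRELOAD_FILE = Path("/etc/ld.so.preload")
DPKG_INFO = Path("/var/lib/dpkg/info")
# Constructed sample used when no real preload file exists; paths are placeholders.
SAMPLE_PRELOAD = "/lib/example/libgood.so.1\n/usr/local/lib/libunknown.so  # constructed\n"

def parse_preload(text):
    """glibc separates preload entries on whitespace or ':' and ignores '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(tok for tok in re.split(r"[\s:]+", line) if tok)
    return entries

def load_dpkg_md5sums(info_dir=DPKG_INFO):
    """Map absolute path -> md5 dpkg recorded at install time (*.md5sums files)."""
    known = {}
    for md5file in Path(info_dir).glob("*.md5sums"):
        for line in md5file.read_text(errors="replace").splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                known["/" + parts[1].strip()] = parts[0]
    return known

def file_md5(path):
    with open(path, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest()

def audit_preload(text, known, exists=os.path.exists, digest=file_md5):
    """Return (path, reason) for each entry that is unowned, missing or modified.
    `exists`/`digest` are injectable so the logic can be exercised offline."""
    findings = []
    for path in parse_preload(text):
        if path not in known:
            findings.append((path, "not owned by any dpkg package"))
        elif not exists(path):
            findings.append((path, "listed but missing on disk"))
        elif digest(path) != known[path]:
            findings.append((path, "checksum differs from dpkg record"))
    return findings

if __name__ == "__main__":
    content = PRELOAD_FILE.read_text() if PRELOAD_FILE.exists() else SAMPLE_PRELOAD
    for path, reason in audit_preload(content, load_dpkg_md5sums()):
        print(f"WARNING {path}: {reason}")
```

An empty /etc/ld.so.preload produces no findings; any entry not traceable to an installed package is the signal worth investigating, since legitimate preloads (e.g. from a distro package) will be owned and unmodified.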