Re: [Clamav-users] Don't know what to do with infected files

2007-03-13 Thread Thomas Sprinkmeier
On Tue, 2007-03-13 at 00:09 +0100, Pascal Duchatelle wrote:
 Thomas Sprinkmeier wrote:
  Is deleting it enough?
  My advice is to nuke infected systems. Even benign programs rarely
  uninstall cleanly; malware is nasty and designed not to go quietly.
 

 To nuke, you mean just reformatting the space and doing a re-install?

Yes.
Remember to install all patches, virus checkers, signature updates etc.
etc. from behind a nice, safe firewall (see
https://isc2.sans.org/survivaltime.html and
http://www.sans.org/rr/papers/index.php?id=1298)

Your system is dual-boot?
Re-installing windows will nuke your bootloader (probably grub or lilo).
You'll have to reinstall it afterwards. Of course, to reinstall it you
gotta boot linux first (chicken and egg :-)
Make a linux boot disk and/or have a live CD (http://www.knoppix.org/)
handy before you start.


 I naively did this unzipping already when I wanted to upgrade the YEPP 
 studio...
 The sum of the folders + files sizes looks about the same as the size 
 of the zip archive. Could it be a false positive?

sounds like it.
Consider submitting the file to clamav, they're likely to be interested.

 
 Thank you again
 
 Pascal

glad to help.


Thomas

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html


Re: [Clamav-users] Don't know what to do with infected files

2007-03-13 Thread Tom Samplonius


 sorry to bother you but I am new to ClamAV (on fedora core 6). I ran 
 clamscan on my laptop and got a message telling me that I have 3 files 
 infected.

  You might have some malware, but I doubt your system is infected.

 One is in my mail. I browsed the FAQ and found a way that is supposed (by using
...

  Yes, everyone gets junk in their e-mail.  Your system might not even be 
vulnerable to it, and it doesn't mean that the stuff has actually infected your 
system.  But finding the specific message is a bit hard with ClamAV.

 The second file infected is in my windows partition under the root 
 directory (I got this result :media/hda2/pagefile.sys: 
 Exploit.HTML.MHTRedir-8 FOUND). hda2 is my windows partition.  This file 
 is 1.3G large (from what nautilus sees/says). Again is simply deleting
 enough? Is it usually a windows file?

  This is the Windows swap file.  So you probably visited a site with an 
exploit, and some of your RAM holding that, happened to get swapped to disk.  
Or it could be a false-positive.  Your Windows swap file is just temp storage 
while Windows is running, so anything in it is junk.  There is no need to 
disinfect it, as Windows will re-init it when it boots again.

 The third one is more confusing to me since it is a zipped file that I
 donwloaded from the US Samsung site when I tried to upgrade my Yepp 920 
 studio and firmware (mp3 player interface). The scan tells me that it is 
 an oversized archive. Is there a way for clamAV to be sure of that (I

  The ZIP file may be corrupted.  The exact ClamAV message would be helpful, 
but ClamAV has protection against ZIP bombs, which contain files with 
unrealistic compression ratios.  ZIP bombs can take a really long time to 
scan, as the AV engine will decompress the file(s), which can decompress to 
100x the original size (or more).  So scanning a 50MB ZIP bomb could involve 
scanning 5GB of data.  There are settings in Clam to configure the 
unrealistic compression ratio setting.

Tom

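Tom's point about compression ratios can be checked without inflating the whole archive: the ZIP central directory already records the compressed and uncompressed size of every entry, which is the comparison Pascal made by hand. The Python below is an added example, not ClamAV's code; the 100x ratio limit and the 1 MiB inflate cap are assumed values, and the sample archive is constructed in memory.

```python
import io
import zipfile
import zlib

RATIO_LIMIT = 100              # assumed threshold; ClamAV's own limit is configurable
INFLATE_CAP = 1024 * 1024      # assumed: inflate at most 1 MiB of any one entry

def inspect_zip(data, ratio_limit=RATIO_LIMIT, inflate_cap=INFLATE_CAP):
    """Rate every entry by the sizes recorded in the central directory (no
    decompression needed) and, only for entries over the ratio limit, confirm
    with a hard byte cap whether they keep inflating or are simply corrupt."""
    entries, packed, unpacked = [], 0, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            packed += info.compress_size
            unpacked += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            status = "ok"
            if ratio > ratio_limit:
                status = bounded_inflate(zf, info, inflate_cap)
            entries.append({"name": info.filename, "ratio": round(ratio, 1), "status": status})
    return {"total_ratio": round(unpacked / max(packed, 1), 1), "entries": entries}

def bounded_inflate(zf, info, cap):
    """Inflate at most `cap` bytes: 'over-cap' if still going at the cap, 'corrupt'
    if the stream is bad, 'high-ratio' if it ends cleanly under the cap."""
    seen = 0
    try:
        with zf.open(info) as fh:
            while chunk := fh.read(65536):
                seen += len(chunk)
                if seen >= cap:
                    return "over-cap"
    except (zipfile.BadZipFile, zlib.error):
        return "corrupt"
    return "high-ratio"

def build_sample():
    """Constructed archive: a small text file and 4 MiB of NULs, the
    'gazillion NULLs' case the thread describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "Firmware updater notes\n" * 4)
        zf.writestr("zeros.bin", b"\0" * (4 * 1024 * 1024))
    return buf.getvalue()

if __name__ == "__main__":
    print(inspect_zip(build_sample()))
```

An entry reported as "over-cap" is not proof of a bomb (a genuinely sparse file looks the same), which is exactly the false-positive case the thread ends on; the point is that the decision is made with bounded resources.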


[Clamav-users] Don't know what to do with infected files

2007-03-12 Thread Pascal Duchatelle

Hi there,

sorry to bother you but I am new to ClamAV (on fedora core 6). I ran 
clamscan on my laptop and got a message telling me that I have 3 files 
infected.
One is in my mail. I browsed the FAQ and found a way that is supposed (by using 
the --debug option) to tell the number of the infected message so that I 
could get rid of it.
First: I ran the clamscan --debug -l fich -r / command in a 
console. Where should I find the line telling me which of my messages is 
infected? In the console or in the fich file given in the command? 
But maybe it does not work with thunderbird.
If it is in the console, then I have another problem because during the 
debug process there are a bunch of info scrolling down the screen at 
incredible speed, and after a moment I don't know why but the characters 
go wild (except numbers) so that I cannot read anything on the screen.
Of course I could delete the entire content of the mail box (by the way 
would it be enough action taken? because nowhere in the manual it is 
said how to handle infected files (although in the FAQ it is hinted that 
disinfecting such files would be mainly a waste of energy...) ). This 
would waste me a lot of valuable messages that I keep, but moreover I would 
not know where the infected message comes from (for future precaution).
The second file infected is in my windows partition under the root 
directory (I got this result :media/hda2/pagefile.sys: 
Exploit.HTML.MHTRedir-8 FOUND). hda2 is my windows partition.  This file 
is 1.3G large (from what nautilus sees/says). Again is simply deleting 
enough? Is it usually a windows file?
The third one is more confusing to me since it is a zipped file that I 
downloaded from the US Samsung site when I tried to upgrade my Yepp 920 
studio and firmware (mp3 player interface). The scan tells me that it is 
an oversized archive. Is there a way for clamAV to be sure of that (I 
mean in a MD5 sum sort of way)? Because it is only 50Mo.


Thank you for your responses and advice.

--
Laboratoire de Pharmacologie - Physiologie CERMN
UFR des Sciences Pharmaceutiques
Université de Caen Basse Normandie
5 rue Vaubénard
14032 Caen cedex
Tél/fax (33) 02 31 94 72 55


Re: [Clamav-users] Don't know what to do with infected files

2007-03-12 Thread Thomas Sprinkmeier
On Mon, 2007-03-12 at 11:31 +0100, Pascal Duchatelle wrote:
 Hi there,
 
 sorry to bother you but I am new to ClamAV (on fedora core 6). I ran 
 clamscan on my laptop and got a message telling me that I have 3 files 
 infected.
 One is in my mail. I browsed the FAQ and found a way that is supposed (by using 
 the --debug option) to tell the number of the infected message so that I 
 could get rid of it.
 First: I ran the clamscan --debug -l fich -r / command in a 
 console. Where should I find the line telling me which of my messages is 
 infected? In the console or in the fich file given in the command? 
 But maybe it does not work with thunderbird.
 If it is in the console, then I have another problem because during the 
 debug process there are a bunch of info scrolling down the screen at 
 incredible speed, and after a moment I don't know why but the characters 
 go wild (except numbers) so that I cannot read anything on the screen.
 Of course I could delete the entire content of the mail box (by the way 
 would it be enough action taken? because nowhere in the manual it is 
 said how to handle infected files (although in the FAQ it is hinted that 
 disinfecting such files would be mainly a waste of energy...) ). This 
 would waste me a lot of valuable messages that I keep, but moreover I would 
 not know where the infected message comes from (for future precaution).

You could split it into separate messages using formail, scan the
individual messages and then recombine the uninfected ones.

Alternatively you could use a MUA to split your mail into 2 folders,
scan them, split the infected one. ye olde binary search :-)


 The second file infected is in my windows partition under the root 
 directory (I got this result :media/hda2/pagefile.sys: 
 Exploit.HTML.MHTRedir-8 FOUND). hda2 is my windows partition.  This file 
 is 1.3G large (from what nautilus sees/says). Again is simply deleting 
 enough? Is it usually a windows file?

pagefile.sys is your swap file. If your virus was ever swapped out, it'd
make sense to find it there.

You should be able to delete it, windows will recreate it.
You need to turn off swap first, (probably) reboot, delete the file,
turn swap back on and reboot again.

Is deleting it enough?
My advice is to nuke infected systems. Even benign programs rarely
uninstall cleanly; malware is nasty and designed not to go quietly.

 The third one is more confusing to me since it is a zipped file that I 
 downloaded from the US Samsung site when I tried to upgrade my Yepp 920 
 studio and firmware (mp3 player interface). The scan tells me that it is 
 an oversized archive. Is there a way for clamAV to be sure of that (I 
 mean in a MD5 sum sort of way)? Because it is only 50Mo.

oversized archives are also known as compression bombs. You take a
file with a few gazillion NULLs (easy to do on a filesystem with sparse
file support) and compress it.
The victim tries to unzip it to check for viruses and nukes their free
disk space.

I don't know exactly how clamAV checks for these, but sometimes
innocent files are tagged (files that really do have fantastic
compression ratios).

Unzip the file (preferably to a safe partition) and scan the resultant
files.

 
 Thank you for your responses and advice.
 


Thomas

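Thomas's suggestion of splitting the mailbox into single messages, scanning the pieces and recombining the clean ones, as an added Python example that is not part of the thread: it uses the standard mailbox module in place of formail, takes the "path: Signature FOUND" lines clamscan prints as its input, and the three-message mailbox and the scan report in the demo are constructed.

```python
import mailbox
import os
import tempfile

def split_mbox(mbox_path, out_dir):
    """Write every message of an mbox to its own file (what formail -s does),
    so clamscan reports per message instead of per mailbox."""
    paths, box = [], mailbox.mbox(mbox_path)
    for i, msg in enumerate(box):
        p = os.path.join(out_dir, f"msg-{i:05d}.eml")
        with open(p, "wb") as fh:
            fh.write(msg.as_bytes())
        paths.append(p)
    box.close()
    return paths

def infected_from_report(report):
    """Collect paths from the 'path: Signature FOUND' lines clamscan prints."""
    return {l.rsplit(": ", 1)[0] for l in report.splitlines() if l.endswith(" FOUND")}

def recombine(paths, infected, dest_mbox):
    """Rebuild an mbox from the clean messages; return how many were kept and
    the From/Subject of each dropped one, so the sender is on record."""
    box, kept, dropped = mailbox.mbox(dest_mbox), 0, []
    for p in paths:
        with open(p, "rb") as fh:
            msg = mailbox.mboxMessage(fh.read())
        if p in infected:
            dropped.append(f"{msg['From']} / {msg['Subject']}")
        else:
            box.add(msg)
            kept += 1
    box.close()  # close() flushes the new mailbox to disk
    return kept, dropped

def quarantine_demo():
    """End-to-end run on a constructed three-message mailbox with a hand-written
    clamscan report; in real use, run `clamscan -r` on the parts directory."""
    with tempfile.TemporaryDirectory() as tmp:
        src, parts = os.path.join(tmp, "Inbox"), os.path.join(tmp, "parts")
        os.mkdir(parts)
        box = mailbox.mbox(src)
        for i, subj in enumerate(["Lab meeting", "Invoice attached", "Re: Yepp firmware"]):
            m = mailbox.mboxMessage()
            m["From"], m["Subject"] = f"sender{i}@example.invalid", subj
            m.set_payload(f"body {i}\n")
            box.add(m)
        box.close()
        paths = split_mbox(src, parts)
        report = f"{paths[0]}: OK\n{paths[1]}: Exploit.HTML.MHTRedir-8 FOUND\n{paths[2]}: OK\n"
        return recombine(paths, infected_from_report(report), os.path.join(tmp, "Inbox.clean"))
```

The dropped list answers Pascal's second worry: you learn which sender and subject carried the flagged message before it is removed.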


Re: [Clamav-users] Don't know what to do with infected files

2007-03-12 Thread Pascal Duchatelle

Thomas Sprinkmeier wrote:

Is deleting it enough?
My advice is to nuke infected systems. Even benign programs rarely
uninstall cleanly; malware is nasty and designed not to go quietly.

  

To nuke, you mean just reformatting the space and doing a re-install?


oversized archives are also known as compression bombs. You take a
file with a few gazillion NULLs (easy to do on a filesystem with sparse
file support) and compress it.
The victim tries to unzip it to check for viruses and nukes their free
disk space.

I don't know exactly how clamAV checks for these, but sometimes
innocent files are tagged (files that really do have fantastic
compression ratios).

Unzip the file (preferably to a safe partition) and scan the resultant
files.
  
I naively did this unzipping already when I wanted to upgrade the YEPP 
studio...
The sum of the folders + files sizes looks about the same as the size 
of the zip archive. Could it be a false positive?


Thank you again

Pascal
