Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

maldetect + ClamAV false Positive #87

Closed
codesport opened this issue Oct 18, 2015 · 5 comments
Closed

maldetect + ClamAV false Positive #87

codesport opened this issue Oct 18, 2015 · 5 comments

Comments

@codesport
Copy link

  1. False positive being picked up from within the maldetect install files:
    /usr/local/maldetect/clean/gzbase64.inject.unclassed
    and
    /home/my_username/maldetect-1.5/files/clean/gzbase64.inject.unclassed
  2. Folder and file contents may be viewed here: https://github.com/waja/maldetect/tree/master/files/clean
  3. Seems this has been an ongoing issue, however. Just search on the phrase gzbase64.inject.unclassed, for reports of this happening in version 1.4.2:
    http://forum2.aimoo.com/computerhelp/category/Injection-Attack-on-Linux-System-1-1020626.html
    and
    http://xmodulo.com/how-to-detect-malware-on-linux.html
@IhariR
Copy link

IhariR commented Nov 27, 2015

We are getting the same alerts from ClamAV after having installed MalDectect 1.5:

/usr/local/maldetect/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/src/maldetect-current.tar.gz: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk5818/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND

Codes found here at github.com/rfxn/linux-malware-detect/ and on github.com/waja/maldetect are both unsettling (and identical):

https://github.com/rfxn/linux-malware-detect/blob/master/files/clean/gzbase64.inject.unclassed
https://github.com/waja/maldetect/blob/master/files/clean/gzbase64.inject.unclassed

Why these two repositories and how can we be sure that these are only false positives ?

@Yzord
Copy link

Yzord commented Jan 14, 2016

I have the same issue:

/usr/local/maldetect/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk6816/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk6487/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/maldetect.bk6179/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/src/maldetect-1.5/files/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
/usr/local/src/maldetect-current.tar.gz: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND

@tony-caffe
Copy link

I have received the same issue on LMD 1.5 and ClamAV .99 (Yum EPEL Repo Install):

cat /var/log/clamav/daily-clamscan.log
/usr/local/maldetect/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND

I have even excluded the directory in ClamAV Config and the daily ClamAV scan still reports it:

cat /etc/clamd.conf | grep Exclude
ExcludePath /usr/local/maldetect/

Is this bug report even being followed by LMD? This has been going on for a while now.

Thanks,
Anthony

@rfxn
Copy link
Owner

rfxn commented May 11, 2016

Folks,
Like most malware tools, you should not scan itself with the package as there are signatures and patterns within the toolset for detecting malware that itself also is detect as malware. These are false positives but relative to the fact that LMD is a userspace malware scanner and should not be scanning system paths.

@rfxn rfxn closed this as completed May 11, 2016
@AntlanticBeaver
Copy link

Not a good idea to let a scanner do own files when doing scan. Do dis:
Clamav:
clamscan -r -i / --exclude-dir="^/sys" --exclude /usr/share/doc/clamav/test

Result gonna give you only intruders in Linux (Nevertheless a scan is more than just running for "intruders". It gives nature of system files to learn about'em)
A result as example:
maldetect/sigs.old/rfxn.ndb: SecuriteInfo.com.JS.Exploit-16.UNOFFICIAL FOUND
maldetect/sigs.old/hex.dat: SecuriteInfo.com.JS.Exploit-16.UNOFFICIAL FOUND
maldetect/sigs/rfxn.ndb: SecuriteInfo.com.JS.Exploit-16.UNOFFICIAL FOUND
maldetect/sigs/hex.dat: SecuriteInfo.com.JS.Exploit-16.UNOFFICIAL FOUND
maldetect/clean/gzbase64.inject.unclassed: {HEX}gzbase64.inject.unclassed.15.UNOFFICIAL FOUND
nmap/scripts/http-vuln-cve2012-1823.nse: {HEX}php.exe.globals.403.UNOFFICIAL FOUND
perl5/vendor_perl/5.12.3/File/Scan.pm: SecuriteInfo.com.JS.Obfus-679.UNOFFICIAL FOUND
clamav/rfxn.ndb: SecuriteInfo.com.JS.Exploit-16.UNOFFICIAL FOUND
These files which are for scanning are themselves regarded as a suspicious object. Something like when clamav "detects" clamav.doc is "suspicious" in its own clamav folder. That why it's called a Test. To test that clamav just works fine.
Exclude dir sys and clamav/test when scanning. Dir sys is a tmp thing where the kernel info is loaded in the tmp and thus is NOT identical with orig kernel. Still they are the same. Not their size.
Maldetect sigs work just for Maldetect that in turn uses Clamav db but clamav doesn't recognize it as its files which in turn only work in Maldetect.
Look up-as example-nmap/scripts/http-vuln-cve2012-1823.nse and the nmap.org informs that this file is for detection of PHP-CGI installations that are vulnerable to CVE-2012-1823 that would allow attackers to retrieve source code and execute code remotely thus this file is a protector in the Linux.
That's all folks :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@rfxn @tony-caffe @IhariR @Yzord @codesport @AntlanticBeaver