MvL Posted July 4, 2018

Hi, I have found a virus on one of my servers (not an unRAID server). I scanned that server with ClamAV. Is there a package for unRAID? I just want to double check that unRAID is not infected or any container.

    [root@voyager /]# clamscan -ri --exclude-dir=/sys
    /etc/snort.d/rules/clearcenter/activex.rules: Win.Trojan.cve_2011_2657-1 FOUND
    /etc/snort.d/rules/clearcenter/current_events.rules: Sanesecurity.Malware.19493.Web.UNOFFICIAL FOUND
    /etc/snort.d/rules/clearcenter/deleted.rules: Html.Trojan.Blackhole-65 FOUND
    /var/clearos/configuration_backup/backup-voyager_domain_nl-07-02-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
    /var/clearos/configuration_backup/backup-voyager_domain_nl-07-03-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
    /var/clearos/configuration_backup/backup-voyager_domain_nl-07-04-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
    /usr/lib64/gconsole/browser/omni.ja: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 6771035
    Engine version: 0.99.3
    Scanned directories: 15192
    Scanned files: 50596
    Infected files: 7
    Data scanned: 2910.37 MB
    Data read: 2377.13 MB (ratio 1.22:1)
    Time: 682.111 sec (11 m 22 s)
    You have new mail in /var/spool/mail/root
    [root@voyager /]#

Squid Posted July 4, 2018

Not that this is necessarily what happened to you, but a problem with AV scanners as a whole is that on signature detection, there is the possibility of false positives.

http://cipherdyne.org/blog/2010/08/how-to-avoid-clamav-matches-on-bundled-snort-rules.html

MvL (Author) Posted July 5, 2018

Yes, true! I found out that the first three are false positives for sure.

    /etc/snort.d/rules/clearcenter/activex.rules: Win.Trojan.cve_2011_2657-1 FOUND
    /etc/snort.d/rules/clearcenter/current_events.rules: Sanesecurity.Malware.19493.Web.UNOFFICIAL FOUND
    /etc/snort.d/rules/clearcenter/deleted.rules: Html.Trojan.Blackhole-65 FOUND
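
A triage pass over the scan report from the first post, as an added example that is not part of the thread: it separates hits on IDS rule files (the false-positive case discussed above) from hits that still need a look, and checks the parsed hit count against the summary. The path patterns and label names are assumptions; the labels guide manual review and are not verdicts.

```python
import re

# Hit lines copied from the first post in this thread; the summary block is
# trimmed to the one line this example uses.
REPORT = """\
/etc/snort.d/rules/clearcenter/activex.rules: Win.Trojan.cve_2011_2657-1 FOUND
/etc/snort.d/rules/clearcenter/current_events.rules: Sanesecurity.Malware.19493.Web.UNOFFICIAL FOUND
/etc/snort.d/rules/clearcenter/deleted.rules: Html.Trojan.Blackhole-65 FOUND
/var/clearos/configuration_backup/backup-voyager_domain_nl-07-02-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
/var/clearos/configuration_backup/backup-voyager_domain_nl-07-03-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
/var/clearos/configuration_backup/backup-voyager_domain_nl-07-04-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
/usr/lib64/gconsole/browser/omni.ja: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Infected files: 7
"""

HIT = re.compile(r"^(?P<path>/.+): (?P<sig>\S+) FOUND$")
# Assumption: IDS rule files sit under a "rules" directory and end in ".rules".
RULE_FILE = re.compile(r"/rules/.*\.rules$")
ARCHIVE = re.compile(r"\.(tgz|tar\.gz|zip|tar)$")

def parse(report):
    """Return ([(path, signature), ...], infected count from the summary or None)."""
    hits, reported = [], None
    for line in report.splitlines():
        m = HIT.match(line.strip())
        if m:
            hits.append((m["path"], m["sig"]))
        elif line.startswith("Infected files:"):
            reported = int(line.split(":", 1)[1])
    return hits, reported

def triage(hits):
    """Attach a review label to each hit (heuristic, not a verdict)."""
    rule_sigs = {s for p, s in hits if RULE_FILE.search(p)}
    def label(path, sig):
        if RULE_FILE.search(path):      # rule text contains the patterns it detects
            return "likely-false-positive: IDS rule file"
        if ARCHIVE.search(path) and sig in rule_sigs:
            return "inspect-archive: same signature as a rule-file hit"
        if sig.endswith(".UNOFFICIAL"):  # ClamAV's marker for non-official databases
            return "investigate: third-party signature"
        return "investigate"
    return [(p, s, label(p, s)) for p, s in hits]

if __name__ == "__main__":
    hits, reported = parse(REPORT)
    assert reported == len(hits), "summary count does not match parsed hits"
    for path, sig, lab in triage(hits):
        print(f"{lab:52} {sig:44} {path}")
```

An "inspect-archive" label means listing the archive's contents to see whether it holds the matching rule file before treating the hit as real.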

primeval_god Posted July 5, 2018

I have a ClamAV docker container that I use to scan my unRAID system. It is not currently available through Community Applications but you can find a cobbled together template here https://github.com/dcflachs/docker-containers/tree/templates/dcflachs . It requires a container for both ClamScan and FreshClam to run.

Archived
This topic is now archived and is closed to further replies.