MvL Posted July 4, 2018

Hi,

I have found a virus on one of my servers (not an unRAID server). I scanned that server with ClamAV. Is there a package for unRAID? I just want to double check that unRAID is not infected or any container.

```
[root@voyager /]# clamscan -ri --exclude-dir=/sys
/etc/snort.d/rules/clearcenter/activex.rules: Win.Trojan.cve_2011_2657-1 FOUND
/etc/snort.d/rules/clearcenter/current_events.rules: Sanesecurity.Malware.19493.Web.UNOFFICIAL FOUND
/etc/snort.d/rules/clearcenter/deleted.rules: Html.Trojan.Blackhole-65 FOUND
/var/clearos/configuration_backup/backup-voyager_domain_nl-07-02-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
/var/clearos/configuration_backup/backup-voyager_domain_nl-07-03-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
/var/clearos/configuration_backup/backup-voyager_domain_nl-07-04-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
/usr/lib64/gconsole/browser/omni.ja: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6771035
Engine version: 0.99.3
Scanned directories: 15192
Scanned files: 50596
Infected files: 7
Data scanned: 2910.37 MB
Data read: 2377.13 MB (ratio 1.22:1)
Time: 682.111 sec (11 m 22 s)
You have new mail in /var/spool/mail/root
[root@voyager /]#
```

Squid Posted July 4, 2018

Not that this is necessarily what happened to you, but a problem with AV scanners as a whole is that on signature detection, there is the possibility of false positives.

http://cipherdyne.org/blog/2010/08/how-to-avoid-clamav-matches-on-bundled-snort-rules.html

MvL Posted July 5, 2018

Yes, true! I found out that the first three are false positives for sure.

```
/etc/snort.d/rules/clearcenter/activex.rules: Win.Trojan.cve_2011_2657-1 FOUND
/etc/snort.d/rules/clearcenter/current_events.rules: Sanesecurity.Malware.19493.Web.UNOFFICIAL FOUND
/etc/snort.d/rules/clearcenter/deleted.rules: Html.Trojan.Blackhole-65 FOUND
```

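Added example, not part of any post in this thread: a small Python triage of the clamscan hit lines quoted above, sorting them by what has to be checked next, in line with the false-positive point raised in the replies. The path patterns, bucket names and field names are assumptions of this example; it produces leads to verify, not verdicts.

```python
import re

# The seven hit lines copied from the clamscan -ri output quoted in the thread.
SAMPLE = """\
/etc/snort.d/rules/clearcenter/activex.rules: Win.Trojan.cve_2011_2657-1 FOUND
/etc/snort.d/rules/clearcenter/current_events.rules: Sanesecurity.Malware.19493.Web.UNOFFICIAL FOUND
/etc/snort.d/rules/clearcenter/deleted.rules: Html.Trojan.Blackhole-65 FOUND
/var/clearos/configuration_backup/backup-voyager_domain_nl-07-02-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
/var/clearos/configuration_backup/backup-voyager_domain_nl-07-03-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
/var/clearos/configuration_backup/backup-voyager_domain_nl-07-04-2018-01-50-01.tgz: Win.Trojan.cve_2011_2657-1 FOUND
/usr/lib64/gconsole/browser/omni.ja: Sanesecurity.Foxhole.Zip_Js_Js.UNOFFICIAL FOUND
"""

HIT = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
# Assumed heuristics (not from the thread) for IDS rule files and archives.
IDS_RULES = re.compile(r"/(snort|suricata)[^/]*/.*\.rules$")
ARCHIVE = re.compile(r"\.(tgz|tar\.gz|tar|zip)$")


def parse_hits(text):
    """Return (path, signature) for every 'path: Signature FOUND' line."""
    matches = (HIT.match(line.strip()) for line in text.splitlines())
    return [(m["path"], m["sig"]) for m in matches if m]


def triage(hits):
    """Bucket each hit by the follow-up it needs; this is not a verdict."""
    rule_sigs = {sig for path, sig in hits if IDS_RULES.search(path)}
    report = []
    for path, sig in hits:
        if IDS_RULES.search(path):
            bucket = "ids-rules"  # rule text embeds the patterns AV looks for
        elif ARCHIVE.search(path):
            bucket = "archive"    # extract and rescan to find the member
        else:
            bucket = "review"     # inspect the file itself
        report.append({
            "path": path, "signature": sig, "bucket": bucket,
            # ClamAV appends .UNOFFICIAL to third-party database signatures
            "third_party_sig": sig.endswith(".UNOFFICIAL"),
            # same signature also fired on a rule file: a lead, not proof
            "sig_seen_in_rules": bucket != "ids-rules" and sig in rule_sigs,
        })
    return report


def summary(report):
    """Count hits per bucket."""
    return {b: sum(r["bucket"] == b for r in report)
            for b in ("ids-rules", "archive", "review")}
```
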
primeval_god Posted July 5, 2018

I have a ClamAV docker container that I use to scan my unRAID system. It is not currently available through Community Applications but you can find a cobbled together template here https://github.com/dcflachs/docker-containers/tree/templates/dcflachs . It requires a container for both ClamScan and FreshClam to run.