Ask Your Question
2

ClamTK Scan Anomaly?

asked 2018-07-15 11:33:52 -0500

Speedy gravatar image

updated 2018-07-15 15:08:21 -0500

genodeftest gravatar image

Hi I recently scanned my file system with clamtk and after scanning I saw these 3 files and I can't do anything on it. Can't quarantine or delete these files and what's alarming is it says "Trojan" on the status. Please if someone could explain what this means and or if this is a virus how can I remove it manually from my system. Thanks

Please check the results from clamtk here:

File                                 Status                                    Action Taken
/usr/bin/chvt                    Unix.Trojan.Vali-6606621-0        None
/usr/bin/ulockmgr_server  Unix.Trojan.Vali-6606621-0        None
/usr/bin/rapper                 Unix.Trojan.Vali-6606621-0        None
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
4

answered 2018-07-15 15:21:08 -0500

genodeftest gravatar image

updated 2018-07-16 11:25:13 -0500

How do you find out whether it actually is a problem or not?

  1. Run $ dnf provides /usr/bin/chvt to find which package provides that file. In this case it should be

    • kbd-2.0.4-5.fc28.x86_64 for /usr/bin/chvt
    • fuse-2.9.7-11.fc28.x86_64 for /usr/bin/ulockmgr_server
    • raptor2-2.0.15-12.fc28.x86_64 for /usr/bin/rapper
  2. run $ rpm --verbose --verify [packagename]. If it succeeds (returns 0), the files have not been modified from the package. If every file is only preceeded by dots before the first space, it does succeed.

  3. Where is your package from? The commands from 1. should tell you that. If the package source is not "Fedora", it may be a virus.

  4. If the package is from the Fedora repositories, it looks like a false alarm.

If you are unsure, try uploading it to VirusTotal which will check it against many virus databases.

Having a look at other places on the net, it looks like there are more false alarms with this specific virus popping up in the last few days, e.g. on gentoo, manjaro and on slackware. This may happen because ClamAV uses hashes on files or file sections, and there may be collisions. In other words: The virus detection strategy used by ClamAV (and most commercial virus scanners) is error-prone.

edit flag offensive delete link more

Comments

Thanks for the info.I followed your instructions and the results are the same as what you've indicated here. maybe it's a false alarm though it's weird that I can't do anything to the file. By the way do you think this is a new virus? I also checked other sources and it seems there's no direct answer yet on this issue. Hope it's just a false alarm from ClamAV. Thanks again

Speedy gravatar imageSpeedy ( 2018-07-16 13:03:08 -0500 )edit

I don't think this is a virus at all, I guess it is a false alarm. It is quite unlikely that different packages on different distributions are affected at the same time by a real infection. Anyway, I'm not an expert on this.

If you're still unsure, try to contact the ClamAV developers: https://www.clamav.net/, go through their bugzilla reports or mailing lists.

If VirusTotal says it's not a virus, it quite certainly isn't. These packages have been updated months ago (around Feb 09 2018, probably during the last mass rebuild). A virus would have been detected by now

genodeftest gravatar imagegenodeftest ( 2018-07-16 16:44:00 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

2 followers

Stats

Asked: 2018-07-15 11:33:52 -0500

Seen: 167 times

Last updated: Jul 16 '18