clamav scan found 3 infected files, curious what they are

I installed clamav from yast just to see if it would pick anything up, broken, infected on opensuse 12.1?
I followed the article http://wiki.clamav.net/bin/view/Main/SuSEInstall

Here are my results :

linux-fjj3:/ # /bin/su
linux-fjj3:/ # freshclam
ClamAV update process started at Tue Jan  3 05:14:31 2012
main.cvd is up to date (version: 54, sigs: 1044387, f-level: 60, builder: sven)
daily.cvd is up to date (version: 14229, sigs: 59412, f-level: 63, builder: arnaud)
bytecode.cvd is up to date (version: 159, sigs: 38, f-level: 63, builder: edwin)
linux-fjj3:/ # clamscan -i -r --detect-broken 
/home/suse1/Desktop/Opensuse 12.1 KDE4/DualBoots/grub4dos-0.4.3/bootlace.com: Heuristics.Broken.Executable FOUND

The line "/home/suse1/Desktop/Opensuse 12.1 KDE4/DualBoots/grub4dos-0.4.3/bootlace.com: Heuristics.Broken.Executable FOUND"
showed for a while, then disappeared, resulting in all the LibClamAV warning text below.

I condensed this LibClamAV warning part; it went on and on…

LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4072 bytes @ offset 24, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4091 bytes @ offset 5, got 0
WARNING: Can't open file /sys/module/drm_kms_helper/uevent: Permission denied



----------- SCAN SUMMARY -----------
Known viruses: 1102570
Engine version: 0.97.3
Scanned directories: 25673
Scanned files: 145473
Infected files: 3
Total errors: 694
Data scanned: 6684.73 MB
Data read: 7470.37 MB (ratio 0.89:1)
Time: 283.426 sec (4 m 43 s)

thanks
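An added example, not part of the original post: assuming the scan output was saved to a file, this script pulls the `FOUND` lines out from under the warning noise, labels each as a heuristic or a signature match, and compares the count with the summary. The function names and the second detection in the sample log are constructed for illustration.

```sh
#!/bin/sh
# Added example: triage saved clamscan output. Function names and the sample
# log are constructed for illustration; they are not part of ClamAV.

# Emit "signature<TAB>path" for each detection line ("<path>: <signature> FOUND").
list_found() {
    awk '/ FOUND$/ {
        line = $0
        sub(/ FOUND$/, "", line)
        n = split(line, parts, ": ")      # signature follows the last ": "
        sig = parts[n]
        path = substr(line, 1, length(line) - length(sig) - 2)
        printf "%s\t%s\n", sig, path
    }' "$1"
}

# Label each detection: Heuristics.* names come from engine heuristics
# (Heuristics.Broken.Executable is what --detect-broken reports); anything
# else is a match against a database signature.
classify_found() {
    list_found "$1" | awk -F'\t' '{
        kind = ($1 ~ /^Heuristics\./) ? "heuristic" : "signature"
        printf "%s\t%s\t%s\n", kind, $1, $2
    }'
}

count_found()         { list_found "$1" | awk 'END { print NR }'; }
count_read_warnings() { awk '/fmap_readpage: pread fail/ { n++ } END { print n + 0 }' "$1"; }
summary_infected()    { awk -F': ' '/^Infected files:/ { print $2 }' "$1"; }

# Constructed sample: the FOUND line and warnings quoted in the post, plus one
# made-up detection so both classes appear.
write_sample_log() {
    cat > "$1" <<'EOF'
/home/suse1/Desktop/Opensuse 12.1 KDE4/DualBoots/grub4dos-0.4.3/bootlace.com: Heuristics.Broken.Executable FOUND
LibClamAV Warning: fmap_readpage: pread fail: asked for 4077 bytes @ offset 19, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4094 bytes @ offset 2, got 0
LibClamAV Warning: fmap_readpage: pread fail: asked for 4072 bytes @ offset 24, got 0
WARNING: Can't open file /sys/module/drm_kms_helper/uevent: Permission denied
/tmp/constructed/attachment.bin: Constructed.Example.Signature FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
EOF
}

log=$(mktemp)
write_sample_log "$log"
classify_found "$log"
echo "listed: $(count_found "$log")  summary: $(summary_infected "$log")  read warnings: $(count_read_warnings "$log")"
rm -f "$log"
```

If the listed count is lower than the summary's "Infected files" value, some detection lines were not captured in the saved output.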

You should search for other threads about people who thought that clamav is something to let loose on Linux files. Else a lot of us have to tell again that you should not do this nonsense.

Only use it when your system regularly receives and sends files from and to Windows systems (like when you run a mail-server). You can only protect Windows systems with clamav and friends, because they only know about Windows viruses.

Best advice: de-install it and stop worrying.

I am going to remove ClamAV. Will the removal of clamav from yast also remove the antivirus update I did as well? I was just curious since I do have thunderbird and receive emails from Windows users and also network through samba with my other Windows systems… Also use linuxreader.exe… The Windows systems do have antivirus and firewall software.

thanks

As well as detecting MS Windows viruses, clamav also flags phishing e-mail. I use it, together with spam defences, on my local mail server.

Some mail clients (e.g. KMail) can use an installed clamav to filter incoming messages. This can be useful as part of your spam filter settings, and in helping avoid inadvertently relaying malware to others who may be susceptible.
The virus table update is called freshclam and is part of the clamav package. clamav-db is only used as a starting point in the case of freshclam not being started.

It is just pointless using an A-V to scan non-MS filesystems.

When the RPM is built correctly, de-installing it will remove all files that are part of the package. I guess (but am of course not sure) that the updates go into files that already have virus descriptions and that came with the package. Thus when these files are removed by the de-install, the changes to these files will go with them. But that is the theory. OTOH one or two of those files left behind will not fill up your disk and when you do a reinstall of a next openSUSE level in a year or so, you will start with a fresh clean situation anyhow.

And yes, I guess it is a good idea to let those Windows systems protect themselves against the Windows targeting viruses.

And remember, you may receive e-mails with Windows viruses (and other malware), but they will not do anything bad to your Linux system. Particularly if you do not open HTML mails as such automatically, but only if you trust the sender. And even then, things would not be executable in your Linux system (ever tried to run a Windows executable on your Linux?). And even then it will at the most ruin your personal data and not the system (as long as you do not read your mail as root of course).