possible unwanted files

My ClamAV is pointing to these particular files. Is there any reason for me to be concerned?
Can someone give me a clue?

Thanks

/doc/packages/libgphoto2/libgphoto2-api.html/jquery.js PUA.HTML.Exploit.CVE_2014_0322
/usr/lib64/efi/shim-opensuse.efi PUA.Win32.Packer.PrivateExeProte-7
/usr/lib64/efi/MokManager.efi PUA.Win32.Packer.PrivateExeProte-7
/usr/lib64/efi/shim.efi PUA.Win32.Packer.PrivateExeProte-7
/usr/lib64/wine/fakedlls/clock.exe PUA.Win32.Packer.PrivateExeProte-7
/usr/lib64/wine/fakedlls/user32.dll PUA.Win32.Packer.PrivateExeProte-7
/usr/lib64/wine/fakedlls/comctl32.dll PUA.Win32.Packer.PrivateExeProte-7
/usr/lib/wine/fakedlls/clock.exe PUA.Win32.Packer.PrivateExeProte-7
/usr/lib/wine/fakedlls/user32.dll PUA.Win32.Packer.PrivateExeProte-7
/usr/lib/wine/fakedlls/comctl32.dll PUA.Win32.Packer.PrivateExeProte-7

It’s a problem with the ClamAV signatures - they are giving false positives for files. FakeDLLs are required for Wine to work and the jquery is a false positive.

Some OS X users ran into similar issues just a few weeks ago.

IMO clamav should be used only to scan files that may go to a Windows machine. It should not be used as a general AV for Linux. Really it is not needed and is prone to false alerts.

The shim files are used to boot into EFI secure boot BIOS.

About every other blue moon I will scan my entire system. That is when I get my usual false positives, some of these files were listed the last time as well. I just had to be curious about them.

On 2014-07-16 00:06, mike7757 wrote:

> About every other blue moon I will scan my entire system. That is when I
> get my usual false positives, some of these files were listed the last
> time as well. I just had to be curious about them.

Just try a different antivirus and see if they complain on the same files.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

I also have Avast on my machine. I never rely on a single source. I am also in the curious mind about knowing for certain that my machine would not have a rootkit within itself. I don’t suspect that it does, but I wouldn’t mind knowing for sure. How does one know without a doubt?

On 2014-07-15 21:56, gogalthorp wrote:
>
> IMO clamav should be used only to scan files that may go to a Windows
> machine.

Or Wine. If it is not very clear how immune or not it is.

Also the EFI bootloader could become a target, because no matter what
operating system they end loading, they have to use, I understand, only
the UEFI API and files in that boot partition.

Thus probably a virus targeting Windows EFI loader could target as well
a Linux EFI loader. What they could do when the operating system
actually loads, I have no idea. I haven’t enough info.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Wine is NOT immune to a Windows virus but it cannot spread to Linux from Wine. Wipe Wine, reinstall and the virus is gone.

In any case it is simply not needed to scan the full system.

On 2014-07-16 18:46, gogalthorp wrote:
>
> Wine is NOT immune to a Windows virus but it cannot spread to Linux from
> Wine. Wipe Wine, reinstall and the virus is gone.

Maybe. But it can do damage, like erase data files, read sensitive
documents, etc.

The bad guys could one day target a malware on Wine.

> In any case it is simply not needed to scan the full system.

Probably not.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Since I just installed Wine and the 2 programs yesterday, I don’t suspect anything of them at this time. I have used these programs for years in my other OSes, never once was anything detected.

Going back to earlier questions…
Avast has picked up on ClamAv’s daily signature on 2 occasions, today being one of them. On both occasions I allowed the file to be deleted. Now my Avast gives me a clean bill of health. Also I re-update the daily signatures in ClamAv, then I did a thorough scan and it now gives me a clean bill of health, no false positives.

If a program does not in itself connect to the web or network it is pretty safe. Viruses don’t force their way in. Like vampires, you have to invite them :open_mouth:

On 2014-07-16 23:36, gogalthorp wrote:
>
> If a program does not in itself connect to the web or network it is
> pretty safe. Viruses don’t force their way in. Like vampires, you have to
> invite them :open_mouth:

There have been serious attacks with serious damage to isolated machines.
Infection vector unknown, probably social engineering to infect first a
usb stick that was later used on the target machine.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Members of the shoe network.

Point is that you have to actively do something to the machine to get a virus to load on an isolated machine. Now Windows used to be pretty bad because it would auto load programs on media insertion. Wonderful way to get a virus. Also auto running email attachments turned out to be a pretty bad idea. Then there is always ActiveX and program code embedded in a document. Really who thought that was a great idea. But in every case the user has to do something. Servers are a bit different since they actively are open to remote connections. But desktops generally are not. Also in Linux you must give permission for code to run. Anyway no real chance to have a virus on an isolated machine unless a human carries it to that machine.

On 2014-07-17 02:26, gogalthorp wrote:
>
> Members of the shoe network.
>
> Point is that you have to actively do something to the machine to get a
> virus to load on an isolated machine.

Absolutely! Many people do not understand that.

Although you can be fooled into doing it without really knowing.

> Now Windows used to be pretty bad
> because it would auto load programs on media insertion. Wonderful way to
> get a virus.

True.

> Also auto running email attachments turned out to be a
> pretty bad idea.

Awful, IMO.

> Then there is always ActiveX and program code embedded
> in a document. Really who thought that was a great idea.

Well, Adobe PDFs do, with JavaScript code, for many interesting reasons:
like form filling with verification and calculations. But can also be
used so that the document “phones home” to tell them what IP is reading
it (and login name, and who knows what). Can be abused, and even if not
a virus, dangerous.

> But in every
> case the user has to do something. Servers are a bit different since
> they actively are open to remote connections. But desktops generally are
> not. Also in Linux you must give permission for code to run. Anyway no
> real chance to have a virus on an isolated machine unless a human
> carries it to that machine.

True.

But humans are good at finding ways. Like subverting one of the persons
in the maintenance staff, anywhere from software design shop to on site
technician.

Windows people are more vulnerable. For instance, most of the software
they use is payware, so they look at alternatives. And one of them is
getting pirated copies, sometimes via emule or torrent, and these can
include trojans.

It is very different for us, in Linux, that we can just pick a
repository from the OBS and get about anything for free.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

You brought a curious thought to my mind. How can a person discover if a program is reporting to home?

On 2014-07-17 16:36, mike7757 wrote:
>
> gogalthorp;2654357 Wrote:
>> If a program does not in itself connect to the web or network it is
>> pretty safe. Viruses don’t force their way in. Like vampires, you have to
>> invite them :open_mouth:

> You brought a curious thought to my mind. How can a person discover if a
> program is reporting to home?

That’s a good one… I don’t know of a sure tell-tale.

If you happen to be on a metered internet connection, you watch the
network “meter” closely. If not actually needed, you disconnect. So if,
when you start a program in that circumstance, it complains of no
network, you immediately suspect. If connected, and you see activity,
you also suspect. At first, nothing malicious, just “curious”, find out
what it does.

So you can start a tool like “iptraf” to see connections. Or you can use
the “ntop” daemon, very nice and powerful, but it is more about statistics
than figuring out actual connections. But it will have a days long
record (less detailed with time and lots of activities, obviously).

When the suspicion is getting founded, you run instead “wireshark” aka
“ethereal”, and start that program. It will record all traffic. You can
also use tcpdump in the CLI. Once you have a dump, you analyse it
closely…

There are some possibilities for blocking the phone home call. The one I
knew was with iptables. There appears to be another one with AppArmor,
but this particular one I’m not sure how to use it.

There was a recent thread on the subject. This instant I don’t remember
the conclusion, and I’m on a different computer, difficult to track. I
think the OP was going to try some suggestion.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))
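The post above ends with “once you have a dump, you analyse it closely”. The script below is an added example of that step, not code from the thread or from any of the tools it names: it parses the text that tcpdump prints with `-n -tttt` (an assumed invocation; the sample lines are constructed, not a real capture) and summarises, for one local address, which destinations received new connections (pure SYN), how many payload bytes went to each, and which DNS names were looked up. Run on a dump taken while starting a suspect program, the busiest unexpected destination is the first thing to investigate.

```python
import re
from collections import defaultdict

# Constructed sample in the text format tcpdump prints with `-n -tttt` (not a real capture).
SAMPLE_DUMP = """\
2014-07-17 19:40:01.000123 IP 192.168.1.10.51234 > 93.184.216.34.443: Flags [S], seq 1000, win 64240, length 0
2014-07-17 19:40:01.010456 IP 93.184.216.34.443 > 192.168.1.10.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0
2014-07-17 19:40:01.020789 IP 192.168.1.10.51234 > 93.184.216.34.443: Flags [P.], seq 1001:1518, ack 2001, win 64240, length 517
2014-07-17 19:40:05.000001 IP 192.168.1.10.51235 > 93.184.216.34.443: Flags [S], seq 3000, win 64240, length 0
2014-07-17 19:40:09.000002 IP 192.168.1.10.40000 > 192.168.1.1.53: 12345+ A? updates.example.invalid. (41)
2014-07-17 19:40:12.000003 IP 192.168.1.10.51236 > 198.51.100.7.8080: Flags [S], seq 4000, win 64240, length 0
2014-07-17 19:40:12.000004 IP 192.168.1.10.51236 > 198.51.100.7.8080: Flags [P.], seq 4001:4101, ack 1, win 64240, length 100
"""

# One TCP packet line: source, destination, TCP flags and payload length.
TCP_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\].*?length (?P<length>\d+)"
)
# One DNS query line (A or AAAA) sent to port 53.
DNS_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \d+\.\d+\.\d+\.\d+\.53: \d+\+? (?:A|AAAA)\? (?P<name>\S+)"
)


def summarize_outbound(dump_text, local_ip):
    """Aggregate what local_ip talks to: per (dst, port) count new connections
    (SYN without ACK) and payload bytes sent; collect the DNS names it queried."""
    dests = defaultdict(lambda: {"syn": 0, "bytes": 0})
    dns_names = set()
    for line in dump_text.splitlines():
        m = TCP_RE.search(line)
        if m and m.group("src") == local_ip:
            key = (m.group("dst"), int(m.group("dport")))
            if m.group("flags") == "S":  # pure SYN: a new outbound connection attempt
                dests[key]["syn"] += 1
            dests[key]["bytes"] += int(m.group("length"))
            continue
        m = DNS_RE.search(line)
        if m and m.group("src") == local_ip:
            dns_names.add(m.group("name").rstrip("."))
    return dict(dests), dns_names


def report(dests, dns_names):
    """Human-readable summary, destinations with the most new connections first."""
    lines = [
        f"{ip}:{port}  new connections={c['syn']}  bytes sent={c['bytes']}"
        for (ip, port), c in sorted(dests.items(), key=lambda kv: -kv[1]["syn"])
    ]
    lines.extend(f"DNS query: {name}" for name in sorted(dns_names))
    return lines


if __name__ == "__main__":
    # Replace SAMPLE_DUMP with the contents of your own tcpdump text output.
    for line in report(*summarize_outbound(SAMPLE_DUMP, "192.168.1.10")):
        print(line)
```

Only packets sent from the local address are counted, so the inbound SYN-ACK in the sample is ignored; inbound traffic is a separate question. Feed it a real dump with `tcpdump -n -tttt -i <iface> > dump.txt` and pass the file’s text in place of the constructed sample.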

If I have to go by these few words, then I would have to say that I am in good shape. I have used these 2 programs for years on machines with no connection. Neither wished for a connection.

On 2014-07-17 19:46, mike7757 wrote:
>
> robin_listas;2654519 Wrote:
>> On 2014-07-17 16:36, mike7757 wrote:
>>>
>>> gogalthorp;2654357 Wrote:
>> If not actually needed, you disconnect. So if
>> when you start a program in that circumstance, and it complains of no
>> network, you immediately suspect.

> If I have to go by these few words, then I would have to say that I am
> in good shape. I have used these 2 programs for years on machines with
> no connection. Neither wished for a connection.

Ah, but being a sane paranoid⁽™⁾ you can’t go by that. The application
can just keep wisely silent and bide its chance… ;-p


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

I don’t mind being a sane paranoid, I think I will be in good company. LOL

I want to drag this topic back to the front page for a moment or two. I want to learn more about iptables and AppArmor. In anyone’s opinion, are the programs difficult or easy to configure?