ClamTK Analysis

26 replies to this topic

#1 pcpunk (Members, 5,301 posts, Florida)
Posted 01 July 2015 - 03:44 AM

Will you guys explain how to use the Analysis Function in ClamTK/AV?  Or is it even a useful tool, as in is it better just to look it up on the web?  

 

Here is what I ended up with tonight after scanning home /.

 

/home/chris/.cache/google-chrome/Default/Cache/f_010d36      PUA.Script.Packed-1                
/home/chris/.cache/google-chrome/Default/Cache/f_01041d      PUA.HTML.Exploit.CVE_2014_0322     
/home/chris/.cache/google-chrome/Default/Cache/f_0101b5      PUA.Http.Exploit.CVE_2015_1692     

sBCcBvM.png

Created by Mike_Walsh

 

KDE, Ruler of all Distro's

eps2.4_m4ster-s1ave.aes_pcpunk_leavemehere

#2 Al1000 (Global Moderator, 6,705 posts, Scotland)
Posted 01 July 2015 - 03:57 AM

I've never heard of this "analysis" function, but it looks like ClamAV has analysed these files and thinks they are malware.

So I would search the internet for the names of the files in conjunction with ClamAV, and/or upload them to VirusTotal.

#3 cat1092 "Bleeping Cat" (BC Advisor, 6,889 posts, North Carolina, USA)
Posted 01 July 2015 - 04:19 AM

I just quarantine these after scanning, they're likely tracking/ad cookies. 

 

Keep in mind that ClamTK is like SuperAntiSpyware on Windows, if you've ever used it, after each scan, you'll see several ad/tracking cookies, and can clean all in one sweep. 

 

If you're going to have ClamTK installed, you may as well use it to your advantage by quarantining the items. As you see, they're browser ones & won't impact your OS in any way. If you don't quarantine these, the list will grow longer & longer each time it's run, and it would be senseless to keep an app installed & ignore the results.

 

I run ClamTK every morning before shutting down the computer, and quarantine all items that are browser related, and have never had an issue. Seems that we've gone over ClamTK at least a dozen, if not more times. If you're going to run it & have issues with the results, then remove the app & be done with it. Otherwise quarantine these & move on. There is no harm in quarantining browser objects that you may pass along to another computer, in particular a Windows user on the same network. 

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#4 myrti "Sillyberry" (Malware Study Hall Admin, 33,681 posts)
Posted 01 July 2015 - 04:36 AM

Hi

Do you mean the upload to analyse function? If so, that is an option to upload a file if you think it has been detected/not detected in error.
The file will be reanalysed and possibly reclassified depending on whether it was truly detected/not detected in error.

The files you have listed above are definitely not cookies. I also don't think ClamAV detects cookies by default. What you have there is the detection of an exploit that was downloaded onto your system to see if you were vulnerable. Most likely it failed since we see no other files and the exploits are for Internet Explorer. :wink:

Regards
myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!


#5 TsVk! "penguin farmer" (Members, 6,230 posts, The Antipodes)
Posted 01 July 2015 - 05:03 AM

Windows malware still not working on Linux, after all this time.



#6 NickAu "Bleepin' Fish Doctor" (Moderator, 11,793 posts, Australia)
Posted 01 July 2015 - 05:23 AM

f50ccf6960325a30500300e716154bbc4a05918f



#7 cat1092 "Bleeping Cat" (BC Advisor, 6,889 posts, North Carolina, USA)
Posted 02 July 2015 - 12:00 AM

> Windows malware still not working on Linux, after all this time.

 

That must mean that Linux is doing something right! :thumbup2:

 

In 6+ years as a Linux user, over 6 of those on Linux Mint, I have never had an infected OS, only the items that ClamTK turns up, and an occasional Windows download that ESET for Linux will flag. There was one time that ESET also blocked a page from loading; it must have been really bad for this to happen on a Linux OS, though it's a daily issue if running Windows. Depending on which security is being run, if I stay on a Windows OS for more than a couple of hours, web pages will be blocked at some point.

 

That's the cool thing about Linux, and its best selling point: the ultra strong inbuilt security layers, even on the lightest distros.

 

And normally ClamTK will only show 4 to 6 threats at the most after hours of using the computer. I feel it's a good tool, if not, wouldn't have been running it for years & always seeking the latest version possible, yet it's not suitable for all purposes, though great to run before shutdown of the computer. I clean any threats that are browser related, shut down & go on. ESET is always scanning the entire filesystem, so I run a Smart Scan 2-3 times weekly. 

 

I maintain my position, if one is going to run a scan of the /home directory with ClamTK, and ignore the results, then just remove the software & go on, Linux has other inbuilt security, and we've discussed other options in the last couple of weeks, in particular, Sophos Antivirus for Linux, 100% Free. It's likely more powerful anyway, and like ClamTK, on demand scans are required to get the results. 

 

What I don't believe in the least is that any results that ClamTK shows mean the system is infected. Just things that should be cleaned to prevent spreading to others on the same network, in particular those who are running Windows.

 

Cat


#8 pcpunk, Topic Starter (Members, 5,301 posts, Florida)
Posted 02 July 2015 - 12:47 AM

> Hi
>
> Do you mean the upload to analyse function? If so, that is an option to upload a file if you think it has been detected/not detected in error.
> The file will be reanalysed and possibly reclassified depending on whether it was truly detected/not detected in error.
>
> The files you have listed above are definitely not cookies. I also don't think ClamAV detects cookies by default. What you have there is the detection of an exploit that was downloaded onto your system to see if you were vulnerable. Most likely it failed since we see no other files and the exploits are for Internet Explorer. :wink:
>
> Regards
> myrti

Yes myrti that is what I was asking, but it just says "Analyse" in my gui.  I thought it was just a quick/convenient way of looking these up to see what they are, thanks for the answer.  I understand your explanation but was a little confused at this part:  "detected/not"


#9 pcpunk, Topic Starter (Members, 5,301 posts, Florida)
Posted 02 July 2015 - 01:00 AM

> I run ClamTK every morning before shutting down the computer, and quarantine all items that are browser related, and have never had an issue.

That is what I was doing.

 

 

> Seems that we've gone over ClamTK at least a dozen, if not more times. If you're going to run it & have issues with the results, then remove the app & be done with it. Otherwise quarantine these & move on. There is no harm in quarantining browser objects that you may pass along to another computer, in particular a Windows user on the same network.
>
> Cat

I know this, the question was about the "Analyse" function.


#10 cat1092 "Bleeping Cat" (BC Advisor, 6,889 posts, North Carolina, USA)
Posted 02 July 2015 - 03:24 AM

To be honest, I don't use this function often, though when I just ran ClamTK a weird thing happened: during the scan I saw an ESET notification, and an earlier one 4 hours ago. ESET NOD32 for Linux intercepted some of the results & quarantined these immediately.

 

[Screenshot: ESET NOD32 Antivirus quarantine]

 

Here's the active protection, all 6 of these events were tonight. 

 

[Screenshot: ESET NOD32 Antivirus active protection events]

 

Note that these took place as the other scan was running; the quarantined files go back to 2011 when first seen by ESET. This has never happened before tonight on my computer.

 

Cat


#11 pcpunk, Topic Starter (Members, 5,301 posts, Florida)
Posted 03 July 2015 - 07:05 PM

You're saying it intercepted results of ClamAV, right?

 

This has nothing to do with the Analysis function right?


#12 cat1092 "Bleeping Cat" (BC Advisor, 6,889 posts, North Carolina, USA)
Posted 04 July 2015 - 01:36 AM

> You're saying it intercepted results of ClamAV, right?
>
> This has nothing to do with the Analysis function, right?

 

No, ESET intercepted the items of a ClamTK scan (a component of ClamAV), though note that the scan must complete before one can use the Analyze function. So even if I wanted to analyze these, these were already quarantined. Note that Al1000 verifies this (ClamTK being a GUI for ClamAV) to be the case on Post #36 in this Topic, where you were also a participant. 

 

http://www.bleepingcomputer.com/forums/t/566619/mint-kde-64bit-install/page-3

 

I have used the Analyze function from time to time, and the results were always hit or miss, often inconclusive or false positives. 

 

Just ran a scan, and used the Analyse function on all 6 threats found, and all turned up clean by the different scan engines, though not the same scan engines were listed for every threat. Yet I still quarantined them all, as I consider a threat a threat, after all, these are browser objects, not system files that we're speaking of & no harm done. At the very worst, all it could break is the browser, not the OS, though in over 6 years, have never seen this to happen. If these aren't threats, then ClamTK is a useless piece of software to be running. I don't know where they get their information from, how the app determines a threat to be one. Though I do also scan my /home directory weekly with ClamAV also, as well as ESET 2-3 times per week. 

 

As noted above, I did run the Analyse function & all turned up clean. Did yours do the same? You click onto the found threat & the option for Analyse is present. 

 

Cat


#13 cat1092 "Bleeping Cat" (BC Advisor, 6,889 posts, North Carolina, USA)
Posted 04 July 2015 - 01:47 AM

> Hi
>
> Do you mean the upload to analyse function? If so, that is an option to upload a file if you think it has been detected/not detected in error.
> The file will be reanalysed and possibly reclassified depending on whether it was truly detected/not detected in error.
>
> The files you have listed above are definitely not cookies. I also don't think ClamAV detects cookies by default. What you have there is the detection of an exploit that was downloaded onto your system to see if you were vulnerable. Most likely it failed since we see no other files and the exploits are for Internet Explorer. :wink:
>
> Regards
> myrti

 

myrti, Thanks for the correction of my posting of these being 'cookies', the reason why I posted this was due to misleading information years ago. 

 

On some of the dedicated Linux forums &, as stated, years ago, some members stated that running ClamTK was the equivalent of running SuperAntiSpyware on Windows. My bad for taking them at their word; at the same time I was a very new Linux user in 2009 & dependent on other users for answers.

 

Thanks for all that you do to keep us informed (& corrected when necessary). :)

 

Cat


#14 marcoose777 (Members, 63 posts)
Posted 04 July 2015 - 05:23 PM

> Will you guys explain how to use the Analysis Function in ClamTK/AV?  Or is it even a useful tool, as in is it better just to look it up on the web?
>
> Here is what I ended up with tonight after scanning home /.
>
> /home/chris/.cache/google-chrome/Default/Cache/f_010d36      PUA.Script.Packed-1
> /home/chris/.cache/google-chrome/Default/Cache/f_01041d      PUA.HTML.Exploit.CVE_2014_0322
> /home/chris/.cache/google-chrome/Default/Cache/f_0101b5      PUA.Http.Exploit.CVE_2015_1692

 

False positive:

PUA.Script.Packed-1

 

CVE_2014_0322:

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0313, CVE-2015-0315, and CVE-2015-0320.

 

If you have Adobe Flash for Linux and its version code is older than 11.2.202.442, guess what this one targets. It doesn't mention any privilege escalation, so damage will be limited to your home directory/partition. You can worry about it, you can uninstall Adobe Flash, or you can simply clean your web cache; the choice is yours. openSUSE CVE announcements rate it as a security annoyance.

 

CVE_2015_1692

Microsoft Internet Explorer 7 through 11 allows user-assisted remote attackers to read the clipboard contents via crafted web script, aka "Internet Explorer Clipboard Information Disclosure Vulnerability."

 

You don't have M$ Internet Explorer version 7-11 by any chance? I'd be surprised if you did, as it's in Chrome's cache. Then there's no need to worry; clean your web cache to be gone with you.

 

In future, if you're unsure then use Google for CVEs (Common Vulnerabilities and Exposures) or go here, then come back if you're unsure about the technical jargon. The PUA script was a simple Google search. With Linux you're expected to be a little self-help oriented, but if you don't ask questions then I guess you'll never learn.

 

You'll be pleased to know less tin foil is required for Unix-like OSes, as they have a small advantage over one other commercial OS in particular: they have user access control at the foundation by default. That's not the be-all, end-all though. Users can still deliberately install malware if they so choose. Also, Unix is just as prone to state snooping as any other OS; there is no magic armour there I'm afraid, they own the internetz.

 

:radioactive: :devil: Be Happy :devil: :radioactive:
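The triage marcoose777 walks through by hand (read the signature name, pull out the CVE it refers to, check whether the hit is just a browser-cache object, then look it up) and the VirusTotal step Al1000 and pcpunk mention can be scripted. The following is an added example, not code from the thread or from the ClamTK/ClamAV projects; it assumes result lines in the two shapes seen here (ClamTK's "path  signature" and clamscan's "path: signature FOUND"), the sample lines are constructed from pcpunk's post plus one made-up EICAR hit, and the browser-cache path markers are an assumption for a typical Linux home. It normalises ClamAV's `CVE_2014_0322` form to the public `CVE-2014-0322` form and hashes a file so it can be searched on VirusTotal by hash instead of uploading it.

```python
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the three result lines pcpunk posted
# (path, a run of spaces, signature name) plus one constructed line in the
# form the clamscan command-line tool prints ("path: Signature FOUND").
SAMPLE_RESULTS = """\
/home/chris/.cache/google-chrome/Default/Cache/f_010d36      PUA.Script.Packed-1
/home/chris/.cache/google-chrome/Default/Cache/f_01041d      PUA.HTML.Exploit.CVE_2014_0322
/home/chris/.cache/google-chrome/Default/Cache/f_0101b5      PUA.Http.Exploit.CVE_2015_1692
/home/chris/Downloads/eicar.com: Eicar-Test-Signature FOUND
"""

# ClamAV writes CVE ids with underscores inside signature names; the public
# form used by NVD, distro advisories and search engines uses hyphens.
CVE_IN_SIGNATURE = re.compile(r"CVE_(\d{4})_(\d{4,})")

# Assumption: browser cache directories on a typical Linux home; extend as needed.
BROWSER_CACHE_MARKERS = ("/.cache/google-chrome/", "/.cache/chromium/", "/.cache/mozilla/")


@dataclass
class Detection:
    path: str
    signature: str
    cve: Optional[str]        # normalised CVE id, if the signature names one
    pua: bool                 # "Potentially Unwanted Application" class, not confirmed malware
    in_browser_cache: bool    # hit lives in a browser cache, so clearing the cache removes it


def parse_result_line(line: str) -> Optional[Detection]:
    """Parse one ClamTK/clamscan result line; return None for blank or clean lines."""
    line = line.strip()
    if not line or line.endswith(" OK"):
        return None
    if line.endswith(" FOUND"):
        line = line[: -len(" FOUND")]
    parts = line.rsplit(None, 1)    # signature names contain no whitespace; paths may
    if len(parts) != 2:
        return None
    path, signature = parts
    path = path.rstrip(":")         # clamscan form ends the path with a colon
    match = CVE_IN_SIGNATURE.search(signature)
    cve = f"CVE-{match.group(1)}-{match.group(2)}" if match else None
    return Detection(
        path=path,
        signature=signature,
        cve=cve,
        pua=signature.startswith("PUA."),
        in_browser_cache=any(marker in path for marker in BROWSER_CACHE_MARKERS),
    )


def parse_results(text: str) -> List[Detection]:
    return [d for d in (parse_result_line(ln) for ln in text.splitlines()) if d is not None]


def file_hashes(path: str) -> dict:
    """SHA-1 and SHA-256 of a file, read in chunks so large files are fine.
    Either hash can be searched on VirusTotal without uploading the file itself."""
    sha1, sha256 = hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            sha1.update(chunk)
            sha256.update(chunk)
    return {"sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def lookup_hint(d: Detection) -> str:
    """One-line suggestion of what to look up for a hit, following the thread's advice."""
    if d.cve:
        return f"{d.signature}: look up {d.cve} (NVD / distro advisory) to see which platform it targets"
    return f"{d.signature}: search the signature name together with 'ClamAV', or search the file hash on VirusTotal"


def summarise(text: str) -> dict:
    """Counts a defender wants at a glance: how many hits are PUA-class and how many sit in a browser cache."""
    dets = parse_results(text)
    return {
        "total": len(dets),
        "pua": sum(d.pua for d in dets),
        "browser_cache": sum(d.in_browser_cache for d in dets),
        "cves": sorted({d.cve for d in dets if d.cve}),
    }


if __name__ == "__main__":
    for det in parse_results(SAMPLE_RESULTS):
        print(lookup_hint(det))
    print(summarise(SAMPLE_RESULTS))
```

On the sample, all three of pcpunk's hits come out as PUA-class objects inside the Chrome cache, two of them naming a CVE, which is exactly the picture marcoose777 describes: things to look up and clear from the cache, not evidence of a running infection. To use `file_hashes` on a real hit, point it at the file (or its copy in ClamTK's quarantine directory) and paste the SHA-256 into the VirusTotal search box.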



#15 pcpunk, Topic Starter (Members, 5,301 posts, Florida)
Posted 04 July 2015 - 06:40 PM

marcoose777, thanks very much marcoose, that was very informative. I am still learning how to find good info on all this stuff; I google it but don't know who to believe. I do however quarantine all this stuff, then delete if all is well. Still need to be able to use VirusTotal; I have done it once but don't understand it completely.

 

If I have quarantined a file and use VirusTotal, I will have to follow the path to the ClamAV quarantine file while on the VirusTotal site? So many file pathways to know to get all this stuff done. I was in Windows 7 the other day and needed to install some software and it was all done for me LOL, just click click, no actual knowledge needed.

 