clamav shows your files with virus

Forum for getting help with Project Gamera, Spamassassin, Clamav, qmail-scanner and other anti-spam tools.
mneese
Forum Regular
Posts: 218
Joined: Thu Apr 23, 2009 12:08 pm

clamav shows your files with virus

Unread post by mneese »

I have set up for yum repository and installed your clamav as well as your mod_security. The mod_security rules were downloaded from delayed rules at:

http://downloads.prometheus-group.com/delayed/rules/

clamscan shows the domain-blacklist.txt file (mod_security rules) as well as an extended amount of the clamscan files themselves with viruses.

Is this clamscan functioning correctly? Downloaded through your repository system, are there issues or are 50+ files reported with virus correct? Are the mod_security rules safe?
mikeshinn
Atomicorp Staff - Site Admin
Posts: 4149
Joined: Thu Feb 07, 2008 7:49 pm
Location: Chantilly, VA

Re: clamav shows your files with virus

Unread post by mikeshinn »

The rules are safe, but you really should post the output of your clamscan. If you mean it's showing things like this:

MBL_37439.UNOFFICIAL FOUND

Yes, that's normal - because those same rules are also replicated in the domain and malware blacklists. The MBL is a malware blacklist and there is overlap between the two.

Or something like this:

PHP.ShellExec.Web-downloader.ASL.190703202513.UNOFFICIAL FOUND

Yes, that's also because the modsec rules and our clamav rules share the same base - it's the same signatures in different formats.

Try running any antivirus product against its own files, you'll see the same things.
mneese
Forum Regular
Posts: 218
Joined: Thu Apr 23, 2009 12:08 pm

Re: clamav shows your files with virus

Unread post by mneese »

Okay, I am getting the similar response, and I have downloaded the files to my computer and ran the ESET virus scan on these files and they pass ok, so they should be all right.

/etc/httpd/modsecurity.d/domain-blacklist.txt: MBL_37439.UNOFFICIAL FOUND
Thu May 7 14:12:43 2009 -> /etc/httpd/modsecurity.d/malware-blacklist-high.txt: MBL_62039.UNOFFICIAL FOUND
Thu May 7 14:12:43 2009 -> /etc/httpd/modsecurity.d/malware-blacklist.txt: MBL_102618.UNOFFICIAL FOUND
Thu May 7 14:12:43 2009 -> /etc/httpd/modsecurity.d/modsec-2.5-free-latest.tar.gz: MBL_62039.UNOFFICIAL FOUND
Thu May 7 14:12:44 2009 -> /etc/httpd/modsecurity.d/modsec/domain-blacklist.txt: MBL_37439.UNOFFICIAL FOUND
Thu May 7 14:12:44 2009 -> /etc/httpd/modsecurity.d/modsec/malware-blacklist-high.txt: MBL_62039.UNOFFICIAL FOUND
Thu May 7 14:12:44 2009 -> /etc/httpd/modsecurity.d/modsec/malware-blacklist.txt: MBL_102618.UNOFFICIAL FOUND

Thanks for the fine repository system and protection you offer. When I finally get this VPS squared away I shall look into the active subscription. I am new to webservers and such, and my hesitation is "do I really want to handle this stuff" or just have websites on shared hosting plans? Until I am fully committed, I will look to the mod_security delayed plan. Thanks.
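
A triage sketch for the clamscan output discussed in this thread, added here as an example and not part of the original posts or of Atomicorp's tooling: it separates .UNOFFICIAL matches on files inside the rule directory (signature data matching itself) from hits anywhere else, which still need a look. The SIGNATURE_DIRS allowlist, the function names and the last two sample lines are assumptions made for illustration.

```python
import re
from pathlib import PurePosixPath

# Assumption: directories on this host that hold signature/rule data.
# The path is the one shown in the thread's clamscan output.
SIGNATURE_DIRS = (PurePosixPath("/etc/httpd/modsecurity.d"),)

# A hit line is "<path>: <signature> FOUND", optionally preceded by a
# log timestamp such as "Thu May 7 14:12:43 2009 -> ".
LINE_RE = re.compile(r"^(?:.*? -> )?(?P<path>/.*?): (?P<sig>\S+) FOUND$")

def parse_hit(line):
    """Return (path, signature) for a FOUND line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return (PurePosixPath(m["path"]), m["sig"]) if m else None

def classify(path, sig):
    """'expected' only for a third-party signature hitting a rule file."""
    in_rules = any(d == path or d in path.parents for d in SIGNATURE_DIRS)
    if in_rules and sig.endswith(".UNOFFICIAL"):
        return "expected"
    return "investigate"

def triage(lines):
    """Group every FOUND line under 'expected' or 'investigate'."""
    report = {"expected": [], "investigate": []}
    for line in lines:
        hit = parse_hit(line)
        if hit:
            report[classify(*hit)].append((str(hit[0]), hit[1]))
    return report

# First three lines are from the thread; the last two are constructed.
SAMPLE = [
    "/etc/httpd/modsecurity.d/domain-blacklist.txt: MBL_37439.UNOFFICIAL FOUND",
    "Thu May 7 14:12:43 2009 -> /etc/httpd/modsecurity.d/malware-blacklist-high.txt: MBL_62039.UNOFFICIAL FOUND",
    "Thu May 7 14:12:44 2009 -> /etc/httpd/modsecurity.d/modsec/malware-blacklist.txt: MBL_102618.UNOFFICIAL FOUND",
    "/var/www/html/upload/x.php: PHP.ShellExec.Web-downloader.ASL.190703202513.UNOFFICIAL FOUND",
    "/etc/httpd/conf/httpd.conf: OK",
]

if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE).items():
        for path, sig in hits:
            print(f"{bucket:12} {path}  {sig}")
```

Allowlisting by path only makes sense if the rule directory is writable by root alone; a hit on a file you did not install there still belongs in the "investigate" pile.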