    this is weird!

    I ran a virus scan in the wee hours of the morning and found 9 threats. When I woke up and sat down, I had Comodo quarantine them and rebooted. Done and done, right? Wrong. After I rebooted, the taskbar disappears and only reappears when I've got an application maximized. I had thought that part of the problem might be the "show desktop" icon on the taskbar, so I deleted it. No dice. Plus, when I can see it, it's covering up the top row of desktop icons (see screenshot). Clicking on "always visible" under taskbar settings does nothing. What am I missing? Thanks.


    [Screenshot attached: snapshot3.jpg]

    #2
    What were these 9 threats? I'm fascinated!

    The taskbar issue sounds like things I've seen that sorted themselves out after an unknown number of attempts to fix (or passing of time). Have you rebooted?
    Try setting it to "windows can go under", and then back again.
    If all else fails, you might have to delete the panel and make a new one.
    I'd rather be locked out than locked in.



      #3
      Install rkhunter and chkrootkit from the repository and run them on your machine. (Ignore the Suckit false positive). Do they see the 9 infections?
      "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
      – John F. Kennedy, February 26, 1962.

      Comment


        #4
        Originally posted by markslaw View Post
        I ran a virus scan in the wee hours of the morning and found 9 threats.
        Yes, do please provide more details. If you really do have some infections, that would be of great interest (my background is infosec).

        Originally posted by GreyGeek View Post
        Install rkhunter and chkrootkit from the repository and run them on your machine.
        Installing these on an infected system is likely to be less than useful -- rootkits can hide from detectors. These tools work best when installed on a known clean machine since they look for deviations from the baseline, and the baseline can only be measured in a known clean state.



          #5
          Originally posted by SteveRiley View Post
          Installing these on an infected system is likely to be less than useful -- rootkits can hide from detectors. These tools work best when installed on a known clean machine since they look for deviations from the baseline, and the baseline can only be measured in a known clean state.
          Can you run these tools from a live USB and bypass the "hiding"? Or is that not going to help?
          I'd rather be locked out than locked in.



            #6
            Originally posted by SecretCode View Post
            Can you run these tools from a live USB and bypass the "hiding"? Or is that not going to help?
            You can, but then they're running only in signature scanning mode, which means they will discover only what they already can detect. They won't be able to flag unknown but suspicious behavior.



              #7
              Originally posted by SteveRiley View Post
              You can, but then they're running only in signature scanning mode, which means they will discover only what they already can detect. They won't be able to flag unknown but suspicious behavior.
              Can any AV detect what they don't have a signature for? I.e., if the malware's sig is not in the vaccine file.

              http://www.rackspace.com/knowledge_c...-with-rkhunter
              Neither rkhunter nor chkrootkit are necessarily better than the other and can easily be run at the same time, giving added defence measures and peace of mind.
              As with chkrootkit, rkhunter is not an active defence method. It does not prevent exploits being placed on your Server but it will inform you if there is a suspected exploit. Again, as with chkrootkit, if you have been exploited then the only real option is to reinstall with a fresh image.
              I use both, running as a cron job, to verify a possible infection. I've never found an infection. Since I started using Linux in 1998 I've never been infected or hacked, although several have tried. If I even suspected an infection I would wipe the drive and re-install.
              Last edited by GreyGeek; May 21, 2015, 03:09 PM.
              "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
              – John F. Kennedy, February 26, 1962.



                #8
                Originally posted by GreyGeek View Post
                Can any AV detect what they don't have a signature for? I.e., if the malware's sig is not in the vaccine file.
                These tools don't protect against viruses.

                rkhunter:
                scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.
                chkrootkit:
                a shell script using common UNIX/Linux tools like the strings and grep commands to search core system programs for signatures and for comparing a traversal of the /proc filesystem with the output of the ps (process status) command to look for discrepancies.
                Essentially, these tools look for deviations from known good defaults, with a little bit of preprogrammed awareness of certain malicious patterns.

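To make the two checks described in the posts above concrete, here is an added example (my own illustration, not code from this thread and not the actual rkhunter or chkrootkit sources): a baseline of SHA-1 hashes taken on a known-clean system and later compared against the live files, plus a comparison of the PIDs the kernel exposes under `/proc` against the PIDs `ps` reports. The sample files and PID sets are constructed inside the script; the only external assumption is a POSIX `ps` that accepts `-e -o pid=`, and the live `/proc` check only runs where `/proc` exists.

```python
import hashlib
import os
import subprocess
import tempfile
from typing import Dict, Iterable, Set


def sha1_of_file(path: str) -> str:
    """Hex SHA-1 of a file, read in 64 KiB chunks so large binaries stay out of memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Map path -> SHA-1 for every listed file that exists.
    Only meaningful when recorded on a known-clean system: a baseline taken
    after a compromise simply enshrines the tampered files as 'good'."""
    return {p: sha1_of_file(p) for p in paths if os.path.isfile(p)}


def compare_to_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, str]:
    """Classify each path as 'ok', 'modified', 'missing' (baselined, gone now)
    or 'unexpected' (present now, never baselined)."""
    report: Dict[str, str] = {}
    for path, digest in baseline.items():
        if path not in current:
            report[path] = "missing"
        elif current[path] != digest:
            report[path] = "modified"
        else:
            report[path] = "ok"
    for path in current:
        if path not in baseline:
            report[path] = "unexpected"
    return report


def hidden_pids(proc_pids: Set[int], ps_pids: Set[int]) -> Set[int]:
    """PIDs present in /proc that ps did not report.
    A userland rootkit that patches ps or libc typically hides itself this way;
    a kernel rootkit can lie to both views, so an empty result proves nothing.
    Processes that exit between the two snapshots are a common false positive."""
    return proc_pids - ps_pids


def pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """Every numeric directory name under /proc is a PID the kernel admits to."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps() -> Set[int]:
    """PIDs as reported by the ps binary (assumes a POSIX ps accepting -e -o pid=)."""
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True, text=True, check=True).stdout
    return {int(tok) for tok in out.split() if tok.isdigit()}


def demo_baseline() -> Dict[str, str]:
    """Constructed scenario in a temp dir (sample data, not real system binaries):
    baseline 'ls' and 'ps', then tamper with 'ls', delete 'ps', add an unbaselined 'netstat'."""
    with tempfile.TemporaryDirectory() as tmp:
        ls, ps, netstat = (os.path.join(tmp, n) for n in ("ls", "ps", "netstat"))
        for path in (ls, ps):
            with open(path, "wb") as fh:
                fh.write(b"pretend this is the original binary\n")
        baseline = build_baseline([ls, ps])
        with open(ls, "ab") as fh:
            fh.write(b"appended bytes\n")          # 'ls' is now modified
        os.remove(ps)                               # 'ps' is now missing
        with open(netstat, "wb") as fh:
            fh.write(b"a file that was never baselined\n")
        current = build_baseline([ls, ps, netstat])
        report = compare_to_baseline(baseline, current)
        return {os.path.basename(p): verdict for p, verdict in report.items()}


if __name__ == "__main__":
    print("baseline check:", demo_baseline())
    print("hidden-pid check on constructed sets:", hidden_pids({1, 2, 4242}, {1, 2}))
    if os.path.isdir("/proc"):  # live comparison only on hosts that expose /proc
        print("hidden pids on this host:", hidden_pids(pids_from_proc(), pids_from_ps()))
```

The baseline half is why SteveRiley's point matters: `compare_to_baseline` can only report deviations from whatever `build_baseline` recorded, so the record has to come from a clean install (or from vendor package checksums) rather than from the machine under suspicion. The `/proc`-versus-`ps` half shows why running from a live USB changes what you learn: booted from clean media there is no running rootkit to hide processes, so only the file-hash comparison is informative there.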


                  #9
                  I agree. It has to be configuration. I've uninstalled flash, uninstalled firefox, disabled flash in chromium in the tools menu and it still sits there churning away. I'm almost ready to throw the thing against the wall! What are some possibilities besides flash being the culprit? What could I tweak that I haven't thought of yet?

                  Originally posted by Teunis
                  Surely Comodo has a log where the affected files are listed?
                  Did or do you have proprietary drivers like nVidia installed?

                  For me the symptoms look like the removal of some configuration file(s).

                  It would be good if someone takes the trouble to install and run it on the same software and see what's up.



                    #10
                    ..
                    Last edited by markslaw; May 24, 2015, 09:36 AM.



                      #11
                      Originally posted by GreyGeek View Post
                      Can an any AV detect what they don't have a signature for?
                      Modern AV software like Comodo usually includes "heuristic" routines that look for other clues beside just signature strings.
                      Comodo AntiVirus employs various heuristic techniques to identify previously unknown viruses and Trojans. 'Heuristics' describes the method of analyzing the code of a file to ascertain whether it contains code typical of a virus. If it is found to do so then the application deletes the file or recommends it for quarantine. Heuristics is about detecting virus-like behavior or attributes rather than looking for a precise virus signature that matches a signature on the virus blacklist.
                      I'd be curious to see the list of "threats" as well, markslaw.



                        #12
                        Originally posted by SeijiSensei View Post
                        Modern AV software like Comodo usually includes "heuristic" routines that look for other clues beside just signature strings.


                        I'd be curious to see the list of "threats" as well, markslaw.
                        And the rate of occurrence of false positives.
                        "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
                        – John F. Kennedy, February 26, 1962.



                          #13
                          Sure. Here's the list of threats Comodo identified:

                          [Screenshot attached: snapshot4.jpg]

                          First time, Comodo found nine, this time six. None since then. Not really sure what that means except that I'm not running Windoze, in which case, there would be about 35 per day!
                          Last edited by markslaw; May 25, 2015, 12:24 PM.



                            #14
                            That's a Windows Trojan.
                            http://www.symantec.com/security_res...011016-3514-99
                            Do you have WINE installed on your Linux partition?
                            If not the exe file cannot be executed. Perhaps a Java applet on a website you visited saved it but couldn't execute it.

                            What about the possibility that Comodo is "salting the mine"?
                            Last edited by GreyGeek; May 25, 2015, 03:06 PM.
                            "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people."
                            – John F. Kennedy, February 26, 1962.



                              #15
                              I find it interesting, if I am guessing some of the file paths correctly (~/.local/share/akonadi/), that it is finding some of these in the akonadi database, but not in an actual email. If akonadi indexed some malware code, it would also be present in the message itself and seen by the scanner, right?
