Announcement

**SecretCode** · May 18, 2015, 10:45 AM

What were these 9 threats? I'm fascinated!

The taskbar issue sounds like things I've seen that sorted themselves out after an unknown number of attempts to fix (or passing of time). Have you rebooted?
Try setting it to "windows can go under", and then back again.
If all else fails, you might have to delete the panel and make a new one.

**GreyGeek** · May 18, 2015, 01:19 PM

Install rkhunter and chkrootkit from the repository and run them on your machine. (Ignore the Suckit false positive). Do they see the 9 infections?

**SteveRiley** · May 20, 2015, 10:55 PM

Originally posted by markslaw View Post

I ran a virus scan in the wee hours of the morning and found 9 threats.

Yes, do please provide more details. If you really do have some infections, that would be of great interest (my background is infosec).

Originally posted by GreyGeek View Post

Install rkhunter and chkrootkit from the repository and run them on your machine.

Installing these on an infected system is likely to be less than useful -- rootkits can hide from detectors. These tools work best when installed on a known clean machine since they look for deviations from the baseline, and the baseline can only be measured in a known clean state.

**SecretCode** · May 21, 2015, 07:39 AM

Originally posted by SteveRiley View Post

Installing these on an infected system is likely to be less than useful -- rootkits can hide from detectors. These tools work best when installed on a known clean machine since they look for deviations from the baseline, and the baseline can only be measured in a known clean state.

Can you run these tools from a live USB and bypass the "hiding"? Or is that not going to help?

**SteveRiley** · May 21, 2015, 11:06 AM

Originally posted by SecretCode View Post

Can you run these tools from a live USB and bypass the "hiding"? Or is that not going to help?

You can, but then they're running only in signature scanning mode, which means they will discover only what they already can detect. They won't be able to flag unknown but suspicious behavior.

**GreyGeek** · May 21, 2015, 03:03 PM

Originally posted by SteveRiley View Post

You can, but then they're running only in signature scanning mode, which means they will discover only what they already can detect. They won't be able to flag unknown but suspicious behavior.

Can an any AV detect what they don't have a signature for? I.E., if the malware' sig is not in the vaccine file.

http://www.rackspace.com/knowledge_c...-with-rkhunter

Neither rkhunter nor chkrootkit are necessarily better than the other and can easily be run at the same time, giving added defence measures and peace of mind.
As with chkrootkit, rkhunter is not an active defence method. It does not prevent exploits being placed on your Server but it will inform you if there is a suspected exploit. Again, as with chkrootkit, if you have been exploited then the only real option is to reinstall with a fresh image.

I use both, running as a crib job, to verify a possible infection. I've never found an infection. Since I started using Linux in 1998 I've never been infected or hacked, although several have tried. If I even suspected an infection I would wipe the drive and re-install.

**SteveRiley** · May 21, 2015, 03:10 PM

Originally posted by GreyGeek View Post

Can an any AV detect what they don't have a signature for? I.E., if the malware' sig is not in the vaccine file.

These tools aren't don't protect against viruses.

rkhunter:

scans for rootkits, backdoors and possible local exploits. It does this by comparing SHA-1 hashes of important files with known good ones in online databases, searching for default directories (of rootkits), wrong permissions, hidden files, suspicious strings in kernel modules, and special tests for Linux and FreeBSD.

chrootkit:

a shell script using common UNIX/Linux tools like the strings and grep commands to search core system programs for signatures and for comparing a traversal of the /proc filesystem with the output of the ps (process status) command to look for discrepancies.

Essentially, these tools look for deviations from known good defaults, with a little bit of preprogrammed awareness of certain malicious patterns.

**markslaw** · May 22, 2015, 10:29 PM

I agree. It has to be configuration. I've uninstalled flast, uninstalled firefox, disabled flash in chromium in the tools menu and it still sits there churning away. I'm almost ready to throw the thig against the wall! What are some possibilities besides flash being the culprit? What could I tweak that I haven't thought of yet?

Originally posted by Teunis

Surely Comodo has a log where the affected files are listed?
Did or do you have proprietary drivers like nVidia installed?

For me the symptoms look like the removal of some configuration file(s).

It would be good if someone takes the trouble to install and run it on the same software and see what's up.

**markslaw** · May 24, 2015, 09:31 AM

..

**SeijiSensei** · May 24, 2015, 09:54 PM

Originally posted by GreyGeek View Post

Can an any AV detect what they don't have a signature for?

Modern AV software like Comodo usually includes "heuristic" routines that look for other clues beside just signature strings.

Comodo AntiVirus employs various heuristic techniques to identify previously unknown viruses and Trojans. 'Heuristics' describes the method of analyzing the code of a file to ascertain whether it contains code typical of a virus. If it is found to do so then the application deletes the file or recommends it for quarantine. Heuristics is about detecting virus-like behavior or attributes rather than looking for a precise virus signature that matches a signature on the virus blacklist.

I'd be curious to see the list of "threats" as well, markslaw.

**GreyGeek** · May 25, 2015, 11:52 AM

Originally posted by SeijiSensei View Post

Modern AV software like Comodo usually includes "heuristic" routines that look for other clues beside just signature strings.

I'd be curious to see the list of "threats" as well, markslaw.

And the rate of occurance of false positives.

**markslaw** · May 25, 2015, 12:22 PM

Sure. Here's the list of threats Comodo identified:

First time, Comodo found nine, this time six. None since then. Not really sure what that means except that I'm not running Windoze, in which case, there would be about 35 per day!

**GreyGeek** · May 25, 2015, 02:56 PM

That's a Windows Trojan.
http://www.symantec.com/security_res...011016-3514-99
Do you have installed WINE on your Linux partition?
If not the exe file cannot be executed. Perhaps a Java applet on a website you visited saved it but couldn't execute it.

What at about the possibility that Comodo is "salting the mine"?

**claydoh** · May 25, 2015, 04:43 PM

I find it interesting, if I am guessing some of the file paths correctly (~/.local/share/akonadi/), that it is finding some of these in the akonadi database, but not in an actual email. If akonadi indexed some malware code, it would also be present in the message itself and seen by the scanner, right?

Announcement

this is weird!

this is weird!

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment