Hi there,
On Sat, 3 Oct 2020, Andrew C Aitchison via clamav-users wrote:
> On Sat, 3 Oct 2020, Mat via clamav-users wrote:
>
>> This removal(post infection) I am talking about on Linux platforms.
>
> To the best of my knowledge, ClamAV does not *remove* any malware.
>
> It is usually used to detect malware *prior* to infection;
> and I do not think that much effort has been made to teach it
> to detect infected systems (please tell me if I am wrong).
No, you're not wrong but it isn't black and white. As I said there is
a facility which can remove (or move) files which ClamAV identifies as
suspect but that's a long way from "removing ransomware". In the 21st
century malware is much more capable than it was in the early days and
a lot of it goes to quite a bit of trouble to make itself persistent.
Simply deleting a file or two is unlikley to be successful. You might
be lucky, but how do you know something stealthy wasn't left behind?
And if you happen to delete a perfectly innocent file because ClamAV
identified it falsely as malicious you can break the system.
Over twenty years ago I saw intrusions into Linux boxes where several
different binaries in the system were modified, so that if one file
was removed by root on the running system, by the time the next file
could be found and removed the first one had been re-infected. The
infected system files hid the processes that the malware used. Even
if you did delete all the infected files, the system would no longer
operate because the infected files were essential system binaries.
Those systems were infected because they were running an FTP server
which was vulnerable, but the really exasperating thing was that they
hadn't needed to run an FTP server. No FTP data was available, and
they shouldn't have been listening for FTP connections at all.
The way to deal with that kind of thing is to shut the system down and
very thoroughly inspect it, using a trusted system, and preferably do
a fresh installation. With malware now starting to affect firmware on
motherboards and in mass storage devices, even that isn't guaranteed
to fix the problem.
If ransomware has actually encrypted files on a system then ClamAV has
no facility to attempt to recover them. Indeed if the ransomware has
been coded carefully, then with current technology it is probably not
feasible to recover the encrypted files without the key for which you
have been asked to pay. That's one of the reasons so many people say
how important it is to make regular backups - and also to test them -
and not to run services that aren't required, and to keep up-to-date
with security patches, and all that other good stuff.
--
73,
Ged.
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml