[clamav-users] WARNING: clamav quarantined libcurl.so.4.5.0 and broke a bunch of hosts
Others should be aware that last night our nightly ClamAV scan
quarantined /usr/lib64/libcurl.so.4.5.0 and also a copy inside of Matlab
2019 commercial software on all of our RHEL 8.5 (brand new release)
systems. This broke all sorts of things on our hosts, including DNF/yum
which uses curl.

/usr/lib64/libcurl.so.4.5.0: Unix.Trojan.Coinminer-9910195-0 FOUND

Jeff
Re: [clamav-users] WARNING: clamav quarantined libcurl.so.4.5.0 and broke a bunch of hosts
Hi there,

On Thu, 18 Nov 2021, Jeff Blaine via clamav-users wrote:

> Others should be aware that last night our nightly ClamAV scan quarantined
> /usr/lib64/libcurl.so.4.5.0 and also a copy inside of Matlab 2019 commercial
> software on all of our RHEL 8.5 (brand new release) systems. This broke all
> sorts of things on our hosts, including DNF/yum which uses curl.
>
> /usr/lib64/libcurl.so.4.5.0: Unix.Trojan.Coinminer-9910195-0 FOUND

Has ClamAV ever actually found _anything_ malicious in the root-owned
system files on your Linux boxes?

Long ago I lost count of the number of times I've said on this list
that if you're not careful with ClamAV, you'll probably pose a bigger
danger to your systems than the threats that you think ClamAV will be
defending against, and certainly a bigger danger than those threats
which ClamAV is capable of detecting (the two being rather different
things - by my reckoning detection rates are a few percent, as I've
also said here).

False positives are an inescapable fact of life with signatures, and
as there are hundreds of new signatures on an average day, letting
ClamAV move system files on a typical Linux box is totally crackers
and more or less guaranteed to end in tears eventually.

Unless you're running a honeypot, regularly scanning bits of systems
which can only be modified by root is IMO nuts, and a complete waste
of time and energy. Quarantining files will not help at all. ClamAV
is not capable of fixing a system that's been compromised. If things
that can only be modified by root have been modified by a malicious
actor the game is already over, you lost it, and it's time to rebuild
the box from scratch because you can't trust anything on it.

ClamAV is not an alternative to properly securing your systems.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] WARNING: clamav quarantined libcurl.so.4.5.0 and broke a bunch of hosts
Unix.Trojan.Coinminer-9910195-0 has been dropped in the latest daily.cvd
release.

On Thu, Nov 18, 2021 at 11:57 AM Jeff Blaine via clamav-users <clamav-users@lists.clamav.net> wrote:

> Others should be aware that last night our nightly ClamAV scan quarantined
> /usr/lib64/libcurl.so.4.5.0 and also a copy inside of Matlab 2019
> commercial software on all of our RHEL 8.5 (brand new release) systems.
> This broke all sorts of things on our hosts, including DNF/yum which uses
> curl.
>
> /usr/lib64/libcurl.so.4.5.0: Unix.Trojan.Coinminer-9910195-0 FOUND
>
> Jeff


--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975
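The two replies above make one practical point between them: a hit on a root-owned system file should be checked against the package manager before anything is moved, and a signature that upstream later withdraws can be suppressed locally in the meantime. The following script is an added example written for this page; it is not code from the thread, from Jeff's site, or from the ClamAV project. It assumes the standard clamscan/clamdscan report format ("<path>: <signature> FOUND"), a typical RHEL directory layout for the "system" prefixes, and the helper names found_hits, path_class, rpm_verify, ign2_line and triage, all of which are this example's own. The sample report is constructed, modelled on the line Jeff posted.

```shell
#!/bin/sh
# Added example, not from the thread or the ClamAV project: triage a ClamAV
# "FOUND" report before any file is quarantined or deleted.
# Assumes the clamscan/clamdscan report line format "<path>: <signature> FOUND".

# Constructed sample report (the first line mirrors the one in the thread,
# the second uses a test signature and a made-up user path).
SAMPLE_REPORT='/usr/lib64/libcurl.so.4.5.0: Unix.Trojan.Coinminer-9910195-0 FOUND
/home/alice/Downloads/invoice.exe: Win.Test.EICAR_HDB-1 FOUND
/usr/bin/ls: OK'

# Emit "<signature> <path>" for each FOUND line. The signature comes first so
# that a later "read -r sig path" keeps paths containing spaces intact.
found_hits() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\): \([^ ]*\) FOUND$/\2 \1/p'
}

# Classify a path as root-managed ("system") or user-writable ("user").
# The prefix list is an assumption for a typical RHEL layout.
path_class() {
    case "$1" in
        /usr/*|/bin/*|/sbin/*|/lib/*|/lib64/*|/etc/*|/boot/*) echo system ;;
        *) echo user ;;
    esac
}

# Compare a file with what the RPM database says it should be.
# Prints "ok" (packaged and unchanged), "modified" (packaged but differs from
# the package's recorded digest/size/mode), or "unverifiable" (rpm is not
# installed, or no package owns the file).
rpm_verify() {
    command -v rpm >/dev/null 2>&1 || { echo unverifiable; return; }
    rpm -qf "$1" >/dev/null 2>&1 || { echo unverifiable; return; }
    # rpm -Vf lists only files that differ from the package, one per line,
    # with the path at the end of each line.
    if rpm -Vf "$1" 2>/dev/null | grep -q " $1\$"; then
        echo modified
    else
        echo ok
    fi
}

# Local whitelist entry: a .ign2 file in the database directory
# (e.g. /var/lib/clamav/local.ign2, an assumed filename) holds one signature
# name per line, and ClamAV skips those signatures until upstream drops them.
ign2_line() {
    printf '%s\n' "$1"
}

# One line per hit: SYSTEM <path> <signature> rpm=<verdict>
#                   USER   <path> <signature> quarantine-candidate
# A SYSTEM hit with rpm=ok is, with high probability, a false positive and
# the package manager, not the scanner, is the authority on that file.
triage() {
    found_hits "$1" | while read -r sig path; do
        cls=$(path_class "$path")
        if [ "$cls" = system ]; then
            printf 'SYSTEM %s %s rpm=%s\n' "$path" "$sig" "$(rpm_verify "$path")"
        else
            printf 'USER   %s %s quarantine-candidate\n' "$path" "$sig"
        fi
    done
}

# Stand-alone demo: sh triage.sh --demo
if [ "${1:-}" = --demo ]; then
    triage "$SAMPLE_REPORT"
fi
```

To generate the report this script consumes, run clamscan in report-only mode (no --move or --remove) and keep root-managed trees out of the scan, for example `clamscan -r --infected --exclude-dir='^/usr' --exclude-dir='^/proc' --exclude-dir='^/sys' /home /tmp`; --exclude-dir takes a regular expression, and the directory choice here is an illustration. On a host without rpm the verdict is "unverifiable", which is the signal to fall back on whatever integrity source that platform does have rather than on the scanner.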