Mailing List Archive

[clamav-users] ClamAV detects XMR-Stak as malicious. Is this a false positive?
I decided to scan my entire /usr/ folder recently, as I heard about a malicious package in NPM and wanted to be extra sure nothing got into my system. I was slightly shocked when it finished, and it said there was 1 infected file. Unfortunately it did not list exactly what that infected file was, so I ran it again, this time logging to a file, and grepped that file for "FOUND", and the result was:

/usr/bin/xmr-stak: Multios.Coinminer.Miner-6781728-2 FOUND

But... XMR-Stak is _supposed_ to be a crypto miner. That is what it does. I installed it for that purpose, compiling it from source since I am on Gentoo.

So... is this a false positive then? Or is this saying something else, like, that my version of XMR-Stak has malicious code to mine on some bad actor's pool instead of the one I tell it to mine in?

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] ClamAV detects XMR-Stak as malicious. Is this a false positive?
I suspect that it's because there are several instances of malicious software that install xmr-stak unknowingly to the user, who then becomes a miner bot for a cybercriminal.

If I were you, I would just put it in a clamav.fp file so it will ignore your installation while still identifying any other instance that showed up.

Sent from my iPad

-Al-
ClamXAV User

> On Nov 18, 2021, at 23:23, happysmash27 via clamav-users <clamav-users@lists.clamav.net> wrote:
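Al's clamav.fp suggestion worked through as an added example (not code from the thread or from the ClamAV project): it builds the whitelist line for one exact binary, and assumes the signature database lives in /var/lib/clamav and that md5sum/wc stand in for `sigtool --md5`.

```shell
#!/bin/sh
# Added example (not from the thread): build a ClamAV .fp whitelist entry
# for a binary you compiled yourself, so only *that exact build* is
# skipped while other copies of the miner still trigger the signature.
#
# .fp format (same as .hdb): MD5:FileSize:SignatureName
# ClamAV's own `sigtool --md5 FILE` prints the same line; md5sum + wc are
# used here so the script runs on any POSIX box.

fp_entry() {
    file="$1"
    # Assumed, arbitrary name for the whitelist line; pick your own.
    name="${2:-Local.Whitelist.$(basename "$file")}"
    md5=$(md5sum "$file" | cut -d' ' -f1)
    size=$(wc -c < "$file" | tr -d ' ')
    printf '%s:%s:%s\n' "$md5" "$size" "$name"
}

# Caveat: the entry is bound to the hash, so every rebuild of xmr-stak
# (new version, different CFLAGS) needs a fresh line or the alert returns.
# The coarser alternative is a .ign2 file listing the signature name
# (Multios.Coinminer.Miner-6781728-2), which silences it for *every* file,
# including the unwanted copies Al is talking about.

# Usage (paths assumed; /var/lib/clamav is the usual Linux database dir):
#   fp_entry /usr/bin/xmr-stak >> /var/lib/clamav/local.fp
#   clamscan /usr/bin/xmr-stak      # should now report OK
if [ $# -gt 0 ]; then
    fp_entry "$@"
fi
```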
Re: [clamav-users] ClamAV detects XMR-Stak as malicious. Is this a false positive?
Al is right.

If you don’t want to detect it, ignore it using the ignore functions.


Sent from my iPad

On Nov 19, 2021, at 03:49, Al Varnell via clamav-users <clamav-users@lists.clamav.net> wrote: