clamav-users November 2010 archive

Re: [Clamav-users] [Rkhunter-users] Please test rkhunter-CVS.tar.gz

From: Al Varnell <alvarnell_at_nospam>
Date: Tue Nov 09 2010 - 08:24:09 GMT
To: John Horne <john.horne@plymouth.ac.uk>, "unspawn@hushmail.com" <unspawn@hushmail.com>, ClamAV users <clamav-users@lists.clamav.net>

On 11/4/10 9:06 PM, "Al Varnell" <alvarnell@mac.com> wrote:

>>> [18:22:47] Info: Starting test name 'running_procs'
>>> [18:25:42] Checking running processes for suspicious files [ Warning ]
>>> [18:25:43] Warning: The following processes are using suspicious files:
>>> [18:25:44] Command: launchd
>>> [18:25:45] UID: 0 PID: 1
>>> [18:25:46] Pathname: /private/etc/crontab
>>> [18:25:47] Possible Rootkit: Unknown rootkit
>>>
>> I suspect this is a false-positive. RKH just happened to catch launchd
>> using crontab. On my Linux box it is probably possible for RKH to catch
>> 'crond' catching the same crontab file. If you re-run RKH the warning
>> may well have disappeared.
>>
> I think this is the only thing I haven't been able to figure out. I don't
> understand why launchd is connected with /private/etc/crontab at all. launchd
> does launch cron at startup and obviously cron would be looking at this.
> What's more, this file is totally blank...zero length with no resource fork.
> cron is not normally used by OSX any more, although some third party software
> I have tried out continues to do so. I have tried a couple of them, but all
> have been uninstalled. I'll keep my eye on it.
>
So I've checked this several times since and it still shows up. Tonight I
downloaded your latest candidate and there has been no change.

The file /private/etc/crontab was placed there on the date/time the system
was installed and has been modified a couple of times by some third party
software that insists on using cron, but all have since been removed and was
last opened at reboot, about twenty-four hours ago, apparently by launchd.

Any more ideas?

>>> [19:03:56] Checking for hidden files and directories [ Warning ]
>>> [19:03:57] Warning: Hidden file found: /etc/.DS_Store: JVT NAL sequence
>> While trusting searches on *file name only* is bad, dot-file names
>> do cause false positives often. This one by name seems to contain
>> metadata information, so if inspection confirms that it could be
>> white-listed.
>>
> You are correct. There is potentially an invisible .DS_Store file in each
> directory. It does contain metadata for Finder about how the directory is
> displayed, etc. I'm just not sure why it's picking on this one and what "JVT
> NAL" has to do with it.

This is the only other open question I have. I've tried removing the file,
but it regenerates itself as soon as I open the directory in a Finder
window. Google tells me that JVT NAL has something to do with a video
sequence??? I can certainly try whitelisting, but that currently includes
3267 files on my hard drive.

-Al-
 
--
Al Varnell
Mountain View, CA

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
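An added example, not part of this thread or of rkhunter: the "JVT NAL sequence" label is what a libmagic-style content sniffer prints for a .DS_Store file, because Finder's .DS_Store format begins with the four bytes 00 00 00 01 (the same bytes as an H.264 Annex B NAL start code) followed by the ASCII magic "Bud1". The hypothetical helper below, written here for illustration, tells the two apart from the header and only treats a hidden file as expected when its name is allow-listed and its content matches, so a renamed foreign file does not slip through a name-only whitelist; the sample headers are constructed, not read from a real disk.

```python
from pathlib import Path

# Constructed sample headers (first 32 bytes of each file) for demonstration.
DS_STORE_HEADER = b"\x00\x00\x00\x01Bud1" + b"\x00" * 24
H264_HEADER = b"\x00\x00\x00\x01\x67\x42\x00\x1e" + b"\x00" * 24  # 0x67 = SPS NAL header byte

DS_STORE_MAGIC = b"\x00\x00\x00\x01Bud1"
ANNEXB_START_CODE = b"\x00\x00\x00\x01"


def classify_header(data: bytes) -> str:
    """Classify a file by its leading bytes.

    .DS_Store starts with a 4-byte alignment value of 1 and then 'Bud1'.
    A generic magic database sees the leading 00 00 00 01 first and reports
    an H.264 NAL sequence, which is the 'JVT NAL sequence' false positive.
    """
    if len(data) < 8:
        return "unknown (short)"
    if data[:8] == DS_STORE_MAGIC:
        return "ds_store"
    if data[:4] == ANNEXB_START_CODE:
        nal_type = data[4] & 0x1F  # low 5 bits of the NAL header byte
        return f"h264_nal(type={nal_type})"
    return "unknown"


# Hypothetical allow-list: hidden file name -> header class we expect for it.
ALLOWLIST = {".DS_Store": "ds_store"}


def is_expected_hidden_file(name: str, header: bytes) -> bool:
    """True only when BOTH the name is allow-listed AND the content agrees."""
    return ALLOWLIST.get(name) == classify_header(header)


def review_hidden_files(directory: str) -> list:
    """Return (name, header class, needs_review) for each dot-file in directory."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if not path.name.startswith(".") or not path.is_file():
            continue
        with path.open("rb") as fh:
            header = fh.read(32)
        kind = classify_header(header)
        findings.append((path.name, kind, not is_expected_hidden_file(path.name, header)))
    return findings
```

Run `review_hidden_files("/etc")` on a Mac to see which dot-files still need a human look after the name-plus-content check.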