clamav-users November 2010 archive

Re: [Clamav-users] [Rkhunter-users] Please test rkhunter-CVS.tar.gz

From: Chuck Swiger <cswiger_at_nospam>
Date: Tue Nov 09 2010 - 18:11:41 GMT
To: ClamAV users ML <>

On Nov 9, 2010, at 12:24 AM, Al Varnell wrote:
> The file /private/etc/crontab was placed there on the date/time the system
> was installed and has been modified a couple of times by some third party
> software that insists on using cron, but all have since been removed and was
> last opened at reboot, about twenty-four hours ago, apparently by launchd.

launchd doesn't actually read /etc/crontab, but it is responsible for starting the cron daemon.

If you look at /System/Library/LaunchDaemons/com.vix.cron.plist, one should note that it specifically checks whether /etc/crontab or files under /usr/lib/cron/tabs exist; launchd only runs cron if they do exist (i.e., meaning that cron actually has something to do).

> This is the only other open question I have. I've tried removing the file,
> but it regenerates itself as soon as I open the directory in a Finder
> window. Google tells me that JVT NAL has something to do with a video
> sequence??? I can certainly try whitelisting, but that currently includes
> 3267 files on my hard drive.

This probably means Finder created and cached a thumbnail image of an H.264/MPEG-4 AVC format video file once you navigated to it in the filesystem. Frankly, RKHunter is better known for generating vast numbers of obscure false positives than it is for actually providing a security benefit.

Something like tripwire or a functioning backup system which can provide a comparison of changes against current filesystem state is much more likely to be useful.

--
-Chuck
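
An added example, not part of the original message: a minimal sketch of the baseline-and-compare approach recommended above, which a tool like tripwire automates. The function names and the sample tree (including the cron entry) are constructed for illustration.

```python
import hashlib
import json
import os
import stat
import tempfile

def snapshot(root):
    """Map each regular file under root to [sha256, permission bits, size]."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed
            digest = hashlib.sha256()
            try:
                with open(path, "rb") as fh:
                    for chunk in iter(lambda: fh.read(65536), b""):
                        digest.update(chunk)
                value = digest.hexdigest()
            except OSError:
                value = "unreadable"  # still tracked, so a later change is reported
            state[os.path.relpath(path, root)] = [value, stat.S_IMODE(st.st_mode), st.st_size]
    return state

def compare(baseline, current):
    """Return (added, removed, modified) lists of relative paths."""
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed sample tree: baseline it, change it, report the differences."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        crontab = os.path.join(root, "etc", "crontab")
        hosts = os.path.join(root, "etc", "hosts")
        for path, text in ((crontab, "# empty\n"), (hosts, "127.0.0.1 localhost\n")):
            with open(path, "w") as fh:
                fh.write(text)
        # Round-trip through JSON, as a baseline stored outside the host would be.
        baseline = json.loads(json.dumps(snapshot(root)))
        with open(crontab, "a") as fh:
            fh.write("0 3 * * * root /usr/local/bin/constructed-job\n")  # modified
        os.remove(hosts)                                                  # removed
        with open(os.path.join(root, "etc", "new.conf"), "w") as fh:
            fh.write("x\n")                                               # added
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the stored baseline, so keep it somewhere the monitored host cannot rewrite.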