Rou*_*her 10 ubuntu malware clamav amazon-web-services aws-ec2
今天 clamAV 扫描了我的 AWS 实例,并在每个实例上检测到 24 个受感染的文件。由于以下几个原因,它看起来像是误报:
那么,我的问题是,在这种情况下我的下一步应该是什么?我应该删除这些文件吗?据我了解,它们可能是其他应用程序可以使用的系统文件。
2023-06-07T13:03:41.658+03:00 /snap/amazon-ssm-agent/6563/amazon-ssm-agent: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:42.909+03:00 /snap/amazon-ssm-agent/6563/ssm-agent-worker: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:44.659+03:00 /snap/amazon-ssm-agent/6563/ssm-cli: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:45.660+03:00 /snap/amazon-ssm-agent/6563/ssm-document-worker: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:46.910+03:00 /snap/amazon-ssm-agent/6563/ssm-session-logger: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:47.910+03:00 /snap/amazon-ssm-agent/6563/ssm-session-worker: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:49.411+03:00 /snap/amazon-ssm-agent/6312/amazon-ssm-agent: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:50.662+03:00 /snap/amazon-ssm-agent/6312/ssm-agent-worker: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:51.912+03:00 /snap/amazon-ssm-agent/6312/ssm-cli: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:52.912+03:00 /snap/amazon-ssm-agent/6312/ssm-document-worker: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:53.913+03:00 /snap/amazon-ssm-agent/6312/ssm-session-logger: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:55.413+03:00 /snap/amazon-ssm-agent/6312/ssm-session-worker: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:56.695+03:00 /snap/lxd/24061/bin/lxc: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:57.414+03:00 /snap/lxd/24061/bin/lxc-to-lxd: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:58.164+03:00 /snap/lxd/24061/bin/lxd-agent: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:03:58.915+03:00 /snap/lxd/24061/bin/lxd-benchmark: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:01.666+03:00 /snap/lxd/24061/bin/lxd-migrate: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:06.073+03:00 /snap/lxd/24061/bin/snap-query: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:12.420+03:00 /snap/lxd/23991/bin/lxc: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:13.170+03:00 /snap/lxd/23991/bin/lxc-to-lxd: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:13.920+03:00 /snap/lxd/23991/bin/lxd-agent: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:14.671+03:00 /snap/lxd/23991/bin/lxd-benchmark: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:16.171+03:00 /snap/lxd/23991/bin/lxd-migrate: Unix.Malware.Kaiji-10003916-0 FOUND
2023-06-07T13:04:21.073+03:00 /snap/lxd/23991/bin/snap-query: Unix.Malware.Kaiji-10003916-0 FOUND
小智 13
我向 ClamAV 提交了一份误报报告:https://www.clamav.net/reports/fp
这是我提交的描述:
The attached "helper" file was retrieved by running:
docker cp "$(docker container create gcr.io/paketo-buildpacks/ca-certificates:3.6.2@sha256:87b389fa631c6d6bbdaef30b5b963b300a4cba87c0ab8e9d00e3e5c2496117d3 -d)":/cnb/buildpacks/paketo-buildpacks_ca-certificates/3.6.2/bin/helper .
clamscan run on that file outputs:
helper: Unix.Malware.Kaiji-10003916-0 FOUND
That docker image is from https://github.com/paketo-buildpacks/ca-certificates/releases/tag/v3.6.2
Unix.Malware.Kaiji-10003916-0 is being detected in many files - this is just one sample. This false positive, new today, was also raised on stackoverflow at https://serverfault.com/questions/1132808/clamav-detected-kaiji-malware-on-ubuntu-instance
我还helper通过virustotal运行了该文件:https://www.virustotal.com/gui/file-analysis/NmUzNWM2MGVhZWVmNmU5ODAxYTExOWVhMTNkNGM1MGM6MTY4NjE0NzAzNg==
除了 clamav 之外,没有任何扫描程序检测到此文件中的病毒。
刚刚发布了每日签名数据库的带外更新,删除了此签名: https: //lists.clamav.net/pipermail/clamav-virusdb/2023-June/008315.html
至此,这个误报问题现已解决。
我还在他们的discord中向ClamAV 报告了这个问题。