So many files in Zorin

Why are there about 450k files in Zorin Lite? Scanning with ClamTK takes hours. Looking at some of the files there appear to be a lot of duplicates to a novice. Any ideas?

Flatpaks and snaps pull their own dependencies, is my guess. You could try to make a Flatpak- and snap-free environment.

1 Like

A note: you don't need to scan your system with Clam, just your home folder. The chance of getting a virus in root is practically zero if you install only from the software center.

3 Likes

You also need to disable the PUA function in ClamTk. It has never worked, even in the Windows version. However, you do need to protect your system from rootkits. Install rkhunter and chkrootkit.

1 Like

When I scan my Core version system (around 400,000-410,000 files) it takes 30-40 minutes. Do you maybe have other programs open, or background processes running?

No, just a slow 2008 CPU.

rkhunter is reporting 6 rootkits on my machine on first run. Help! Couldn't get chkrootkit to run as it said it couldn't find netstat.

Can you provide a screenshot?

System checks summary
[20:44:41] =====================
[20:44:41]
[20:44:41] File properties checks...
[20:44:41] Files checked: 137
[20:44:41] Suspect files: 6
[20:44:41]
[20:44:41] Rootkit checks...
[20:44:41] Rootkits checked : 471
[20:44:41] Possible rootkits: 6
[20:44:41] Rootkit names : Spam tool component
[20:44:41]
[20:44:41] Applications checks...
[20:44:41] All checks skipped
[20:44:41]
[20:44:41] The system checks took: 6 minutes and 2 seconds


Got chkrootkit working after installing it from apt. It flagged the following, so only the 6 spam tools found by rkhunter remain.

Searching for suspicious files and dirs, it may take a while... The following suspicious files and directories were found:
/usr/lib/modules/6.5.0-45-generic/vdso/.build-id
/usr/lib/modules/6.5.0-44-generic/vdso/.build-id
/usr/lib/modules/6.5.0-27-generic/vdso/.build-id
/usr/lib/libreoffice/share/.registry

Looks like a false positive.

3 Likes

You could take the 6 files and scan them with Clam, and in a second step on VirusTotal.

Look at the rkhunter log file for "Warnings" you may have seen in red when you did the scan.
To view log file:

sudo less /var/log/rkhunter.log

Hit q or Q to exit

In the past I have seen:
Warning: suspicious (large) shared memory segments...
Warning: hidden directory found: etc/.java
which I have put down to being false positives.

All seems ok except for

Warning: The command '/usr/sbin/adduser' has been replaced by a script: /usr/sbin/adduser: Perl script text executable

Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable

Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable

Warning: The command '/usr/bin/lwp-request' has been replaced by a script: /usr/bin/lwp-request: Perl script text executable

Warning: The command '/usr/bin/which.debianutils' has been replaced by a script: /usr/bin/which.debianutils: POSIX shell script, ASCII text executable

Are these Zorin tweaks of the Linux OS?

When I use rkhunter, I use the pkgmgr dpkg option, assuming the ZorinOS package source can be trusted.
e.g. commands:

sudo rkhunter --propupd --pkgmgr dpkg

then

sudo rkhunter --check --pkgmgr dpkg

That may eliminate some false-positive rkhunter warnings.

See from line 410 of the Readme file here: Rootkit Hunter / Code / [016a77] /files/README

2 Likes
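As an added example, not from the thread and not part of rkhunter itself: a POSIX shell script that pulls the paths out of rkhunter's "replaced by a script" warnings (the sample lines are constructed, modelled on the ones quoted above) and asks dpkg which package owns each one and whether the installed file still matches that package's recorded checksum, so a warning is tied to the package that shipped the script instead of being judged by eye. The helper names and the sample warnings are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: triage rkhunter "replaced by a script"
# warnings by asking dpkg which package owns each flagged command and whether
# the installed file still matches the checksum that package recorded.

# Constructed sample of warnings like those quoted in the thread (stands in
# for: grep Warning /var/log/rkhunter.log).
SAMPLE_WARNINGS="Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable
Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable
Warning: hidden directory found: /etc/.java
Warning: The command '/usr/bin/ldd' has been replaced by a script: /usr/bin/ldd: Bourne-Again shell script, ASCII text executable"

# Print the path from every "replaced by a script" warning on stdin, one per
# line; other warning types are ignored.
flagged_commands() {
    sed -n "s/^Warning: The command '\([^']*\)' has been replaced by a script.*/\1/p"
}

# Print "<path> <package> <status>" for one path. Status is "ok" when
# dpkg --verify reports no checksum mismatch for that file, "MODIFIED" when
# it does, "unpackaged" when no package owns the file, and "no-dpkg" on a
# host without dpkg. A script dpkg owns and verifies is the distro's own file.
check_with_dpkg() {
    path=$1
    if ! command -v dpkg >/dev/null 2>&1; then
        echo "$path - no-dpkg"
        return 0
    fi
    pkg=$(dpkg -S "$path" 2>/dev/null | grep -v '^diversion' | sed -n '1s/:.*//p')
    if [ -z "$pkg" ]; then
        echo "$path - unpackaged"
        return 0
    fi
    # dpkg --verify prints a line only for files whose md5sum differs
    if dpkg --verify "$pkg" 2>/dev/null | grep -q " $path\$"; then
        echo "$path $pkg MODIFIED"
    else
        echo "$path $pkg ok"
    fi
}

# Run the triage over the sample; on a real system pipe the log in instead.
triage() {
    printf '%s\n' "$SAMPLE_WARNINGS" | flagged_commands | while read -r p; do
        check_with_dpkg "$p"
    done
}
triage
```

A line ending in MODIFIED, or a flagged command that no package owns, is the case worth investigating; "ok" means the script is exactly what the package installed.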

Right, ran the command lines above and was left with two warnings.

Warning: The command '/usr/bin/egrep' has been replaced by a script: /usr/bin/egrep: POSIX shell script, ASCII text executable

Warning: The command '/usr/bin/fgrep' has been replaced by a script: /usr/bin/fgrep: POSIX shell script, ASCII text executable

Couple of false positives?

rkhunter warnings re: egrep and fgrep seem common, from the bit of web searching I have just done. Also found this: Rootkit Hunter / Bugs / #178 rkhunter generates "bogus" grep warnings

This may also be of interest to rkhunter users wondering whether it is still being maintained after 2018: Re: [Rkhunter-users] Future of rkhunter (Was: Still under support?) | Rootkit Hunter

1 Like
