Virus or not? This is the question

NethServer Version: 7.9.2009
Module: ClamAV

Hello friends,

I have reinstalled ClamAV on my nethserver. My subscription to secureinfo had expired without registering it. Now I have reactivated that and changed to unofficial signatures in the signatures. After an almost six-hour scan, I am now being shown various detections that I can’t quite classify. Are these real viruses, or is there something wrong with my settings?

Regards…

Uwe

Fri Aug 19 13:41:02 2022

Scanned Folder: //run/log/journal/e8e0bba1fbe342df95b63f3ba7bade24/system.journal: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.718.UNOFFICIAL FOUND

/var/lib/nethserver/backup/history/c00.tar.xz: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.718.UNOFFICIAL FOUND

/var/lib/nethserver/vmail/root/Maildir/new/1660576850.M420435P11101.myserver.com,S=7745,W=7841: sigs.InterServer.net.HEX.Topline.virus.ip.172.81.134.47.365.UNOFFICIAL FOUND

/var/lib/nethserver/vmail/root/Maildir/new/1660749787.M571245P10450.myserver.com,S=5313,W=5387: sigs.InterServer.net.HEX.Topline.virus.ip.172.81.134.47.365.UNOFFICIAL FOUND

/var/lib/nethserver/vmail/root/Maildir/new/1660843096.M27078P31709.myserver.com,S=5907,W=5985: sigs.InterServer.net.HEX.Topline.malware.redirect.ecpms.net.718.UNOFFICIAL FOUND

/var/lib/nethserver/nextcloud/appdata_ocuvlob5okt4/backup/20220420193501-full-F51LAXAFEyjT9oR/app.zip: Sanesecurity.Foxhole.JS_Zip_1.UNOFFICIAL FOUND

/var/lib/tomcats/webtop/webapps/webtop/WEB-INF/lib/webtop-mail-5.15.4.jar: Sanesecurity.Foxhole.Zip_fs197.UNOFFICIAL FOUND

/var/lib/clamav/javascript.ndb: SecuriteInfo.com.JS.Exploit-16.UNOFFICIAL FOUND

/var/lib/clamav/interserver256.hdb: {HEX}php.malware.magento.585.UNOFFICIAL FOUND

/var/lib/clamav/twinclams.ldb: TwinWave.EvilDoc.DOCXRSTRGOOD.MSHTA.210816.UNOFFICIAL FOUND

/var/lib/clamav/interservertopline.db: sigs.InterServer.net.HEX.Topline.virus.ip.172.81.134.47.365.UNOFFICIAL FOUND

/var/lib/clamav/rfxn.ndb: SecuriteInfo.com.JS.Exploit-16.UNOFFICIAL FOUND

/var/lib/clamav/MiscreantPunch099-Low.ldb: TwinWave.EvilDoc.DOCXRSTRGOOD.MSHTA.210816.UNOFFICIAL FOUND

/var/log/messages: sigs.InterServer.net.HEX.Topline.virus.ip.172.81.134.47.365.UNOFFICIAL FOUND

/var/log/clamav/clamscan.log: sigs.InterServer.net.HEX.Topline.virus.ip.172.81.134.47.365.UNOFFICIAL FOUND

/usr/lib/rabbitmq/lib/rabbitmq_server-3.3.5/plugins/rabbitmq_management-3.3.5.ez: Sanesecurity.Foxhole.JS_Zip_16.UNOFFICIAL FOUND

/usr/share/cockpit/nethserver/js/app.d5c782d0.js.gz: Sanesecurity.Foxhole.GZip_js.UNOFFICIAL FOUND

/usr/share/cockpit/nethserver/js/chunk-vendors.d81d2afc.js.gz: Sanesecurity.Foxhole.GZip_js.UNOFFICIAL FOUND

/usr/share/nethserver-blacklist/ipsets/hphosts_emd.ipset: sigs.InterServer.net.HEX.Topline.blacklisted.ip.31.131.19.110.0RtXq6.376.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------

Known viruses: 4256238

Engine version: 0.103.7

Scanned directories: 45987

Scanned files: 205754

Infected files: 19

Data scanned: 50115.30 MB

Data read: 63865.74 MB (ratio 0.78:1)

Time: 20597.650 sec (343 m 17 s)

Start Date: 2022:08:19 13:41:02

End Date: 2022:08:19 19:24:19

Consider submitting the files to VirusTotal for several second opinions.

1 Like

Hi @pike,

when I drag the file to my client and then scan it with Eset, no infection is displayed.

Regards…

ESET is only one vendor. VirusTotal contacts several other vendors and engines.
Again, take the time to at least check some of them.

Most of them look like false positives.
For example the clamav dir /var/lib/clamav/ contains signature dbs which are wrongly detected.

Maybe it helps to set the “Third-party signatures rating” in the Antivirus application settings to “low”.
You could also exclude the files/folders in the clamscan settings.

1 Like
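To make the point in the reply above concrete, here is an added triage helper (not code from the thread or from NethServer) that parses clamscan result lines of the form `path: signature FOUND` and sorts them into the classes discussed: hits on ClamAV's own signature databases under /var/lib/clamav, hits on plain-text logs that merely contain a blacklisted string, archived JavaScript caught by third-party heuristic rules, and everything else. The path and signature heuristics are my own assumptions drawn from this thread, and the sample log is constructed from it.

```python
import re
from collections import Counter

# Constructed sample, modelled on the clamscan lines posted in the thread.
SAMPLE_LOG = """\
/var/lib/clamav/interserver256.hdb: {HEX}php.malware.magento.585.UNOFFICIAL FOUND
/var/log/clamav/clamscan.log: sigs.InterServer.net.HEX.Topline.virus.ip.172.81.134.47.365.UNOFFICIAL FOUND
/usr/share/cockpit/nethserver/js/app.d5c782d0.js.gz: Sanesecurity.Foxhole.GZip_js.UNOFFICIAL FOUND
/var/lib/nethserver/vmail/root/Maildir/new/1660576850.M420435P11101.myserver.com,S=7745,W=7841: sigs.InterServer.net.HEX.Topline.virus.ip.172.81.134.47.365.UNOFFICIAL FOUND
/home/uwe/invoice.exe: Win.Trojan.Agent-123456 FOUND
"""

HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# A signature database naturally contains the byte patterns other
# signatures search for, so a hit inside one is self-detection (assumption).
SIGDB_EXT = (".hdb", ".ndb", ".ldb", ".db", ".cvd", ".cld", ".hsb", ".mdb")
# Logs and the journal record hostnames/IPs that blacklist signatures match on.
LOG_PREFIXES = ("/var/log/", "/run/log/journal/", "//run/log/journal/")

def triage(line):
    """Return (path, signature, verdict) for one clamscan result line, else None."""
    m = HIT_RE.match(line.strip())
    if not m:
        return None
    path, sig = m.group("path"), m.group("sig")
    unofficial = sig.endswith(".UNOFFICIAL")          # third-party rule, not ClamAV's
    if path.startswith("/var/lib/clamav/") and path.endswith(SIGDB_EXT):
        verdict = "likely-fp: signature database matching its own patterns"
    elif any(path.startswith(p) for p in LOG_PREFIXES):
        verdict = "likely-fp: plain-text log containing a blacklisted string"
    elif sig.startswith("Sanesecurity.Foxhole.") and path.endswith((".gz", ".zip", ".jar", ".ez")):
        verdict = "needs-review: heuristic archive rule hit on bundled script code"
    elif unofficial:
        verdict = "needs-review: third-party signature, get a second opinion"
    else:
        verdict = "investigate: official ClamAV signature"
    return path, sig, verdict

def summarize(log_text):
    """Count verdict classes (the part before ':') over a whole clamscan log."""
    counts = Counter()
    for line in log_text.splitlines():
        hit = triage(line)
        if hit:
            counts[hit[2].split(":")[0]] += 1
    return dict(counts)
```

Run `summarize(open("/var/log/clamav/clamscan.log").read())` on a real log to see at a glance how many hits are self-detections before exporting anything to VirusTotal.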

Hi @mrmarkuz and @pike,

after I scanned the files with two other virus scanners (BullGuard & MS Defender) and, like ESET before, they did not find any infection, I removed the folders in question from the Clamscan scan.

Case closed.