  1. #1
    Just Joined!
    Join Date
    Feb 2014
    Posts
    8

    Maldetect results - false positives?


    Hello,

    I've carried out a scan on my VPS with Maldetect and it is reporting the following 16 hits -

    malware detect scan report for (removed):
    SCAN ID: 071814-1520.3088
    TIME: Jul 18 15:26:02 +0100
    PATH: /home
    TOTAL FILES: 171480
    TOTAL HITS: 16
    TOTAL CLEANED: 1

    CLEANED & RESTORED FILES:
    /home/virtfs/magicalw/usr/local/src/maldetect-1.4.2/files/clean/gzbase64.inject$

    FILE HIT LIST:
    {HEX}php.exe.globals.394 : /home/cpeasyapache/src/php-5.4.24/ext/standard/tests$
    {MD5}php.exe.globals.3814 : /home/cpeasyapache/src/php-5.4.24/ext/standard/test$
    {HEX}gzbase64.inject.unclassed.15 : /home/virtfs/magicalw/usr/local/src/maldete$
    {HEX}perl.generic.fakeproc.49 : /home/virtfs/magicalw/usr/local/bandmin/bandmin$
    {HEX}perl.generic.fakeproc.49 : /home/virtfs/magicalw/usr/local/bandmin/bandmin$
    {HEX}perl.generic.fakeproc.49 : /home/virtfs/magicalw/usr/local/bandmin/ipaddrm$
    {HEX}perl.generic.fakeproc.49 : /home/virtfs/magicalw/usr/local/bandmin/bandmin$
    {HEX}perl.generic.fakeproc.49 : /home/virtfs/magicalw/usr/local/bandmin/htdocs/$
    {HEX}perl.generic.fakeproc.49 : /home/virtfs/magicalw/usr/local/bandmin/service$
    {HEX}perl.generic.fakeproc.49 : /home/virtfs/magicalw/usr/local/bandmin/bandmin$
    {HEX}perl.generic.fakeproc.49 : /home/virtfs/magicalw/usr/local/bandmin/bandmin$
    {HEX}perl.generic.fakeproc.49 : /home/virtfs/magicalw/usr/local/bandmin/bmversi$
    {HEX}php.nested.base64.526 : /home/virtfs/magicalw/usr/local/cpanel/whostmgr/do$
    {HEX}perl.generic.fakeproc.49 : /home/virtfs/magicalw/var/log/dcpumon/2014/Apr/$
    {HEX}perl.generic.fakeproc.49 : /home/virtfs/magicalw/var/log/dcpumon/2014/Mar/$
    {HEX}perl.generic.fakeproc.49 : /home/virtfs/magicalw/var/log/dcpumon/2014/Mar/$

    My host has responded with the following advice -

    All of those hits are false positives.

    Contents of /home/cpeasyapache always get listed by Maldet without fail. You could do a fresh/clean install of cPanel and the results would be the same every time. This is nothing to worry about.

    The other results within /home/virtfs are system files, which, once again are false positives.

    I suggest we modify /usr/local/maldetect/ignore_paths and add:

    /home/virtfs
    /home/cpeasyapache

    That will stop future maldet scans picking up these results which are not relevant to anything.

    Now if they are false positives, that's great. However, if Maldetect is told to ignore these areas, is there not a risk that real malware could go undetected in future scans?

    This is not my area of expertise, so I hope someone can give me a second opinion on this one.

    Many thanks,

    Myles
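Editor's added example (not maldet's own code, and not posted by anyone in this thread) illustrating the trade-off Myles raises above. maldet 1.4.x suppresses hits by path prefix (ignore_paths), signature name (ignore_sigs) or extension (ignore_file_ext), so adding /home/virtfs and /home/cpeasyapache hides every future file under those trees, including anything dropped there later. The script below pins each reviewed hit to the SHA-256 of its contents instead: a file you already examined stays quiet, while a modified or never-seen file under the same directory is reported again. All paths, the report text and the allowlist are constructed in a temporary directory; the function and variable names are the editor's, not maldet's.

```python
# Added example (not maldet's code): hash-pinned triage of maldet hits.
# maldet's own ignore_paths/ignore_sigs/ignore_file_ext files suppress by path
# prefix, signature name or extension; this script suppresses only the exact
# file contents you already reviewed, so a modified or new file under an
# "ignored" tree still shows up. File paths and report lines are constructed.
import hashlib
import os
import re
import tempfile

# One hit line from the FILE HIT LIST section of `maldet --report SCANID`, e.g.
#   {HEX}perl.generic.fakeproc.49 : /home/virtfs/user/usr/local/bandmin/bandmin.cgi
HIT_RE = re.compile(r"^\{(HEX|MD5)\}(?P<sig>\S+)\s*:\s*(?P<path>.+)$")


def parse_hits(report_text):
    """Return [(signature, path), ...] from the FILE HIT LIST section of a report."""
    hits, in_list = [], False
    for line in report_text.splitlines():
        line = line.strip()
        if line == "FILE HIT LIST:":
            in_list = True
            continue
        if in_list:
            m = HIT_RE.match(line)
            if m:
                hits.append((m.group("sig"), m.group("path")))
    return hits


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large logs do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(hits, allowlist):
    """Classify each hit against allowlist {absolute path: sha256 of reviewed content}.

    reviewed : same path, same contents as when you last checked it by hand
    changed  : a path you once accepted, but its contents differ now
    new      : never reviewed; treat like any other hit
    missing  : listed in the report but no longer on disk (e.g. quarantined)
    """
    verdicts = {}
    for _sig, path in hits:
        if not os.path.isfile(path):
            verdicts[path] = "missing"
        elif path not in allowlist:
            verdicts[path] = "new"
        elif allowlist[path] == sha256_of(path):
            verdicts[path] = "reviewed"
        else:
            verdicts[path] = "changed"
    return verdicts


def demo():
    """Constructed scenario in a temp dir (hypothetical paths, not the poster's system)."""
    root = tempfile.mkdtemp(prefix="maldet-triage-")
    contents = {
        "bandmin/bandmin.cgi": b"#!/usr/bin/perl\n$0 = 'bandmin';\n",  # benign $0 rename
        "whostmgr/docroot/tool.php": b"<?php echo base64_encode('x'); ?>\n",
        "dcpumon/2014/Mar/1": b"cpu usage snapshot\n",
    }
    abs_path = {}
    for rel, data in contents.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        abs_path[rel] = p
    gone = os.path.join(root, "quarantined.pl")  # reported, but not on disk
    # Allowlist as it would look after a manual review: one entry still matches,
    # one is stale because the file was edited after it was accepted.
    allowlist = {
        abs_path["bandmin/bandmin.cgi"]: sha256_of(abs_path["bandmin/bandmin.cgi"]),
        abs_path["whostmgr/docroot/tool.php"]: "0" * 64,
    }
    report = "\n".join([
        "TOTAL HITS: 4",
        "FILE HIT LIST:",
        "{HEX}perl.generic.fakeproc.49 : " + abs_path["bandmin/bandmin.cgi"],
        "{HEX}php.nested.base64.526 : " + abs_path["whostmgr/docroot/tool.php"],
        "{HEX}perl.generic.fakeproc.49 : " + abs_path["dcpumon/2014/Mar/1"],
        "{HEX}perl.generic.fakeproc.49 : " + gone,
    ])
    verdicts = triage(parse_hits(report), allowlist)
    # Key the result by the short name so callers need not know the temp dir.
    names = {v: k for k, v in abs_path.items()}
    names[gone] = "quarantined.pl"
    return {names[p]: verdict for p, verdict in verdicts.items()}


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{verdict:9} {name}")
```

In practice you would keep the allowlist in a file you update only after looking at each flagged file yourself, and run the triage over the saved output of `maldet --report SCANID` after every scan. Only "new" and "changed" verdicts need attention; the host's ignore_paths entries can then be left out, so the scan still covers those trees.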

  2. #2
    Linux User sgosnell's Avatar
    Join Date
    Oct 2010
    Location
    Baja Oklahoma
    Posts
    485
    If the software always gives so many false positives, it might be a better idea to find better software.

  3. #3
    Just Joined!
    Join Date
    Feb 2014
    Posts
    8
    Quote Originally Posted by sgosnell View Post
    If the software always gives so many false positives, it might be a better idea to find better software.
    I suspect all good scanners are going to produce false positives. But I'm open to suggestions. What do you recommend?

  4. #4
    Linux Guru Rubberman's Avatar
    Join Date
    Apr 2009
    Location
    I can be found either 40 miles west of Chicago, in Chicago, or in a galaxy far, far away.
    Posts
    11,574
    All scanners give false positives. When I am scanning a Linux system, I always use 3 professional scanners, and only consider the ones that all agree are problems. Usually that == 0.
    Sometimes, real fast is almost as good as real time.
    Just remember, Semper Gumbi - always be flexible!
