<Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?
Forum rules
There are no such things as "stupid" questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Please stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions prefer the other forums within the support section.
Before you post please read how to get help. Topics in this forum are automatically closed 6 months after creation.
Yesterday and today, Clam AV (run from ClamTK) is reporting a Trojan in omni.ja. Yesterday, I deleted the file then Firefox wouldn't start. I ticked reinstall in Synaptic Package Manager and the virus scanner came up with the same result when I ran it again. When I investigated further I couldn't find that particular error but did see that ClamAV did have some false positives.
/usr/lib/firefox/omni.ja Win.Trojan.Toa-5370234-0
I uninstalled mono when I installed my OS and I don't use wine. Given that it's a Windows trojan, can I assume it's a false positive? Are there any checks I can do to rule out a genuine infection?
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 2 times in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?
Hello, HiFranc.
Permitting an antivirus software which searches for Windows malware to do so inside Linux executable files and Linux shared library files like omni.ja, is an almost funny idea.
What you could do is upload the file /usr/lib/firefox/omni.ja which ClamAV flags as malicious to Virustotal and get the feedback of roughly 55 different antivirus products on it.
Once you have been convinced that omni.ja is not malicious, you should stop ClamAV from tinkering with your Linux executables and shared libraries.
--Addendum--
Either you or other users have already uploaded omni.ja to Virustotal and learned that ClamAV is the only AV software which considers the file malicious: omni.ja - sha256: 73e27ac1e14e9b6109694f83ea8822fd1ff6b6b40e52b7a707062f4c599edcc1
Best regards,
Karl
$ ls -l /usr/lib/firefox/omni.ja
-rw-r--r-- 1 root root 9757397 Dez 9 11:24 /usr/lib/firefox/omni.ja
Karl

The people of Alderaan have been bravely fighting back the clone warriors sent out by the unscrupulous Sith Lord Palpatine for more than 12 months now.
The Prophet's Song
Re: Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?
Check
grep omni.ja /var/lib/dpkg/info/firefox.md5sums
against
md5sum /usr/lib/firefox/omni.ja
If they match then it's a false positive.
Re: Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?
md5s match. Thank you very much.
Re: Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?
Doing as WharfRat says on my system yields these results:
karl@unimatrix0 ~ $ md5sum /usr/lib/firefox/omni.ja
72eb6649a695ba1d301ec720c3dfd8ff /usr/lib/firefox/omni.ja
karl@unimatrix0 ~ $ grep omni.ja /var/lib/dpkg/info/firefox.md5sums
9d78553b0810119b2d9298a12742474f usr/lib/firefox/browser/omni.ja
72eb6649a695ba1d301ec720c3dfd8ff usr/lib/firefox/omni.ja
karl@unimatrix0 ~ $
So on my system WharfRat's steps confirm what Virustotal had already suggested: ClamAV falsely flags the file as a Windows trojan.
Mute Ant
Re: <Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?
### Checksum the installed firefox files...
debsums firefox
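The check WharfRat describes (grep the file's entry out of the package's .md5sums list and compare it with md5sum of the installed file), and that debsums automates, written out as a script. This is an added example, not code from the thread or from Debian/Mint; the function names are my own, the file paths are the ones quoted in the thread, and the package is located with dpkg -S rather than assumed to be "firefox".

```shell
#!/bin/sh
# Added example, not from the thread: confirm that a file an AV scanner flagged
# is byte-for-byte what its Debian/Ubuntu/Mint package installed, by comparing
# its md5 with the entry dpkg recorded in /var/lib/dpkg/info/<pkg>.md5sums.

# Compare one file against a dpkg-style md5sums list ("<md5>  <path without
# leading slash>" per line). $3 is the filesystem root the listed paths are
# relative to (default "/"), so the check can also be run against a test tree.
# Exit status: 0 = matches the packaged copy, 1 = differs, 2 = not in the list.
verify_md5_against_list() {
    file="$1"; list="$2"; root="${3:-/}"
    rel="${file#"$root"}"; rel="${rel#/}"
    recorded=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$list")
    [ -n "$recorded" ] || return 2
    actual=$(md5sum -- "$file" | awk '{ print $1 }')
    [ "$recorded" = "$actual" ]
}

# Full check for an installed file (hypothetical helper name): find the owning
# package with dpkg -S, then compare against that package's md5sums list.
verify_pkg_file() {
    file="$1"
    pkg=$(dpkg -S "$file" 2>/dev/null | head -n 1 | cut -d: -f1)
    if [ -z "$pkg" ]; then
        echo "$file: not owned by any installed package" >&2
        return 2
    fi
    list="/var/lib/dpkg/info/$pkg.md5sums"
    # Multi-arch packages keep their list under <pkg>:<arch>.md5sums instead.
    [ -f "$list" ] || list="/var/lib/dpkg/info/$pkg:$(dpkg --print-architecture).md5sums"
    rc=0
    verify_md5_against_list "$file" "$list" / || rc=$?
    case $rc in
        0) echo "$file: matches the $pkg checksum; the AV hit is a false positive" ;;
        1) echo "$file: DIFFERS from the $pkg checksum; treat the hit as real until explained" ;;
        *) echo "$file: no checksum recorded in $list" ;;
    esac
    return $rc
}

# Run directly with the path from the thread: sh verify.sh /usr/lib/firefox/omni.ja
if [ "$#" -gt 0 ]; then
    verify_pkg_file "$1"
fi
```

Both this script and debsums trust the lists under /var/lib/dpkg/info, which a root-level compromise could have rewritten along with the file; a match shows the file is what the package shipped, not that the package itself was clean.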
Re: <Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?
May I suggest you now delete Clam completely if you are only running Linux. Its only use is in scanning individual files that are going to be used in a Windows operating system. I quite understand those coming from Windows thinking they need an antivirus program and their need to spend half their working day on housekeeping, like they were used to doing with MS, but you don't need any housekeeping with Linux, I promise!
Re: <Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?
On Pjotr's Easy Linux Tips Project site, he recommends that you NOT use any antivirus, and I think most of the experienced Linux users here agree with him. I have been using Linux (with no antivirus) on all my computers for 14 years, and in that time, none of my Linux computers have ever been infected with any virus or malware, nor has the computer of any Linux user that I know. (And having been a moderator/admin on several Linux forums for most of that time, I know a LOT of Linux users!) I won't say that it's impossible to get a virus on Linux, I've just never heard of it happening.
https://sites.google.com/site/easylinux ... t/security
“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan
Re: <Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?
As Linux users make up only about 2% of the population, virus makers aim for the mass market, i.e. Windows, as their chances of making a 'hit' are far more likely to get a result.
Also, as Linux always requires a password before any program is allowed to make changes to the system, no sane person would encourage a virus to take over.
Fred Barclay
Re: <Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?
turtlebay wrote:
> As Linux users make up only about 2% of the population, virus makers aim for the mass market, ie Windows, as their chances of making a 'hit' are far more likely to get a result.
> Also, as Linux always requires a password before any program is allowed to make changes to the system, no sane person would encourage a virus to take over.
I quite agree with your earlier statement about the uselessness of antivirus on Linux, but I would like to point out that the "Linux users are only 2% of total" security-through-obscurity model isn't quite right.
Yes, Linux desktop use is a very small amount (1.7-5% are the estimates I usually hear) and if this was the sole use of Linux, then almost no one would bother targeting Linux users.
But in real life, Linux and Unix are also used to power most of the internet and control billions of dollars/euros/yen. There's plenty of motivation to hack Linux.
NickGordon
Re: <Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?
Does anyone have access to the Clam AV signature to ascertain what this FP is hitting on? Is it a weak sig just looking for omni.ja files or md5, file path etc.?