<Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?

HiFranc
Level 1
Posts: 11
Joined: Sun Aug 21, 2016 11:36 am

<Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?

Post by HiFranc » Sun Dec 25, 2016 9:44 am

Yesterday and today, Clam AV (run from ClamTK) is reporting a Trojan in omni.ja. Yesterday, I deleted the file and then Firefox wouldn't start. I ticked reinstall in Synaptic Package Manager and the virus scanner came up with the same result when I ran it again. When I investigated further I couldn't find that particular error, but did see that ClamAV has had some false positives.
/usr/lib/firefox/omni.ja Win.Trojan.Toa-5370234-0
I uninstalled mono when I installed my OS and I don't use wine. Given that it's a windows trojan, can I assume it's a false positive? Are there any checks I can do to rule out a genuine infection?
Last edited by HiFranc on Sun Dec 25, 2016 9:59 am, edited 1 time in total.

karlchen
Level 18
Posts: 8918
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?

Post by karlchen » Sun Dec 25, 2016 9:49 am

Hello, HiFranc.

Permitting an antivirus software which searches for Windows malware to do so inside Linux executable files and Linux shared library files like omni.ja is an almost funny idea.
What you could do is upload the file /usr/lib/firefox/omni.ja which ClamAV flags as malicious to Virustotal and get the feedback of roughly 55 different antivirus products on it.
Once you have been convinced that omni.ja is not malicious, you should stop ClamAV from tinkering with your Linux executables and shared libraries.

--Addendum--
Either you or other users have already uploaded omni.ja to Virustotal and learned that ClamAV is the only AV software which considers the file malicious: omni.ja - sha256: 73e27ac1e14e9b6109694f83ea8822fd1ff6b6b40e52b7a707062f4c599edcc1

Code:
$ ls -l /usr/lib/firefox/omni.ja
-rw-r--r-- 1 root root 9757397 Dez  9 11:24 /usr/lib/firefox/omni.ja
Best regards,
Karl
Old bugs good, new bugs bad! Updates are evil: might fix old bugs and introduce no new ones.

WharfRat
Level 20
Posts: 11365
Joined: Thu Apr 07, 2011 8:15 pm

Re: Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?

Post by WharfRat » Sun Dec 25, 2016 9:53 am

Check grep omni.ja /var/lib/dpkg/info/firefox.md5sums against md5sum /usr/lib/firefox/omni.ja

If they match then it's a false positive.

HiFranc
Level 1
Posts: 11
Joined: Sun Aug 21, 2016 11:36 am

Re: Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?

Post by HiFranc » Sun Dec 25, 2016 9:58 am

md5s match. Thank you very much.

karlchen
Level 18
Posts: 8918
Joined: Sat Dec 31, 2011 7:21 am
Location: Germany

Re: Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?

Post by karlchen » Sun Dec 25, 2016 9:59 am

Doing as WharfRat suggests on my system yields these results:

Code:
karl@unimatrix0 ~ $ md5sum /usr/lib/firefox/omni.ja
72eb6649a695ba1d301ec720c3dfd8ff  /usr/lib/firefox/omni.ja

karl@unimatrix0 ~ $ grep omni.ja /var/lib/dpkg/info/firefox.md5sums
9d78553b0810119b2d9298a12742474f  usr/lib/firefox/browser/omni.ja
72eb6649a695ba1d301ec720c3dfd8ff  usr/lib/firefox/omni.ja
karl@unimatrix0 ~ $ 
So on my system WharfRat's steps confirm what Virustotal had already suggested: ClamAV falsely flags the file as a Windows trojan.
Old bugs good, new bugs bad! Updates are evil: might fix old bugs and introduce no new ones.

Mute Ant
Level 13
Posts: 4837
Joined: Tue Sep 03, 2013 7:45 pm

Re: <Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?

Post by Mute Ant » Sun Dec 25, 2016 1:07 pm

Code:
### Checksum the installed firefox files...
    debsums firefox
A report of 'OK' means your system's version matches the repository version. If it's malware, lots of other people will have the same problem.
Now 3 days pass, deep impression to me is the new system is a huge memory greedy.
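As an added example (not code posted by anyone in the thread), a POSIX shell script that performs the check WharfRat and karlchen ran, matching the exact relative path in the dpkg md5sums manifest rather than grepping a substring, plus a per-file loop over the whole manifest in the spirit of Mute Ant's debsums. It runs against a constructed fixture; the only real-system value assumed is the manifest location /var/lib/dpkg/info/<package>.md5sums.

```shell
#!/bin/sh
# Added example, not code posted in the thread. verify_file repeats the check
# WharfRat and karlchen ran, but matches the exact relative path instead of
# grepping a substring (karlchen's grep also returned browser/omni.ja).
# verify_manifest loops over every entry, in the spirit of "debsums firefox".
# On a real system MANIFEST is /var/lib/dpkg/info/<package>.md5sums and ROOT
# is empty; dpkg stores paths without the leading '/'.
# make_fixture builds constructed data so the script runs offline.

# verify_file MANIFEST ABSPATH [ROOT] -> prints OK | MISMATCH | NOT-IN-MANIFEST
verify_file() {
    manifest=$1; abspath=$2; root=${3:-}
    rel=${abspath#/}
    expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then echo "NOT-IN-MANIFEST"; return 2; fi
    actual=$(md5sum "$root$abspath" | awk '{ print $1 }')
    if [ "$expected" = "$actual" ]; then echo "OK"; return 0; fi
    echo "MISMATCH"; return 1
}

# verify_manifest MANIFEST [ROOT] -> one "STATUS /path" line per manifest entry
verify_manifest() {
    awk '{ print $2 }' "$1" | while read -r rel; do
        printf '%s /%s\n' "$(verify_file "$1" "/$rel" "${2:-}")" "$rel"
    done
}

# make_fixture -> prints a temp root with a fake firefox tree and a manifest
# generated before one file is deliberately altered (constructed data)
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/usr/lib/firefox/browser"
    printf 'intact omni.ja payload\n' > "$fx/usr/lib/firefox/omni.ja"
    printf 'browser omni.ja payload\n' > "$fx/usr/lib/firefox/browser/omni.ja"
    ( cd "$fx" && md5sum usr/lib/firefox/omni.ja usr/lib/firefox/browser/omni.ja ) \
        > "$fx/firefox.md5sums"
    printf 'appended after packaging\n' >> "$fx/usr/lib/firefox/browser/omni.ja"
    echo "$fx"
}

if [ "${1:-}" = "demo" ]; then
    fx=$(make_fixture)
    verify_manifest "$fx/firefox.md5sums" "$fx"   # OK for omni.ja, MISMATCH for browser/omni.ja
    rm -rf "$fx"
fi
```

A match only shows the file is byte-identical to what the package installed; the manifest lives on the same disk as the file, so this detects local modification but does not replace the repository's signed package metadata.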

turtlebay
Level 5
Posts: 590
Joined: Mon Apr 01, 2013 12:33 pm

Re: <Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?

Post by turtlebay » Sun Dec 25, 2016 10:14 pm

May I suggest you now delete Clam completely if you are only running Linux. Its only use is in scanning individual files that are going to be used in a Windows operating system. I quite understand those coming from Windows thinking they need an antivirus program and their need to spend half their working day on housekeeping, like they were used to doing with MS, but you don't need any housekeeping with Linux, I promise!

jimallyn
Level 18
Posts: 8116
Joined: Thu Jun 05, 2014 7:34 pm
Location: Wenatchee, WA USA

Re: <Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?

Post by jimallyn » Mon Dec 26, 2016 1:01 am

On Pjotr's Easy Linux Tips Project site, he recommends that you NOT use any antivirus, and I think most of the experienced Linux users here agree with him. I have been using Linux (with no antivirus) on all my computers for 14 years, and in that time, none of my Linux computers have ever been infected with any virus or malware, nor has the computer of any Linux user that I know. (And having been a moderator/admin on several Linux forums for most of that time, I know a LOT of Linux users!) I won't say that it's impossible to get a virus on Linux, I've just never heard of it happening.

https://sites.google.com/site/easylinux ... t/security

“If the government were coming for your TVs and cars, then you'd be upset. But, as it is, they're only coming for your sons.” - Daniel Berrigan

turtlebay
Level 5
Posts: 590
Joined: Mon Apr 01, 2013 12:33 pm

Re: <Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?

Post by turtlebay » Mon Dec 26, 2016 9:59 am

As Linux users make up only about 2% of the population, virus makers aim for the mass market, i.e. Windows, as their chances of making a 'hit' are far more likely to get a result.
Also, as Linux always requires a password before any program is allowed to make changes to the system, no sane person would encourage a virus to take over.

Fred Barclay
Level 12
Posts: 4126
Joined: Sat Sep 13, 2014 11:12 am
Location: Bumping around in the bush

Re: <Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?

Post by Fred Barclay » Mon Dec 26, 2016 11:40 am

turtlebay wrote:
> As Linux users make up only about 2% of the population, virus makers aim for the mass market, i.e. Windows, as their chances of making a 'hit' are far more likely to get a result.
> Also, as Linux always requires a password before any program is allowed to make changes to the system, no sane person would encourage a virus to take over.

I quite agree with your earlier statement about the uselessness of antivirus on Linux, but I would like to point out that the "Linux users are only 2% of total" security-through-obscurity model isn't quite right.
Yes, Linux desktop use is a very small amount (1.7-5% are the estimates I usually hear) and if this were the sole use of Linux, then almost no one would bother targeting Linux users.

But in real life, Linux and Unix are also used to power most of the internet and control billions of dollars/euros/yen. There's plenty of motivation to hack Linux. :mrgreen: IMHO, the crackers aren't aiming for Windows because it's the "mass market", but because it's much easier to hit than Linux, even if the reward is less.
"Once you can accept the universe as matter expanding into nothing that is something, wearing stripes with plaid comes easy."
- Albert Einstein

NickGordon
Level 1
Posts: 1
Joined: Tue Dec 27, 2016 3:10 pm

Re: <Solved> Clam AV says Win.Trojan.Toa-5370234-0 in omni.ja -- real threat or false positive -- how know?

Post by NickGordon » Tue Dec 27, 2016 3:14 pm

Does anyone have access to the Clam AV signature to ascertain what this FP is hitting on? Is it a weak sig just looking for omni.ja files or md5, file path etc.?
