dave-theunsub / clamtk

An easy to use, light-weight, on-demand virus scanner for Linux systems
https://gitlab.com/dave_m/clamtk/wikis/home

When quarantining two or more malware files with the same name, they will appear as one malware #53

Open AlkindiX opened 8 years ago

AlkindiX commented 8 years ago

I scanned a directory containing two malware files with the same name, as shown in the history:

ClamTk, v5.20
Tue Dec 15 16:55:27 2015
ClamAV Signatures: 4158549
Directories Scanned:
/home/mohammed/Downloads
/home/mohammed/GitHub/LOIC/bin/Debug
/home/mohammed/GitHub/LOIC/obj/Debug

Found 2 possible threats (28972 files scanned).

/home/mohammed/GitHub/LOIC/obj/Debug/LOIC.exe      HackTool.DDOS.LOIC-2     
/home/mohammed/GitHub/LOIC/bin/Debug/LOIC.exe      HackTool.DDOS.LOIC-2     

The problem is that the two LOIC.exe files have been stored as one file in the program's quarantine.

I am using ClamTk on Ubuntu 15.10 Wily amd64.

dave-theunsub commented 8 years ago

Hi,

Please open a terminal window and type the following:

cat ~/.clamtk/restore

Mine looks like this:

$ cat .clamtk/restore
06f2c2aade7582da82a9b7469eca506d11858dfa10b2491f6fab88a13f33f8ec:/home/dave/test/CVE-2015-1641.gz:664
3ba2e5b32124c208bc1d10e4ea6685b243d98298e0594f93fad6e36b70fa35e9:/home/dave/test/pkg.7z:664

Let's see how they're getting stored for either removal or putting them back.

Respectfully, Dave M

AlkindiX commented 8 years ago

d15e75ae123cfd0d932f972c747b6169d13f6314c499eb15670f6144cca0c0a1:/home/mohammed/GitHub/LOIC/obj/Debug/LOIC.exe:775
AlkindiX commented 8 years ago

I think both of them at

/home/mohammed/GitHub/LOIC/obj/Debug/LOIC.exe      HackTool.DDOS.LOIC-2     
/home/mohammed/GitHub/LOIC/bin/Debug/LOIC.exe      HackTool.DDOS.LOIC-2  

have the same data. I mean the same hash name. I think it would be better if you added random characters, so that multiple files with the same hash can be quarantined.
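A small added illustration of the collision described in this thread (this is not ClamTk's own code): a quarantine that names each stored copy by its SHA-256 and appends `hash:path:mode` records like the `restore` file shown above, run once with the colliding naming and once with a numeric suffix so that both copies survive. The directory layout, file contents and `demo` helper are constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def quarantine(files, qdir, restore_path, unique_names=True):
    """Move files into qdir named by SHA-256 and append 'name:path:mode' records.
    unique_names=False reproduces the #53 collision (a second identical file
    replaces the first); unique_names=True appends ".2", ".3", ... instead."""
    stored = []
    for src in files:
        mode = "%o" % (os.stat(src).st_mode & 0o777)  # e.g. "775"
        digest = name = sha256_of(src)
        n = 1
        while unique_names and os.path.exists(os.path.join(qdir, name)):
            n += 1
            name = "%s.%d" % (digest, n)
        shutil.move(src, os.path.join(qdir, name))  # overwrites if name exists
        with open(restore_path, "a") as rf:
            rf.write("%s:%s:%s\n" % (name, src, mode))
        stored.append(name)
    return stored

def demo(unique_names):
    """Quarantine two byte-identical LOIC.exe files (constructed sample data);
    return (files left in the quarantine dir, records in the restore file)."""
    root = tempfile.mkdtemp()
    qdir = os.path.join(root, "viruses")
    os.mkdir(qdir)
    paths = []
    for sub in ("obj/Debug", "bin/Debug"):
        os.makedirs(os.path.join(root, sub))
        paths.append(os.path.join(root, sub, "LOIC.exe"))
        with open(paths[-1], "wb") as f:
            f.write(b"constructed identical content")
        os.chmod(paths[-1], 0o775)
    restore = os.path.join(root, "restore")
    quarantine(paths, qdir, restore, unique_names)
    with open(restore) as rf:
        records = len(rf.read().splitlines())
    count = len(os.listdir(qdir))
    shutil.rmtree(root)
    return count, records
```

With the colliding naming, `demo(False)` leaves one file in quarantine but two restore records, so the second record can no longer be put back; `demo(True)` keeps two files and two records.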