stacefauske / bodhibuilder_2.2.x

bodhibuilder compatible with Ubuntu 16.04, to create distributable or backup ISOs of Ubuntu derivatives and Bodhi Linux

Clamscan Concern #2

Closed reubenlillie closed 8 years ago

reubenlillie commented 8 years ago

I scanned my full file system (Bodhi 3.2.1) with ClamAV (version 0.98.7) and FOUND a Win.Trojan.Agent-1428496 in /etc/bodhibuilder/uefi/EFI/BOOT/BOOTx64.EFI

Then, just to make sure, I updated my local BOOTx64.EFI with the copy in this repo and repeated the clamscan. The result was the same.

stacefauske commented 8 years ago

Can you please do a recursive scan in your /boot/efi/ directory and let me know if you find a trojan there as well?

reubenlillie commented 8 years ago

Sure!

BOOTx64.EFI was/is the only infected file.

stacefauske commented 8 years ago

Thanks, I'll look further into this. We've been using this file for a little over a year now, and I guess you're the only one who's run a scan on it (or maybe just bothered to report it?). I honestly don't think it's a problem, but I'll definitely be looking further into it. The issue could just be with the way the code is executed inside the efi file that makes the AV think it's a trojan. But I'm doing some testing on it right now.

Has your Windows OS been able to boot OK? And can you run a scan on that file from your Windows anti-virus program?

stacefauske commented 8 years ago

Thanks for helping out on this issue. The problem was that the file was an old version of GRUBx64.EFI, and it reported as a Trojan even though it doesn't affect the system. I pulled the most recent GRUBx64.EFI and grubx64.efi from the latest Ubuntu 16.04, and now the scan reports a clean file. I've uploaded it to the git source here, and it's included in the latest bodhibuilder_2.2.beta-06.deb on my SourceForge page. Closing issue.
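The resolution above rests on one question: is the bundled BOOTx64.EFI byte-for-byte the binary the distribution ships, or something else? An AV verdict on a bootloader is weak evidence either way, so a practitioner would check provenance directly. The script below is an added example, not part of this issue thread or of the bodhibuilder project. It compares a candidate EFI image against a reference by SHA-256 after a cheap sanity check that both are PE images (every EFI application starts with the "MZ" magic), and wraps the recursive ClamAV scan that was requested earlier. The default paths are assumptions: the candidate is the path named in the report, and the reference is where Ubuntu's grub-efi-amd64-signed package installs its signed GRUB image; which reference is right depends on which binary was actually bundled (on Ubuntu media BOOTx64.EFI is usually shim, with grubx64.efi beside it). `sha256sum` and `head -c` are assumed available; `clamscan` is only used if present.

```shell
#!/bin/sh
# Added example (not bodhibuilder code): check whether a bundled EFI binary matches
# a packaged reference so an AV hit can be judged on provenance, not on a signature name.

# is_pe_image FILE: success if FILE exists and starts with the "MZ" DOS/PE magic.
is_pe_image() {
    [ -f "$1" ] || return 1
    [ "$(head -c 2 "$1" 2>/dev/null)" = "MZ" ]
}

# efi_sha256 FILE: print the SHA-256 digest of FILE (digest only, no filename).
efi_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# efi_matches_reference CANDIDATE REFERENCE
#   returns 0 if the two images are identical,
#           1 if both are PE images but differ,
#           2 if either is missing or not a PE image.
efi_matches_reference() {
    candidate=$1
    reference=$2
    if ! is_pe_image "$candidate"; then
        echo "missing or not a PE/EFI image: $candidate" >&2
        return 2
    fi
    if ! is_pe_image "$reference"; then
        echo "missing or not a PE/EFI image: $reference" >&2
        return 2
    fi
    c=$(efi_sha256 "$candidate")
    r=$(efi_sha256 "$reference")
    if [ "$c" = "$r" ]; then
        echo "match: $candidate == $reference ($c)"
        return 0
    fi
    echo "MISMATCH: $candidate ($c) != $reference ($r)" >&2
    return 1
}

# scan_efi_dir DIR: the recursive ClamAV scan asked for in the thread, reporting only hits.
# Assumes clamscan is on PATH; returns 2 if it is not installed.
scan_efi_dir() {
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed" >&2
        return 2
    fi
    clamscan -r --infected "$1"
}

# Usage: verify_efi.sh [CANDIDATE] [REFERENCE]
# Default paths are assumptions (see lead-in); nothing runs when invoked without arguments.
if [ $# -ge 1 ]; then
    efi_matches_reference "$1" "${2:-/usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed}"
fi
```

A mismatch is not by itself a finding (the bundled file may simply be an older package version, as turned out to be the case here), but it tells you which binary to look up, and a match against a distro-signed image settles the question without relying on the scanner at all. For a signed image, `sbverify --list FILE` from the sbsigntool package additionally shows the Authenticode signer, which is the stronger check when the reference package is not at hand.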