I have rebuilt HTCondor on a fresh Ubuntu14 installation, and I checked the signatures and checksums. I am confident that this is a false positive. This particular executable is only used to determine standard universe support. If Dr. Web deletes this file, most of HTCondor will continue to work properly.

...Tim

On 11/14/2016 11:36 AM, Aaron Moate wrote:

It seems I was unable to extract the file in question because drweb was deleting it as soon as it was written. "condor_ckpt_probe" is indeed the specific file it's alerting on.

We ran drweb's scan against a release that is two years old (before Mirai was discovered). The scan showed positive:

[moate@localhost ~]$ sudo drweb-ctl scan condor-8.2.3-274619-ubuntu_14.04_amd64.deb
/home/moate/condor-8.2.3-274619-ubuntu_14.04_amd64.deb//data.tar.gz//gziped.gz//./usr/lib/condor/libexec/condor_ckpt_probe - infected with Linux.Mirai.54
Scanned objects: 1, scan errors: 0, threats found: 1, threats neutralized: 0.
Scanned 31907.75 KB in 5.87 s with speed 5432.03 KB/s.

So right now it's looking like a false positive. We're working at getting more exact verification.

Cheers,
Aaron Moate
CHTC Infrastructure Team

On Sat, Nov 12, 2016 at 08:12:05AM +0100, Benjamin LIPERE wrote:

So I am not really surprised. Thanks for the confirmation.

On 12 Nov 2016 08:11, "Benjamin LIPERE" <benjamin.lipere123@xxxxxxxxx> wrote:

Yep. Drweb is a very good antivirus. For me, sometimes, I can't finish the download. Also, it is the easiest one for an HPC cluster.

On 12 Nov 2016 05:53, "Aaron Moate" <wiscmoate@xxxxxxxxx> wrote:

I got drweb working on the 32-bit EL6 BaTLab platform, and it does indeed seem to think that condor_8.4.9-382747-ubuntu14_amd64.deb is a threat, specifically the usr/lib/condor/libexec/condor_ckpt_probe file inside. I tried to extract the file using xzcat and tar, but for some reason have been unable to so far, even though strace claims it's being written to disk.

[moate@localhost ~]$ drweb-ctl -d scan condor_8.4.9-382747-ubuntu14_amd64.deb
Debug: Use ConfigD public socket "/var/run/.com.drweb.public"
Debug: ConfigD <-- GET_FCHECK_REQUEST uid=10006
Debug: ConfigD --> GET_FCHECK_RESPONSE: OK
Debug: Use FileCheck socket "/var/run/.com.drweb.fcheck/10006"
Debug: ConfigD <-- MY_INFO_NOTIFICATION
Debug: FileCheck <-- SUBSCRIBE_TO_SCAN_INFO
Debug: FileCheck <-- START_SCAN_REQUEST
Debug: FileCheck --> SCAN_INFO_NOTIFICATION ()
Debug: FileCheck --> START_SCAN_RESPONSE 15
Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_PENDING)
Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_RUNNING)
Debug: FileCheck --> SCAN_INFO_NOTIFICATION (15:SCAN_STATE_FINISHED Success)
Info: /home/moate/condor_8.4.9-382747-ubuntu14_amd64.deb//data.tar.xz//xz//./usr/lib/condor/libexec/condor_ckpt_probe - infected with Linux.Mirai.54
Debug: Scan finished: Success
Info: Scanned objects: 1, scan errors: 0, threats found: 1, threats neutralized: 0.
Info: Scanned 20082.08 KB in 8.49 s with speed 2364.55 KB/s.
[moate@localhost ~]$ mkdir -p data
[moate@localhost ~]$ cd data
[moate@localhost data]$ xzcat ../data.tar.xz | tar xv ./usr/lib/condor/libexec/condor_ckpt_probe
./usr/lib/condor/libexec/condor_ckpt_probe
[moate@localhost data]$ ls -al ./usr/lib/condor/libexec/condor_ckpt_probe
ls: cannot access ./usr/lib/condor/libexec/condor_ckpt_probe: No such file or directory

Aaron Moate
CHTC Infrastructure Team

--
Tim Theisen
Release Manager
HTCondor & Open Science Grid
Center for High Throughput Computing
Department of Computer Sciences
University of Wisconsin - Madison
4261 Computer Sciences and Statistics
1210 W Dayton St
Madison, WI 53706-1685
+1 608 265 5736