
I used clamtk to scan, and in var/lib/clamav/tmp the file Html.Trojan.CobaltStrike was found.

What do I do with the file it found? It is not a PUA.

It looks like it is inside the directory file itself. So is it meant to be there, i.e. is it just a clamav database signature, and would deleting it not be a good idea?

I would appreciate some advice on how to know if it's an actual trojan and not a false positive, or a file that's meant to be there. And what to do next: should I quarantine it/delete it, or do nothing with it?

  • You asked a similar question in May 2021 about clamtk. I think the answer then still applies now to this question, where you were told "Please remove it (ClamTK) as it is totally useless unless you want to use it to scan windows files" – graham Jul 22 '25 at 12:49
  • Do you mean remove the clamav/tk programme or the virus? I'm not techy enough to run scans using clamav, so it's why I use tk. But has it found a trojan? – papercup Jul 22 '25 at 12:57
  • Did you read my comment and did you read the comments in your previous question? For clarity here it is again: clamtk is lying to you. See the WIN in the notification. It assumes you are using WINdows. Please remove it as it is totally useless unless you want to use it to scan windows files. "how much they are compromising the security of my system." =zero=. It is absolutely insane to scan a Linux system using WINDOWS rules. Never going to work. Oh and there are currently ZERO active viruses for Linux. Malware, rootkits sure but no viruses. – Rinzwind Commented May 12, 2021 at 12:35 – graham Jul 22 '25 at 13:00
  • I'm sorry, I do have learning disabilities. Clamav is often recommended for use on ubuntu; I will try to find a better alternative for scanning. Is it flagging up something as a trojan nothing to worry about then? – papercup Jul 22 '25 at 13:10
  • This too was addressed in your previous question's answer linked to here. I suggest you re-read it. This is not a forum in which dialogue exchanges are encouraged. – graham Jul 22 '25 at 13:15
  • But finding a trojan is a different situation from my previous question. This isn't a PUA in a cache file but a trojan in system folders. My question is: is this something which needs to be quarantined/deleted, or is it something in the clamav database file that is meant to be there? – papercup Jul 22 '25 at 13:21
  • @graham I don't understand why you keep telling the OP to read some random old comment. In that specific case, the file was indeed a Windows trojan. This does not have the WIN string, so it is a different situation. In any case, the OP is clearly having trouble understanding what you are saying, and they mentioned they have learning disabilities, so I really struggle to think why you believe that saying the same thing in bold would magically make it helpful. – terdon Jul 22 '25 at 13:31
  • Thank you. I've edited my question to be more precise about the information I'm looking for. – papercup Jul 22 '25 at 13:34
  • @terdon it was not some random old comment - it was a comment in response to an earlier question by the OP. If he had followed that advice then, this issue might not have occurred. The use of bold was to highlight the bit that seemed relevant to help and guide him through the number of different comments made, nothing more sinister than that. As someone with challenged vision, I find that bold works very well for me and genuinely thought it would be of help to the OP. – graham Jul 22 '25 at 15:27

1 Answer

While ClamAV can scan Windows files and email attachments, it is useless when applied to Linux. The Unix/Linux system design precludes viruses. We can still do dumb things like CloudFlare, but not Windows viruses.

From the ClamAV website:

ClamAV® is an open-source antivirus engine for detecting trojans, viruses, malware & other malicious threats.

Also from clamav.net:

ClamAV® is the open-source standard for mail gateway-scanning software.

So, unless you are operating a mail gateway, receiving email from the World, and forwarding it to Windows hosts, ClamAV has no benefit for you.

Any effort in getting ClamAV to "scan" a Linux system is wasted, and will produce only false positives.

  • "Any effort in getting ClamAV to "scan" a Linux system is wasted, and will produce only false positives.": I have heard this claim very often but I have never seen any actual evidence supporting it. Can you back this up? It may well be true, but without any proof it is just a random statement on the internet. There are several known Trojans and other malware for Linux systems; are you sure that clamAV cannot detect them? – terdon Jul 22 '25 at 13:42
  • So it is more likely that clamav has flagged a signature in its own database rather than a corrupted file? And is deleting it advisable or not necessary? I'm a bit stuck as to what needs to be done or how to double check I don't have a cobalt strike trojan. – papercup Jul 22 '25 at 13:59
  • I'm still confused as to whether I should delete the file. I understand that clamav throws up false positives. But does it not also detect actual positives? Is there another way to check if I have a Trojan using open source? – papercup Jul 22 '25 at 15:50
  • @papercup There seems to be an issue about whether ClamAV is still maintained. This Gitlab resource suggests it is no longer maintained, and so the original advice you were provided in 2021 to remove ClamAV seems as relevant as ever and as outlined by waltinator. – graham Jul 22 '25 at 16:21
  • I too had false positives reported frequently and so removed it from my 2 Ubuntu 22.04 instances and didn't bother to install it on my Debian 12 daily driver, with no ill effect. – graham Jul 22 '25 at 16:27
  • Yes, I think I will look into removing clamav. In the meantime, what action should I take with the file marked as a Trojan? Should I delete it, quarantine it or do nothing with it? I'm not sure what it is or why it's there. – papercup Jul 22 '25 at 16:41
  • I'm a bit stuck on the clamtk prompt to quarantine/delete the file. Could anyone advise what I should do with the file? I will look into removing the program but am still confused as to what this file could be and what action to take with it. – papercup Jul 22 '25 at 17:54
  • Investigate the file with file, less, od -bc, readelf. Decide for yourself. Since the file seems to be part of ClamAV, I wouldn't worry. – waltinator Jul 22 '25 at 18:46
  • @terdon For each of the millions of Windows viruses, examine how the virus "infects" a Windows system. Unix/Linux doesn't "do things" that way, and doesn't have that vulnerability. Unix/Linux places more capabilities in the hands of the developer, so she can do more, unlike DOS/Windows, which requires hacks, leading to vulnerabilities. I remember TSR (Terminate and Stay Resident) from DOS/Windows. Unix/Linux offers a way to add functionality (compilers, editors, graphics tools, device drivers, filesystems, ...) without subverting the system. – waltinator Jul 22 '25 at 19:03
  • @waltinator why should I investigate? I'm not making any claims. And note that this is about a Trojan, not a generic virus. Don't get me wrong, I think your answer is correct, but since it isn't substantiated by any references, it's just the random musings of a faceless internet user. – terdon Jul 22 '25 at 19:28
  • @terdon Investigate to determine exactly what the file is, in order to help you determine future actions you take with respect to the file. – waltinator Jul 22 '25 at 21:03
  • @papercup As you have asked and in the spirit of helpfulness you may find this guide on how to remove ClamTK helpful. – graham Jul 23 '25 at 09:06
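The thread never gives the asker a concrete way to find out what the flagged file is before deciding on quarantine or deletion. Here is an added example (not code from any participant on this page) that collects the facts waltinator's comment points at: where the path sits, whether a package owns it, its type, its hash and its first bytes. It assumes the Debian/Ubuntu layout from the question, where ClamAV keeps its signature database under /var/lib/clamav; the function names and the CLAMAV_DB_DIR override are choices made here.

```shell
#!/bin/sh
# Read-only triage for a file that ClamAV/ClamTK has flagged.
# Added example; assumes ClamAV's database tree is /var/lib/clamav
# (override with CLAMAV_DB_DIR). Nothing here changes the file.

CLAMAV_DB_DIR="${CLAMAV_DB_DIR:-/var/lib/clamav}"

# classify_flagged_path PATH -> prints one word:
#   clamav-database  the path is inside ClamAV's own database tree
#   packaged         a dpkg package owns the file (verify against the package)
#   unowned          neither; look closer before quarantining or deleting
classify_flagged_path() {
    p=$1
    case "$p" in
        "$CLAMAV_DB_DIR"/*) echo clamav-database; return 0 ;;
    esac
    if command -v dpkg >/dev/null 2>&1 && dpkg -S "$p" >/dev/null 2>&1; then
        echo packaged
        return 0
    fi
    echo unowned
}

# triage_flagged_file PATH: print the evidence a person needs to decide.
# Returns 1 when the path does not exist.
triage_flagged_file() {
    p=$1
    [ -e "$p" ] || { echo "no such file: $p"; return 1; }
    echo "path:   $p"
    echo "class:  $(classify_flagged_path "$p")"
    ls -ld -- "$p"                      # owner, mode, size, mtime
    if command -v file >/dev/null 2>&1; then
        echo "type:   $(file -b -- "$p")"
    fi
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256: $(sha256sum -- "$p" | cut -d' ' -f1)"
    fi
    if command -v dpkg >/dev/null 2>&1 && dpkg -S "$p" >/dev/null 2>&1; then
        dpkg -S "$p"                    # which package installed it
    fi
    # First 64 bytes as characters, as the od -bc suggestion above does
    od -A d -c -N 64 -- "$p"
}
```

Run it as `triage_flagged_file /var/lib/clamav/tmp/<flagged file>`; a result of `clamav-database` means the path is inside ClamAV's own working tree, where a freshly downloaded signature set can match its own detection names, which is the false-positive case the answer describes.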