SECURITY SOPHOS - reported infection - False positive??


SECURITY SOPHOS - reported infection - False positive??
« on: April 10, 2017, 05:47:14 PM »
 

newtusmaximus

  • Gold Level Poster
  • *******
  • 645
    Posts
  • Country: gb
  • Reputation: 67
  • Paypal Supporter.

  • Linux Lite: 3.6 64bit

  • CPU: Intel Core duo 6300 1.86GHz

  • MEMORY: 4Gb

  • VIDEO CARD: Intel 82Q963/Q965
"2017-04-10 21:11:41: savscan.log           On-demand scan details: master boot records scanned: 0, boot records scanned: 0, files scanned: 62838, scan errors: 165, threats detected: 1, infected files detected: 1
2017-04-10 21:11:41: log.threat            Threat detected in /usr/bin/lite-info: Linux/EncPk-BE during on-demand scan. (The file is still infected.)
2017-04-10 21:11:42: savscan.log           On-demand scan finished.!

First time running Sophos: "savscan /" to scan all content. The purpose is to ensure any files I forward to colleagues are not infected; files may have been created/sourced from non-secure sources/PCs.

This report came up. Unsure of its relevance?
Advice/thoughts appreciated.

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Linux~EncPk-BE.aspx

UPDATE

In an attempt to remove the "threat" with "savscan -remove", SOPHOS is asking "Proceed with removal of /usr/bin/lite-info ([Y]es/[N]o/[A]ll) ? No"
I presume this is suggesting the removal of the whole lite-info file? If so, what effect would that have on the rest of the LL3.2 64-bit operating system on this PC?

FURTHER UPDATE
The above information is from a scan of my desktop HP dc7700p, running what was LL3.2 64-bit and this morning upgraded to 3.4 64-bit. The virus is still detected after this morning's upgrade.

I have this morning loaded SOPHOS onto the family Fuji Si1520 and done a full scan with the latest virus library.
Again the same outcome: "Threat detected in /usr/bin/lite-info: Linux/EncPk-BE during on-demand scan"

Removal of this "threat" on the Fuji Si1520 failed using "sudo savscan / -remove".

UPDATE
The second attempt at removing the threat on the Fuji Si1520 was successful. It resulted in removal of the lite-info file. Will see what adverse effect the removal of the file has on the further running of LL3.4 64-bit on that machine. Removal of the file was chosen as an alternative to disinfection, as the latter would not have repaired any "infected" area of that file.

This morning loaded SOPHOS onto the Fuji 3405 machine (running LL3.4 32-bit), updated the virus library and ran "sudo savscan /". No virus detected.

SUMMARY - Virus detected in the lite-info file on both of the LL3.4 64-bit machines. Not aware that any files have been shared between the two machines, although there might have been. Things in common: both machines were upgraded with additional RAM, and the LL3.2 64-bit ISO (downloaded 24/03/2017) burned onto DVD was used for both. Both systems were subsequently upgraded to LL3.4 64-bit. Looking further for any other common factors (software downloads etc.).


Urgent help please on the significance of these findings, and any ideas as to where the "infection" originated. Thank you.
Last Edit: April 11, 2017, 09:32:19 AM by newtusmaximus
2006 - HP DC7700p ultraslim Desktop Intel 6300 cpu  4GB Ram LL3.6 64bit.
2007 - Fujitsu Siemens V3405 Laptop  2 GB Ram LL3.6 32bit. Now 32bit Debian 9 + nonfree.
2006 - Fujitsu Siemens Si1520 Laptop Intel T720 cpu 3GB Ram LL4.6 64bit
2003 - RETIRED Toshiba Satellite Pro A10 1 GB RAM LL2.8 32bit
 


Re: SECURITY SOPHOS - reported infection - False positive??
« Reply #1 on: April 11, 2017, 09:20:42 AM »
 

newtusmaximus

Further information added to the original post. 
Urgent help appreciated. Tks
 

Re: SECURITY SOPHOS - reported infection - False positive??
« Reply #2 on: April 11, 2017, 09:29:35 AM »
 

Jerry

  • Linux Lite Creator
  • Administrator
  • Platinum Level Poster
  • *****
  • 7017
    Posts
  • Country: nz
  • Reputation: 651
  • Linux Lite Member
    • Linux Lite OS

  • Linux Lite: 3.8 64bit

  • CPU: Intel Xeon Dual CPU's E5645 2.4GHz 12 Cores

  • MEMORY: 16Gb

  • VIDEO CARD: nVidia GeForce GTX 960
lite-info is an encrypted binary that we provide, a.k.a. Menu > System > Share Hardware Configuration. It's a false positive; do not remove it.
 

Re: SECURITY SOPHOS - reported infection - False positive??
« Reply #3 on: April 11, 2017, 09:36:26 AM »
 

newtusmaximus

Tks Jerry.
Good to hear re false positive.
However, a question: why did lite-info not flag up a false positive on the Sophos scan of the V3405 laptop running LL3.4 32-bit?
Last Edit: April 11, 2017, 04:35:22 PM by newtusmaximus
 

Re: SECURITY SOPHOS - reported infection - False positive??
« Reply #4 on: April 11, 2017, 09:39:11 AM »
 

Jerry

Your guess is as good as mine.
 

Re: SECURITY SOPHOS - reported infection - False positive??
« Reply #5 on: April 11, 2017, 10:13:22 AM »
 

newtusmaximus

My guess would be a lot wilder than yours :) and far less informed!!
 

Re: SECURITY SOPHOS - reported infection - False positive??
« Reply #6 on: April 11, 2017, 10:21:57 AM »
 

Jerry

Out of curiosity, what is the result of:

Code:
md5sum /usr/bin/lite-info
(providing you haven't removed that file)
 

Re: SECURITY SOPHOS - reported infection - False positive??
« Reply #7 on: April 11, 2017, 10:37:58 AM »
 

newtusmaximus

Can't get at the file on the HP dc7700p as it has been quarantined by SOPHOS. Concerned about this desktop as it is used daily, with a steady input/output of files to/from colleagues.

Did remove the file (prior to your instruction to do otherwise) on the family laptop Fuji Si1520 (LL3.4 64-bit). Once I have recorded all the software added, I intend to reinstall from the 3.2 64-bit DVD originally used, load SOPHOS and retrace my steps to see if I can duplicate the problem and try to identify what triggered it.

As they say "watch this space".
Last Edit: April 11, 2017, 12:17:16 PM by newtusmaximus
 

Re: SECURITY SOPHOS - reported infection - False positive??
« Reply #8 on: April 11, 2017, 11:03:34 AM »
 

Scott

  • Global Moderator
  • Gold Level Poster
  • *****
  • 858
    Posts
  • Country: 00
  • Reputation: 186
  • Linux Lite Member

  • Linux Lite: 3.4 64bit

  • CPU: Dual core Intel Core i3 M 330

  • MEMORY: 6Gb

  • VIDEO CARD: Intel Integrated Graphics
I submitted the file (/usr/bin/lite-info) to VirusTotal - out of 56 antivirus engines only *one* (Sophos) claims it's a problem and clicking the Sophos link doesn't yield that much information.

My scan:
https://www.virustotal.com/en/file/ee61e9c7f13b355ad6c6f90a9c5153ef99b80eedc6807fdb88b581522e985fe6/analysis/1491921590/

If the above link doesn't work any longer you can create a new scan here
https://www.virustotal.com/
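Jerry's md5sum request and Scott's VirusTotal lookup amount to the same check: compare the flagged file's digest against a known-good value before acting on a single engine's verdict. The Python below is an added example, not code from the thread or from Linux Lite: it parses savscan "Threat detected" lines, hashes each flagged file and classifies it against an allowlist of expected hashes. The file bytes, log line and allowlisted hash are constructed for the demo; the real lite-info hash from VirusTotal is not used.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Matches savscan "log.threat" lines of the form quoted in the thread.
THREAT_RE = re.compile(r"Threat detected in (?P<path>\S+): (?P<name>\S+) during")
# SHA-256 of the constructed sample bytes b"hello world" (NOT the real lite-info hash).
SAMPLE_SHA256 = "b94d27b9934d3e08a52e52d7da7dabfac484efe37a5380ee9088f7ace2efcde9"

def parse_threat_lines(log_text):
    """Extract (path, threat name) pairs from savscan log output."""
    hits = []
    for line in log_text.splitlines():
        m = THREAT_RE.search(line)
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits

def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(log_text, known_good, locate=lambda p: p):
    """Classify each flagged file: 'known-good' if its SHA-256 matches the allowlist
    entry for that path, 'mismatch' if the path is listed but the hash differs (treat as
    a real finding), 'unknown' if unlisted. `locate` maps a logged path to where the
    file now lives (e.g. a quarantine copy)."""
    results = {}
    for path, name in parse_threat_lines(log_text):
        digest = sha256_of(locate(path))
        expected = known_good.get(path)
        verdict = ("unknown" if expected is None
                   else "known-good" if digest == expected else "mismatch")
        results[path] = (name, digest, verdict)
    return results

def demo(expected=SAMPLE_SHA256):
    """Constructed run: a fake lite-info plus one log line in Sophos's format."""
    log = ("2017-04-10 21:11:41: log.threat            Threat detected in "
           "/usr/bin/lite-info: Linux/EncPk-BE during on-demand scan.\n")
    with tempfile.TemporaryDirectory() as tmp:
        fake = Path(tmp) / "lite-info"
        fake.write_bytes(b"hello world")
        known_good = {} if expected is None else {"/usr/bin/lite-info": expected}
        return triage(log, known_good, locate=lambda p: str(fake))
```

On a real system the allowlist would come from the package's own manifest (dpkg's .md5sums files, with md5 in place of SHA-256) or from a hash published by the distribution, and a "mismatch" rather than the scanner's signature name is what justifies quarantine.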
 

Re: SECURITY SOPHOS - reported infection - False positive??
« Reply #9 on: April 11, 2017, 04:34:00 PM »
 

newtusmaximus

Have retraced steps using Fuji Si1520.

Fresh install of LL3.2 64-bit from the DVD ISO originally downloaded 24/03/2017, md5sum checked. No updates installed. No additional software added by any route.
Language set to UK English and keyboard to Fujitsu Amilo.
Sophos downloaded and updated, and a full scan run with "savscan /".

Sophos detected the virus in lite-info, as reported above previously.
Could not do md5sum on lite-info as it was quarantined.

So??  False positive??

Full Terminal record available if needed.
Last Edit: April 11, 2017, 04:52:43 PM by newtusmaximus
 

