Linux Lite Forums

General => Security & Bug Fixes => Topic started by: newtusmaximus on April 10, 2017, 05:47:14 PM

Title: SECURITY SOPHOS - reported infection - False positive??
Post by: newtusmaximus on April 10, 2017, 05:47:14 PM
"2017-04-10 21:11:41: savscan.log           On-demand scan details: master boot records scanned: 0, boot records scanned: 0, files scanned: 62838, scan errors: 165, threats detected: 1, infected files detected: 1
2017-04-10 21:11:41: log.threat            Threat detected in /usr/bin/lite-info: Linux/EncPk-BE during on-demand scan. (The file is still infected.)
2017-04-10 21:11:42: savscan.log           On-demand scan finished.!

First time running Sophos: savscan / to scan all content. Purpose is to ensure any files I forward to colleagues are not infected; files may have been created/sourced from non-secure sources/PCs.

This report came up. Unsure of its relevance?
Advice/thoughts appreciated.

https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Linux~EncPk-BE.aspx

UPDATE

In an attempt to remove the "threat" with "savscan -remove", SOPHOS is asking "Proceed with removal of /usr/bin/lite-info ([Y]es/[N]o/[A]ll) ? No"
I presume this is suggesting the removal of the whole of lite-info? In doing so, what effect would that have on the rest of the LL3.2 64-bit operating system on this PC?

FURTHER UPDATE
The above information is from a scan of my desktop HPdc7700p, running what was LL3.2 64-bit and this morning upgraded to 3.4 64-bit. Virus still detected after this morning's upgrade.

I have this morning loaded SOPHOS onto the family Fuji Si1520 and done a full scan with the latest virus library.
Again the same outcome: "Threat detected in /usr/bin/lite-info: Linux/EncPk-BE during on-demand scan" (https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Linux%7EEncPk-BE.aspx)

Removal of this "threat" on the Fuji Si1520 failed using "sudo savscan / -remove".

UPDATE
Second attempt at removing the threat on the Fuji Si1520 was successful. Resulted in removal of the lite-info file. Will see what adverse effect the removal of the file has on the further running of LL3.4 64-bit on that machine. Removal of the file was chosen as an alternative to disinfection as the latter would not have repaired any "infected" area of that file.

This morning loaded SOPHOS onto the Fuji3405 machine (running LL3.4 32-bit), updated the virus library and ran "sudo savscan /". No virus detected.

SUMMARY - Virus detected in the lite-info file on both of the LL3.4 64-bit machines. Not aware that any files have been shared between the two machines, although there might have been. Things in common: both machines were upgraded with additional RAM, and the LL3.2 64-bit ISO (downloaded 24/03/2017) burned onto DVD was used on both. Both systems were subsequently upgraded to LL3.4 64-bit. Looking further for any other common factors: software downloads etc.

Urgent help please on the significance of the findings, and any ideas as to where the "infection" originated from. Thank you.
Title: Re: SECURITY SOPHOS - reported infection - False positive??
Post by: newtusmaximus on April 11, 2017, 09:20:42 AM
Further information added to the original post. 
Urgent help appreciated. Tks
Title: Re: SECURITY SOPHOS - reported infection - False positive??
Post by: Jerry on April 11, 2017, 09:29:35 AM
lite-info is an encrypted binary that we provide a.k.a. Menu, System, Share Hardware Configuration. It's a false-positive, do not remove it.
Title: Re: SECURITY SOPHOS - reported infection - False positive??
Post by: newtusmaximus on April 11, 2017, 09:36:26 AM
Tks Jerry.
Good to hear re false positive. 
However, a question: why did lite-info not flag up a false positive on the Sophos scan of the V3405 laptop running LL3.4 32-bit?
Title: Re: SECURITY SOPHOS - reported infection - False positive??
Post by: Jerry on April 11, 2017, 09:39:11 AM
Your guess is as good as mine.
Title: Re: SECURITY SOPHOS - reported infection - False positive??
Post by: newtusmaximus on April 11, 2017, 10:13:22 AM
My guess would be a lot wilder than yours :) and far less informed!!
Title: Re: SECURITY SOPHOS - reported infection - False positive??
Post by: Jerry on April 11, 2017, 10:21:57 AM
Out of curiosity, what is the result of:

Code: [Select]
md5sum /usr/bin/lite-info
(providing you haven't removed that file)
Title: Re: SECURITY SOPHOS - reported infection - False positive??
Post by: newtusmaximus on April 11, 2017, 10:37:58 AM
Can't get at the file on the HPdc7700p as it has been quarantined by SOPHOS. Concerned about this desktop as it is used daily, with a steady input/output of files to/from colleagues.

Did remove the file (prior to your instruction to do otherwise) on the family laptop Fuji Si1520 (LL3.4 64-bit). Once I have recorded all the software added, I intend to reinstall from the 3.2 64-bit DVD originally used, load SOPHOS and retrace steps to see if I can duplicate the problem and try and identify what triggered it.

As they say "watch this space".
Title: Re: SECURITY SOPHOS - reported infection - False positive??
Post by: Scott on April 11, 2017, 11:03:34 AM
I submitted the file (/usr/bin/lite-info) to VirusTotal - out of 56 antivirus engines only *one* (Sophos) claims it's a problem and clicking the Sophos link doesn't yield that much information.

My scan
https://www.virustotal.com/en/file/ee61e9c7f13b355ad6c6f90a9c5153ef99b80eedc6807fdb88b581522e985fe6/analysis/1491921590/

If the above link doesn't work any longer you can create a new scan here
https://www.virustotal.com/
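Added example, not code from the thread or from Linux Lite: a small POSIX shell script that does the two checks Jerry and Scott describe (md5sum of the file, and comparison against the VirusTotal report) in one go. It takes the SHA-256 from Scott's VirusTotal URL above, so a reader can tell whether the lite-info on their own machine is byte-for-byte the file he scanned before trusting that "1 of 56 engines" verdict; the dpkg -S ownership lookup is an assumed, optional extra.

```shell
#!/bin/sh
# Added example, not code from the thread or Linux Lite. Assumes coreutils
# md5sum/sha256sum; dpkg is optional.

# SHA-256 taken from Scott's VirusTotal URL in the thread.
VT_URL="https://www.virustotal.com/en/file/ee61e9c7f13b355ad6c6f90a9c5153ef99b80eedc6807fdb88b581522e985fe6/analysis/1491921590/"

# Extract the 64-hex-digit hash from a VirusTotal /file/<sha256>/ URL.
vt_hash_from_url() {
    printf '%s\n' "$1" | sed -n 's|.*/file/\([0-9a-f]\{64\}\)/.*|\1|p'
}

# Hash a file: md5 (what Jerry asked for) or sha256 (what VirusTotal keys on).
file_hash() {
    case "$2" in
        md5) md5sum "$1" | cut -d' ' -f1 ;;
        *)   sha256sum "$1" | cut -d' ' -f1 ;;
    esac
}

# 0 if the file is byte-for-byte the one in the VirusTotal report, 1 if not,
# 2 if unreadable (e.g. already quarantined). A mismatch means the report's
# "1 of 56 engines" verdict says nothing about your copy.
matches_vt_report() {
    [ -r "$1" ] || { echo "cannot read $1 (removed or quarantined?)" >&2; return 2; }
    [ "$(vt_hash_from_url "$2")" = "$(file_hash "$1" sha256)" ]
}

# Print both hashes, the owning package (if dpkg exists), and the verdict.
check_file() {
    echo "md5:    $(file_hash "$1" md5)"
    echo "sha256: $(file_hash "$1" sha256)"
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" 2>/dev/null || echo "not owned by any dpkg package"
    fi
    if matches_vt_report "$1" "$VT_URL"; then
        echo "same file as the VirusTotal report"
    else
        echo "differs from the VirusTotal report; submit it for a fresh scan"
    fi
}

if [ "$#" -gt 0 ]; then
    check_file "$1"
fi
```

Run it as `sh check.sh /usr/bin/lite-info` on a machine where the file has not yet been quarantined; a "differs" result means a fresh VirusTotal submission, not Scott's, is the one that applies to that copy.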
Title: Re: SECURITY SOPHOS - reported infection - False positive??
Post by: newtusmaximus on April 11, 2017, 04:34:00 PM
Have retraced steps using Fuji Si1520.

Fresh install of LL3.2 64-bit from the DVD ISO originally downloaded 24/03/2017, MD5SUM checked. No updates installed. No additional software added by any route.
Language set to UK English and Keyboard to Fujitsu Amilo.
Sophos downloaded and updated and full scan "savscan /"

Sophos detected the virus in lite-info, as reported above previously.
Could not do md5sum on lite-info as quarantined.

So??  False positive??

Full Terminal record available if needed.