Saturday, December 17, 2016

security - Should I be worried about a possible threat?



I recently installed Ubuntu 12.10. I use ClamAV and have scanned my system regularly for infections. Today it picked up a potential threat:
/usr/lib/ruby/1.9.1/rdoc/generator/template/darkfish/js/thickbox-compressed.js

Ubuntu is my only operating system installed. ClamAV was not able to delete or quarantine the file.
Should I be concerned or is this a false positive? I have scanned the same file multiple times and it picks it up as a threat each time. Also, I tried googling the issue before posting and found no information.



A point I forgot to mention: ClamAV picks it up as PUA.script.packed-1



That file seems to belong to package libruby1.9.1, which should be installed when you installed Ruby.



If that package comes from the default repositories, I guess that warning should be nothing for you to worry about. If it comes from a PPA, then you should take a closer look.



To see where the package comes from, you can use apt-cache. From my system:




    $ apt-cache policy libruby1.9.1
    libruby1.9.1:
      Installed: (none)   <-- This shows the installed version (not installed in my case)
      Candidate: 1.9.3.0-1ubuntu2.5
      Version table:
         1.9.3.0-1ubuntu2.5 0
            500 http://pt.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
            500 http://security.ubuntu.com/ubuntu/ precise-security/main amd64 Packages
         1.9.3.0-1ubuntu1 0
            500 http://pt.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages


Also consider checking that file in an online scanner like VirusTotal. If only ClamAV marks it as a potential threat, it is probably a false positive.
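
The origin check described in the answer above, as an added example that is not part of the original post: a shell function that reads `apt-cache policy` output and reports whether the installed version comes from the Ubuntu archive, a PPA, or somewhere else. The host patterns treated as "official", the sample outputs, and the PPA name `example-user/ruby` are assumptions constructed for illustration.

```shell
# stdin: output of `apt-cache policy <pkg>`
# stdout: not-installed | official | ppa | third-party | local-only
# Assumption: "official" = *.archive.ubuntu.com or security.ubuntu.com hosts.
classify_origin() {
    awk '
        $1 == "Installed:" { inst = $2 ""; next }
        $1 == "Version" && $2 == "table:" { in_table = 1; next }
        !in_table { next }
        # Source line: "<pin priority> <URL or path> ..."
        $1 ~ /^-?[0-9]+$/ && $2 ~ /\// {
            if (cur != inst) next   # only sources of the installed version
            if ($2 ~ /^https?:\/\/ppa\.launchpad(content)?\.net\//) ppa = 1
            else if ($2 ~ /^https?:\/\/([a-z0-9-]+\.)?(archive|security)\.ubuntu\.com\//) official = 1
            else if ($2 != "/var/lib/dpkg/status") other = 1
            next
        }
        # Version header; "***" marks the installed version (forced to string)
        { cur = (($1 == "***") ? $2 : $1) "" }
        END {
            if (inst == "" || inst == "(none)") print "not-installed"
            else if (ppa) print "ppa"
            else if (other) print "third-party"
            else if (official) print "official"
            else print "local-only"
        }
    '
}

# Constructed sample: installed version served by the Ubuntu archive
sample_official() { cat <<'EOF'
libruby1.9.1:
  Installed: 1.9.3.0-1ubuntu2.5
  Version table:
 *** 1.9.3.0-1ubuntu2.5 0
        500 http://pt.archive.ubuntu.com/ubuntu/ precise-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     1.9.3.0-1ubuntu1 0
        500 http://pt.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
EOF
}
# Constructed sample: hypothetical PPA "example-user/ruby"
sample_ppa() { cat <<'EOF'
libruby1.9.1:
  Installed: 1.9.3.0-1ubuntu2.5~ppa1
  Version table:
 *** 1.9.3.0-1ubuntu2.5~ppa1 0
        500 http://ppa.launchpad.net/example-user/ruby/ubuntu/ precise/main amd64 Packages
EOF
}
```

On a live system, pipe the real output in, for example `apt-cache policy libruby1.9.1 | classify_origin`. A `local-only` result means the installed version is not offered by any configured repository, which deserves the same closer look as a PPA.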

