Gregecslo, posted March 20, 2022:

Hi. I updated one of my Linux servers to 9.0.174.0. Now another security vendor installed on the same Linux server flagged scand (/opt/eset/efs/lib/scand) as malware.

/opt/eset/efs/lib/scand; SHA256: d24beb9d51c93a497508d99605bd60d3bec3152cf115ee002a0edd78fdd2893c
VT: https://www.virustotal.com/gui/file/d24beb9d51c93a497508d99605bd60d3bec3152cf115ee002a0edd78fdd2893c

Note: I don't use Elastic, but it detected something in the above VT link.

Question: Is /opt/eset/efs/lib/scand; SHA256: d24beb9d51c93a497508d99605bd60d3bec3152cf115ee002a0edd78fdd2893c a legit ESET file?

Thanks!
Marcos (Administrator), posted March 20, 2022 (marked as solution):

FP. The YARA rule matched the EICAR test string in raw form in the ELF file, in section .rodata. No further conditions are defined in the rule.

However, the definition of the EICAR test file reads:

Any anti-virus product that supports the EICAR test file should detect it in any file providing that the file starts with the following 68 characters, and is exactly 68 bytes long:

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
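The following is an added example, not code from the thread, from ESET, or from the vendor whose rule fired. It contrasts the over-broad condition Marcos describes (a bare substring match, which also hits a scanner's own signature table in .rodata) with a check that applies the EICAR definition quoted above (string at offset 0, file exactly 68 bytes, or optionally followed by whitespace up to 128 bytes total, as the EICAR site also allows). The ELF-like blob is constructed for the demonstration and is not the real scand binary; the tightened YARA condition is shown as a string and not executed.

```python
"""Strict EICAR check versus loose substring match (added example)."""

# The 68-byte EICAR test string, as quoted in the thread. Raw bytes literal so
# the backslash in the string is kept as-is.
EICAR_STRING = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Whitespace the EICAR specification tolerates after the string (space, tab,
# LF, CR, CTRL-Z); total file length must not exceed 128 bytes.
TRAILING_OK = b" \t\n\r\x1a"
MAX_LEN = 128


def loose_match(data: bytes) -> bool:
    """Substring match only: the condition that produced the false positive.

    Any file that merely carries the string somewhere (e.g. an AV engine's own
    signature data in .rodata) satisfies this.
    """
    return EICAR_STRING in data


def is_eicar_file(data: bytes, allow_trailing_whitespace: bool = True) -> bool:
    """True only for a genuine EICAR test file per the quoted definition."""
    if not data.startswith(EICAR_STRING):
        return False
    tail = data[len(EICAR_STRING):]
    if not tail:
        return True  # exactly 68 bytes
    if not allow_trailing_whitespace:
        return False
    # Iterating bytes yields ints; `int in bytes` tests membership by value.
    return len(data) <= MAX_LEN and all(b in TRAILING_OK for b in tail)


def classify(data: bytes) -> str:
    """Label a blob the way a well-formed rule should."""
    if is_eicar_file(data):
        return "eicar-test-file"
    if loose_match(data):
        return "embedded-eicar-string"  # benign carrier such as a scanner binary
    return "clean"


# Constructed sample: a minimal ELF-looking blob with the string buried in a
# .rodata-like region. Not a real executable and not the scand binary.
FAKE_ELF_WITH_STRING = (
    b"\x7fELF" + b"\x02\x01\x01" + b"\x00" * 9
    + b".rodata\x00" + b"padding" + EICAR_STRING + b"\x00" * 32
)

# How the YARA condition could be tightened (YARA syntax, shown only as text):
# `$eicar at 0` anchors the string to offset 0 and `filesize == 68` enforces
# the exact length from the definition.
YARA_CONDITION = "$eicar at 0 and filesize == 68"


if __name__ == "__main__":
    for name, blob in (
        ("real EICAR file", EICAR_STRING),
        ("EICAR + CRLF", EICAR_STRING + b"\r\n"),
        ("ELF-like blob with string in .rodata", FAKE_ELF_WITH_STRING),
    ):
        print(f"{name:40s} loose={loose_match(blob)!s:5} strict={classify(blob)}")
```

Running the block prints that the constructed ELF-like blob satisfies the loose check but is classified as a benign carrier, while the bare 68-byte file (with or without a trailing CRLF) is the only input classified as the EICAR test file.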
Gregecslo (author), posted March 20, 2022:

But is it a legit file: SHA256: d24beb9d51c93a497508d99605bd60d3bec3152cf115ee002a0edd78fdd2893c? I can't find a file list and their hashes...

Sorry, I just downloaded the installer and extracted it; the file hashes match.