How do I scan fedora for viruses?

asked 2015-08-03 17:48:00 -0500

If I use Vivaldi Browser, my ISP's Norton scan says I have several viruses, but if I look for the infecting files/scripts I don't find anything.


Comments


Does it mention any name for the viruses? Can you include a screenshot of the error message?

mauriciograciag (2015-08-03 20:08:40 -0500)

There are malicious websites that pretend to scan your system, finding numerous infections and trying to force you to download and install an "anti-virus" program that's really malware. You can tell because all of the "infected" files are in places that don't exist under Linux. However, Norton isn't one of them. Just thought you'd want to know in case you ran across one of them.

sideburns (2015-08-03 20:29:53 -0500)

4 Answers


answered 2015-08-03 20:14:21 -0500

mauriciograciag

updated 2015-08-03 20:43:50 -0500

Here are some Linux antivirus tools:

http://www.eset.com/us/download/home/

https://www.comodo.com/home/internet-...

and here is a review of 6 antivirus programs to help you choose:

http://www.techgyd.com/5-ways-real-mo...


Comments

That's a great list, but the first link is only Spanish; do you have a link to an English version?

sideburns (2015-08-03 20:27:49 -0500)

I have just updated the answer with this link: http://www.eset.com/us/download/home/

mauriciograciag (2015-08-03 20:44:31 -0500)

answered 2015-08-04 11:00:11 -0500

BRPocock

In addition to / alternative to a reactive method like “anti-virus” scans, there are also proactive methods built into the RPM system.

Corrupted / Infected Files

Realistically, an “actual” Virus™ (as opposed to other forms of malware) is carried by altering a host executable file or library. You can quite easily tell if any of the usual executables or libraries were altered with

 sudo rpm -q --verify --all | egrep -e '/(bin|lib)'

As seen in the resp. manpage, the first columns of this report show the following changes from when the file was installed:

   S file Size differs
   M Mode differs (includes permissions and file type)
   5 digest (formerly MD5 sum) differs
   D Device major/minor number mismatch
   L readLink(2) path mismatch
   U User ownership differs
   G Group ownership differs
   T mTime differs
   P caPabilities differ

The changed digest (5 flag) indicates a change of the contents of the file.

Preserve, and Re-install

I'd suggest backing up the files from the affected package, and re-installing, if you're suspicious of the change: (replacing /usr/bin/foo with the resp. file)

 sudo bsdtar Jcf foo-backup-$(date +%Y-%m-%d).tar.xz $(rpm -ql $(rpm -qf /usr/bin/foo)) 
 sudo dnf reinstall $(rpm -qf /usr/bin/foo --queryformat=%{Name})

Note that bsdtar preserves ACL's, while GNU tar does not.

This will allow you to investigate the changed file(s) in isolation to determine if there was an actual infection, without allowing further damage. You may need/want more “severe” mitigation, depending on your security concerns.

Kernel package

If you're concerned about the kernel as well,

sudo rpm -q --verify kernel-core | grep vmlinu

Strange Programs (eg, Trojans)

What this won't tell you, is if you've downloaded and installed a Trojan Horse program from a repository that you've added. If you only add repositories to DNF from trustworthy sources, that shouldn't be an issue …

Non-repository-installed programs in system directories are also suspicious, as are executables in “strange” directories, so it is worth checking for any executable that wasn't installed by the package tools (RPM and its higher-level front-ends).

To scan the entire system for any executable file that was installed by circumventing RPM in some way is nominally:

 LANG=C find / -type f -and -perm /0100 -exec rpm -qf {} \; | grep 'not owned'

… however, there are a few common cases where you might have many “hits” because of (for example) a mock root or a large package like the Google Android SDK that you'd like to filter out, in the hopes that they are trustworthy.

 LANG=C sudo find / -type f -and -perm /0100 -exec rpm -qf {} \; | grep 'not owned' |\
      grep -ve '/var/lib/mock' |\
      grep -ve '/opt/google/android-ndk-r10e/' |\
      tee strange-executables.log

Most of the time (in my experience), the malware to be concerned about are going to be of this form: some user downloaded a binary from some random source and “installed” it into their home directory, not realising that the program had some ulterior purpose. It's ... (more)

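An added example, not part of the answer above, that turns its two checks into reusable shell functions. `triage_rpm_verify` reads `rpm -Va` output and keeps only the lines a malware hunt cares about: it drops config (c), documentation (d) and ghost (g) entries, drops mtime-only changes, and labels the rest as content changes (S, 5, L), metadata changes (M, U, G, P) or missing files, restricted to paths containing bin or lib as the answer's grep does. `unpackaged_executables` is the answer's find/rpm -qf scan with one `rpm -qf` call per batch instead of one per file, taking exclusion regexes as arguments. Assumptions: the `rpm -Va` line layout is nine flag characters, spaces, an optional attribute letter, and a path without whitespace; the sample lines below are constructed, not taken from a real host. Keep in mind that `rpm -V` compares files against the local RPM database, which an attacker with root could also have altered, so a clean result is triage, not proof.

```bash
#!/bin/bash
# Triage helpers for rpm -Va output (added example; assumes rpm 4.x line layout).

# Read rpm -Va lines on stdin; print "<class> <flags> <path>" for the lines that
# matter: content changes, ownership/mode changes, or missing files, in
# directories that hold executables or libraries.
triage_rpm_verify() {
    awk '
    {
        flags = $1; path = $NF
        attr = (NF == 3) ? $2 : ""           # c=config, d=doc, g=ghost, ...
        if (attr == "c" || attr == "d" || attr == "g") next
        if (path !~ /\/(s?bin|lib)/) next     # same scope as egrep "/(bin|lib)"
        if (flags == "missing")
            cls = "missing"
        else if (substr(flags,1,1) == "S" || substr(flags,3,1) == "5" || substr(flags,5,1) == "L")
            cls = "content"                   # size, digest or symlink target differs
        else if (substr(flags,2,1) == "M" || substr(flags,6,1) == "U" || substr(flags,7,1) == "G" || substr(flags,9,1) == "P")
            cls = "metadata"                  # mode, owner, group or capabilities differ
        else
            next                              # mtime-only (T) or device (D) noise
        printf "%-8s %s %s\n", cls, flags, path
    }'
}

# Executables no installed package owns. Needs rpm and root; not exercised by
# the constructed sample below. Arguments are extended regexes to exclude
# (mock roots, vendor SDKs, ...). Paths with whitespace are assumed absent.
unpackaged_executables() {
    local excl='^$'
    [ $# -gt 0 ] && excl=$(printf '%s|' "$@" | sed 's/|$//')
    find / -path /proc -prune -o -path /sys -prune -o -path /dev -prune -o \
         -type f -perm /0100 -print0 2>/dev/null \
        | xargs -0 env LC_ALL=C rpm -qf 2>&1 \
        | grep 'is not owned by any package' \
        | sed 's/^file //; s/ is not owned by any package$//' \
        | grep -Ev "$excl"
}

# Constructed rpm -Va output (not from a real host) covering each branch above.
SAMPLE='S.5....T.    /usr/bin/ssh
.M.......    /usr/bin/passwd
.......T.    /usr/bin/ls
..5....T.  c /etc/ssh/sshd_config
missing     /usr/lib64/libcrypto.so.3
.....UG..    /usr/libexec/openssh/sshd-session
..5......  d /usr/share/doc/bash/README
....L....    /usr/lib64/libz.so.1
S.5....T.    /opt/vendor/bin/tool'

printf '%s\n' "$SAMPLE" | triage_rpm_verify
# On a live host:  sudo rpm -Va | triage_rpm_verify
#                  sudo bash -c "$(declare -f unpackaged_executables); unpackaged_executables '^/var/lib/mock/'"
```

Anything labelled `content` on a binary or library is the case the answer describes: back the package up and reinstall it before trusting the file again.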

answered 2015-08-03 22:44:37 -0500

aeperezt

ClamAV antivirus is open source: http://www.clamav.net/index.html


answered 2015-08-04 05:39:14 -0500

sergiomb

 clamscan -r /media/disk/
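An added example around the two ClamAV answers above, not code from either poster or from the ClamAV project. It first proves the scanner works by dropping the standard EICAR test string (a harmless 68-byte file every engine is expected to flag) into a directory and scanning it, then wraps `clamscan` with the options a full-tree scan needs (recursive, hits only, skip /proc, /sys and /dev, write a log) and maps clamscan's documented exit codes (0 nothing found, 1 infected file(s), 2 error) to words. It assumes ClamAV is installed (`dnf install clamav clamav-update`) and signatures have been refreshed with `freshclam`; the temp-directory self-check only runs when `clamscan` is on the PATH.

```bash
#!/bin/bash
# ClamAV self-check and scan wrapper (added example; assumes clamav is installed).

# Write the EICAR test file into directory $1 and print its path. The string is
# inert; it exists so you can confirm the scanner and its signatures are live.
write_eicar_sample() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > "$1/eicar.com"
    printf '%s\n' "$1/eicar.com"
}

# clamscan exit codes: 0 = nothing found, 1 = infected file(s), 2 = error.
describe_clamscan_exit() {
    case "$1" in
        0) echo clean ;;
        1) echo infected ;;
        *) echo error ;;
    esac
}

# Scan a tree, printing only infected files, and keep a log. Returns clamscan's
# exit code so callers can branch on it.
scan_tree() {
    local dir=$1 log=${2:-/tmp/clamscan-$(date +%F).log} rc
    clamscan --recursive --infected \
        --exclude-dir='^/proc' --exclude-dir='^/sys' --exclude-dir='^/dev' \
        --log="$log" "$dir"
    rc=$?
    echo "result: $(describe_clamscan_exit "$rc") (log: $log)"
    return "$rc"
}

# Self-check: a scan of a directory holding only the EICAR file must report
# "infected"; "clean" here means the install or signatures are broken.
if command -v clamscan >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    write_eicar_sample "$tmp" >/dev/null
    scan_tree "$tmp" "$tmp/scan.log" || true
    rm -rf "$tmp"
fi
# Full scan, as root so every file is readable:  sudo bash -c "$(declare -f describe_clamscan_exit scan_tree); scan_tree /"
```

Run `freshclam` first: clamscan with stale or missing signatures still exits 0, which is why the EICAR check is worth the ten seconds before a real scan.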
