# clamav shows a trojan in stage3 2018-07-12 file

## jagdpanther

I downloaded the amd64 stage3 file

http://distfiles.gentoo.org/releases/amd64/autobuilds/20180712T214503Z/stage3-amd64-20180712T214503Z.tar.xz

for a new system build tomorrow. I ran 'tar xJf' on that file as a regular user. (Yes, I expected the /dev/ files to fail.)

Then I ran 'clamscan -r -i' on the uppermost directory and I keep getting one hit:

```
usr/bin/xzdec: Unix.Trojan.Vali-6606621-0 FOUND
```

I am not feeling good about building a new system tomorrow. Should I wait for another stage3?
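
Before deciding anything on a scanner verdict, the check a practitioner would run first is whether the tarball is byte-for-byte what Gentoo published. Gentoo ships a `.DIGESTS.asc` file next to each stage3; the script below is an added example (not from the original post or from Gentoo's own tooling) that parses a DIGESTS file and compares the recorded SHA512 with the downloaded tarball. It assumes the DIGESTS layout of a `# SHA512 HASH` header followed by `sha512sum`-style `<hex>  <filename>` lines; the tarball and DIGESTS it works on are constructed stand-ins, not the real 20180712T214503Z files.

```shell
#!/bin/sh
# Added example: verify a stage3 tarball against its .DIGESTS file offline.
# Assumed DIGESTS layout: a "# SHA512 HASH" header line, then one
# "<hex>  <filename>" line per file in sha512sum format (a WHIRLPOOL block
# with the same structure may follow).  Fixtures below are constructed; they
# are not the real Gentoo files.

# verify_sha512 TARBALL DIGESTS
# Exit status: 0 = recorded SHA512 matches the file, 1 = mismatch,
#              2 = DIGESTS carries no SHA512 line for this file name.
verify_sha512() {
    tarball=$1
    digests=$2
    name=$(basename "$tarball")
    # Only accept hash lines under the "# SHA512 HASH" header that name exactly
    # this file; a WHIRLPOOL line or a .CONTENTS entry must never match.
    expected=$(awk -v f="$name" '
        /^# /                          { section = $2; next }
        section == "SHA512" && $2 == f { print $1; exit }
    ' "$digests")
    [ -n "$expected" ] || return 2
    actual=$(sha512sum "$tarball" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# --- constructed fixtures ---------------------------------------------------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir "$work/tampered"
good="$work/stage3-example.tar.xz"
bad="$work/tampered/stage3-example.tar.xz"   # same file name, one byte changed
printf 'constructed stand-in for a stage3 tarball\n'  > "$good"
printf 'constructed stand-in for a stage3 tarball!\n' > "$bad"
digests="$good.DIGESTS"
{
    echo '# SHA512 HASH'
    (cd "$work" && sha512sum stage3-example.tar.xz)
    echo '# WHIRLPOOL HASH'
    echo 'not-a-real-whirlpool-digest  stage3-example.tar.xz'
} > "$digests"

# Stand-alone demonstration: the pristine copy verifies, the tampered one does not.
for f in "$good" "$bad"; do
    if verify_sha512 "$f" "$digests"; then
        echo "OK        $f"
    else
        echo "MISMATCH  $f"
    fi
done
```

Run the real check with `verify_sha512 stage3-amd64-20180712T214503Z.tar.xz stage3-amd64-20180712T214503Z.tar.xz.DIGESTS.asc` after `gpg --verify` has passed on the `.asc`; without the signature check, a tampered DIGESTS file could vouch for a tampered tarball, so the hash comparison alone only tells you the download was not corrupted in transit.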

----------

## Chiitoo

I'm inclined to believe that to be a false positive, but you never know.  :]

For the sake of curiosity, I tested scanning the file too, two times.

First, with a “virus database is older than 7 days” warning (did not check how old; possibly almost exactly one month), and it did not detect anything.

After a 'freshclam', however, I got what you got, so it's rather new, whatever it is.

Might submit a suspected-false-positive report (or a report to confirm it's indeed bad).

----------

## Maitreya

https://forum.manjaro.org/t/clamav-detecting-viruses-on-manjaro/52066/13

https://www.linuxquestions.org/questions/showthread.php?p=5878457#post5878457

So it seems an overactive matching pattern is at play (or we are dealing with a massive infection across repositories and distributions, which is unlikely).

----------

## bunder

FWIW...

```
main.cld is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cld is up to date (version: 24751, sigs: 2013133, f-level: 63, builder: neo)
bytecode.cld is up to date (version: 324, sigs: 89, f-level: 63, builder: neo)
```

```
bloomfield ~ # clamscan -i /usr/bin/xzdec

----------- SCAN SUMMARY -----------
Known viruses: 6573260
Engine version: 0.100.1
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.01 MB
Data read: 0.01 MB (ratio 1.00:1)
Time: 23.375 sec (0 m 23 s)

bloomfield ~ # equery belongs /usr/bin/xzdec
 * Searching for /usr/bin/xzdec ...
app-arch/xz-utils-5.2.3 (/usr/bin/xzdec)

bloomfield ~ # equery l -op xz-utils
 * Searching for xz-utils ...
[IP-] [  ] app-arch/xz-utils-5.2.3:0
[-P-] [ ~] app-arch/xz-utils-5.2.4-r2:0
[-P-] [ -] app-arch/xz-utils-9999:0
```

https://ask.fedoraproject.org/en/question/123957/clamtk-scan-anomaly/

https://lists.debian.org/debian-user/2018/07/msg00579.html

----------

## Fitzcarraldo

I checked the same Gentoo Stage 3 download using the version of ClamAV on a Lubuntu installation (0.99.4, the same as the latest Gentoo Stable version), and it also flagged the same file:

```
Sat Jul 14 14:46:13 2018 -> ClamAV update process started at Sat Jul 14 14:46:13 2018
Sat Jul 14 14:46:13 2018 -> WARNING: Your ClamAV installation is OUTDATED!
Sat Jul 14 14:46:13 2018 -> WARNING: Local version: 0.99.4 Recommended version: 0.100.1
Sat Jul 14 14:46:13 2018 -> DON'T PANIC! Read http://www.clamav.net/documents/upgrading-clamav
Sat Jul 14 14:46:13 2018 -> main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
Sat Jul 14 14:46:15 2018 -> Downloading daily-24752.cdiff [100%]
Sat Jul 14 14:46:18 2018 -> daily.cld updated (version: 24752, sigs: 2013390, f-level: 63, builder: neo)
Can't query daily.24752.85.1.0.6810BA8A.ping.clamav.net
Sat Jul 14 14:46:18 2018 -> bytecode.cld is up to date (version: 324, sigs: 89, f-level: 63, builder: neo)
Sat Jul 14 14:46:21 2018 -> Database updated (6579728 signatures) from db.local.clamav.net (IP: 104.16.186.138)
```

```
ClamTk, v5.25
Sat Jul 14 15:02:10 2018
ClamAV Signatures: 6579639
Directories Scanned:
/home/fitzcarraldo/downloaded-gentoo-files/usr/bin

Found 1 possible threat (51374 files scanned).

/home/fitzcarraldo/downloaded-gentoo-files/usr/bin/xzdec      Unix.Trojan.Vali-6606621-0
----------------------------------------------------------------------
```

Bunder's results, on the other hand, are for ClamAV 0.100.1 (the latest Testing version in Gentoo), which gives the file the all-clear. So it looks like it could be the version of the ClamAV application, not the signatures, that is at fault.

----------

## jagdpanther

Although it appears that the clamav 'hit' on /usr/bin/xzdec is a false positive, I noticed that the xzdec on my old Gentoo system, which is up to date (software-wise, not hardware), does not trip clamav. So before I ran the chroot command on the new system, during the install, I just replaced the stage3-provided xzdec with the one from my old system. (Both are x86_64.) They are a few bytes different in size, and I suspect that my CFLAGS (and perhaps some USE flag) settings account for the difference in size.
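
A size comparison between two xzdec builds says little either way, since different CFLAGS or USE flags change the binary too. What the extracted stage3 does carry is Portage's own record of every file it installed, under `var/db/pkg/<category>/<package-version>/CONTENTS`, with an MD5 per regular file. The script below is an added example (not from the original post, and not Portage's `qcheck`) that walks such a CONTENTS file and reports which files in an extracted tree still match the record. It relies only on the CONTENTS line format Portage writes (`obj <path> <md5> <mtime>`, plus `dir` and `sym` lines without hashes); the two trees it checks are constructed stand-ins in which "xzdec" is a text file rather than the real binary.

```shell
#!/bin/sh
# Added example: compare files in an extracted stage3 tree with the Portage VDB
# record shipped inside the same tarball.  Portage writes, per installed package,
# <root>/var/db/pkg/<category>/<package-version>/CONTENTS with lines such as
#   obj /usr/bin/xzdec <md5hex> <mtime>      (regular file, hashed)
#   dir /usr/bin                             (no hash)
#   sym /usr/bin/unxz -> xz <mtime>          (no hash)
# Everything under "constructed fixtures" is made up for the demonstration.

# check_contents ROOT CONTENTS
# Prints "OK|MISMATCH|MISSING <path>" for every obj entry (paths are taken
# relative to ROOT); exit status 0 when all entries verify, 1 otherwise.
# dir and sym entries carry no hash and are skipped.  Paths containing spaces
# are not handled by this simple reader.
check_contents() {
    root=$1
    contents=$2
    failures=0
    while read -r kind path md5 mtime; do
        [ "$kind" = "obj" ] || continue
        if [ ! -f "$root$path" ]; then
            echo "MISSING  $path"
            failures=$((failures + 1))
            continue
        fi
        actual=$(md5sum "$root$path" | awk '{ print $1 }')
        if [ "$actual" = "$md5" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            failures=$((failures + 1))
        fi
    done < "$contents"
    [ "$failures" -eq 0 ]
}

# --- constructed fixtures: two extracted trees, one pristine, one with a swapped xzdec
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
pristine="$work/pristine"
swapped="$work/swapped"
vdb="var/db/pkg/app-arch/xz-utils-5.2.4-r2"
for r in "$pristine" "$swapped"; do
    mkdir -p "$r/usr/bin" "$r/$vdb"
    printf 'stand-in for the stage3 xzdec\n' > "$r/usr/bin/xzdec"
    printf 'stand-in for xz\n'               > "$r/usr/bin/xz"
done
# CONTENTS as Portage would have recorded it for the files above (mtimes illustrative).
md5_xzdec=$(md5sum "$pristine/usr/bin/xzdec" | awk '{ print $1 }')
md5_xz=$(md5sum "$pristine/usr/bin/xz" | awk '{ print $1 }')
for r in "$pristine" "$swapped"; do
    cat > "$r/$vdb/CONTENTS" <<EOF
dir /usr/bin
obj /usr/bin/xzdec $md5_xzdec 1531427000
obj /usr/bin/xz $md5_xz 1531427000
sym /usr/bin/unxz -> xz 1531427000
EOF
done
# Swap xzdec in the second tree for one "built elsewhere", as the post above did.
printf 'stand-in for an xzdec built on another system\n' > "$swapped/usr/bin/xzdec"

# Stand-alone demonstration: the pristine tree verifies, the swapped one reports xzdec.
for r in "$pristine" "$swapped"; do
    echo "== $r"
    check_contents "$r" "$r/$vdb/CONTENTS" || echo "   tree does not match its CONTENTS record"
done
```

On a real extracted stage3, run `check_contents /path/to/extracted /path/to/extracted/var/db/pkg/app-arch/xz-utils-*/CONTENTS` (or `qcheck xz-utils` from portage-utils inside the chroot). Two caveats: the CONTENTS record lives in the same tarball as the binary, so it detects files changed after extraction or a binary that does not belong to the recorded build, not a tarball that was tampered with wholesale, which is what the `.DIGESTS.asc` signature check is for; and MD5 is what Portage records, so treat a match as "consistent with the package build", not as a cryptographic guarantee.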

----------

## krinn

You might also look at the trojan's effect; it generally defines its nature. While this one is named "Unix", it still seems that it's one for Windows and not *nix.

And finding its pattern inside an ELF-format file is then a false positive.

----------

