samba - Jul 2018 - ClamAV reporting virus found in 4.8.3 from source

Hello,

     I'm sure it's a false positive but figured I post any way. My 
weekly full scan of my servers reported the following results.

/root/samba-4.8.3/bin/default/source3/lib/netapi/examples/group/group_deluser.inst:
Unix.Trojan.Vali-6606621-0 FOUND
/root/samba-4.8.3/bin/default/source3/lib/netapi/examples/group/group_adduser.inst:
Unix.Trojan.Vali-6606621-0 FOUND
/root/samba-4.8.3/bin/default/source3/lib/netapi/examples/group/group_deluser: 
Unix.Trojan.Vali-6606621-0 FOUND
/root/samba-4.8.3/bin/default/source3/lib/netapi/examples/group/group_adduser: 
Unix.Trojan.Vali-6606621-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6574044
Engine version: 0.99.4
Scanned directories: 10863
Scanned files: 73216
Infected files: 4
Data scanned: 3995.07 MB
Data read: 16074.27 MB (ratio 0.25:1)
Time: 3595.060 sec (59 m 55 s)

Anyone else using ClamAV and found the same thing? Thanks.

-James

Hai, 

I tested with a clean installed debian server, no internet, except through my
proxy server.

clamscan -i /usr/* 
/usr/bin/systemd-mount: Unix.Trojan.Vali-6606621-0 FOUND

Imo, false positive, i've check it. 

cat /var/lib/dpkg/info/systemd.md5sums | grep systemd-mount
e25777acee542359f7f40afaeb930195  usr/bin/systemd-mount
74f79531541390d12bba49581c71ef8e  usr/share/man/man1/systemd-mount.1.gz


md5sum /usr/bin/systemd-mount
e25777acee542359f7f40afaeb930195  /usr/bin/systemd-mount
Matches the above nicely. 

Since i'm just back from vacation. 
I have some work todo first ..  but this catched my eye. 
And i'll go through the 2 weeks of mailings this week. 


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens 
> lingpanda101 via samba
> Verzonden: maandag 16 juli 2018 14:02
> Aan: samba at lists.samba.org
> Onderwerp: [Samba] ClamAV reporting virus found in 4.8.3 from source
> 
> Hello,
> 
>      I'm sure it's a false positive but figured I post any way. My 
> weekly full scan of my servers reported the following results.
> 
> /root/samba-4.8.3/bin/default/source3/lib/netapi/examples/grou
> p/group_deluser.inst: 
> Unix.Trojan.Vali-6606621-0 FOUND
> /root/samba-4.8.3/bin/default/source3/lib/netapi/examples/grou
> p/group_adduser.inst: 
> Unix.Trojan.Vali-6606621-0 FOUND
> /root/samba-4.8.3/bin/default/source3/lib/netapi/examples/grou
> p/group_deluser: 
> Unix.Trojan.Vali-6606621-0 FOUND
> /root/samba-4.8.3/bin/default/source3/lib/netapi/examples/grou
> p/group_adduser: 
> Unix.Trojan.Vali-6606621-0 FOUND
> 
> ----------- SCAN SUMMARY -----------
> Known viruses: 6574044
> Engine version: 0.99.4
> Scanned directories: 10863
> Scanned files: 73216
> Infected files: 4
> Data scanned: 3995.07 MB
> Data read: 16074.27 MB (ratio 0.25:1)
> Time: 3595.060 sec (59 m 55 s)
> 
> Anyone else using ClamAV and found the same thing? Thanks.
> 
> -James
> 
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 
>

On Mon, 2018-07-16 at 08:02 -0400, lingpanda101 via samba
wrote:
> Hello,
> 
>      I'm sure it's a false positive but figured I post any way. My 
> weekly full scan of my servers reported the following results.
ClamAV signatures are notoriously broad, we had samba sources being
banned due to some windows shell commands we included.  

https://www.linuxquestions.org/questions/slackware-14/clamav-detection-
on-cups-4175633866/

https://ubuntuforums.org/showthread.php?t=2396418

https://lists.debian.org/debian-user/2018/07/msg00580.html

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba