Anyone want to explain why ClamAV thinks Wine has a rootkit in it?

It finds "mountmgr.sys" and "usbd.sys" as "BC.Heuristics.Rootkit.B".

This is not altered Wine, or even used, but it happens with a pure, straight-up compile of Wine from source, even if it has never been run. It's finding them in the fakedlls folder.

I have not tried on Linux, only on Mac OS X, using the ClamAV 0.96.2 base.
> Anyone want to explain why ClamAV thinks Wine has a rootkit in it?
>
> It finds "mountmgr.sys" and "usbd.sys" as "BC.Heuristics.Rootkit.B".
>
> This is not altered Wine, or even used, but it happens with a pure, straight-up compile of Wine from source, even if it has never been run. It's finding them in the fakedlls folder.
>
> I have not tried on Linux, only on Mac OS X, using the ClamAV 0.96.2 base.

I think this was discussed a week or so ago, and it was concluded that this was a detection false positive.

John
doh123 wrote:
> Anyone want to explain why ClamAV thinks Wine has a rootkit in it?
>
> It finds "mountmgr.sys" and "usbd.sys" as "BC.Heuristics.Rootkit.B".
>
> This is not altered Wine, or even used, but it happens with a pure, straight-up compile of Wine from source, even if it has never been run. It's finding them in the fakedlls folder.
>
> I have not tried on Linux, only on Mac OS X, using the ClamAV 0.96.2 base.

You're the second person to ask. http://forum.winehq.org/viewtopic.php?t=9725

Someone should report this to ClamAV.
doh123 <wineforum-user at winehq.org> wrote:
> Sent: Sep 29, 2010 10:37 PM
> To: wine-users at winehq.org
> Subject: [Wine] ClamAV thinks Wine contains a rootkit?
>
> Anyone want to explain why ClamAV thinks Wine has a rootkit in it?
>
> It finds "mountmgr.sys" and "usbd.sys" as "BC.Heuristics.Rootkit.B".
>
> This is not altered Wine, or even used, but it happens with a pure, straight-up compile of Wine from source, even if it has never been run. It's finding them in the fakedlls folder.

This was discussed last week, and the determination is that it is a false positive from ClamAV. At least we can confirm that, as that rootkit does not run on the Mac, as far as I can determine.

> I have not tried on Linux, only on Mac OS X, using the ClamAV 0.96.2 base.

Can you report this to ClamAV?

James McKenzie
Thanks. The search here is pretty bad; I searched for all kinds of stuff about this on the wiki and the forum, and it never turned up that post.
On Thu, Sep 30, 2010 at 11:19 AM, doh123 <wineforum-user at winehq.org> wrote:
> Thanks. The search here is pretty bad; I searched for all kinds of stuff about this on the wiki and the forum, and it never turned up that post.

That is one reason why I use the mailing list: all messages go to my 7.5GB Google Mail account. I have every non-spam Wine message for years, and searching is easy. However, I guess the correct terms (site:http://forum.winehq.org/) in a Google search can achieve the same result without needing my own copy.

John
On Thu, Sep 30, 2010 at 07:37, doh123 <wineforum-user at winehq.org> wrote:
> Anyone want to explain why ClamAV thinks Wine has a rootkit in it?
>
> It finds "mountmgr.sys" and "usbd.sys" as "BC.Heuristics.Rootkit.B".

They are replacements for standard Windows drivers that act differently from the normal versions (and lack the signatures of an authorized Microsoft version)? Which seems to match the definition of a rootkit... (For Windows, an unsigned core driver is quite likely to be dangerous.)

The Wikipedia definition is: A rootkit is software that enables continued privileged access to a computer, while actively hiding its presence from administrators by subverting standard operating system functionality or other applications.

Wine intentionally modifies the behaviour of the underlying system to make Windows programs run, so detecting it as a generic rootkit is probably accurate... (And it hides its presence from the applications that run under it.)

ClamAV probably assumes that a modified version of any Windows driver that can be used to hide disks / partitions / files is likely to be a rootkit (which it is, on Windows) and detects it as such?

(Rootkits can hide themselves by using virtualization and emulation techniques, which makes any emulation / virtualization software a potential suspect to an antivirus.)

(And since you can call hidden functionality in Wine (Unix syscalls, etc.) it might even meet the definition of a rootkit from a Windows application's point of view...)

Gert
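The practical question behind this thread is how to tell a heuristic false positive from a real hit before whitelisting anything. The script below is an added example for that triage step; it is not code from the thread, from Wine or from ClamAV. It relies on three things that are real: clamscan reports each detection as "path: signature FOUND", ClamAV's engine heuristics carry a "Heuristics." or "BC.Heuristics." prefix (the "BC." ones come from the bytecode engine), and a local .ign2 file lists one signature name per line to ignore. Everything else is an assumption for the example: the scan output, the file paths, and the hashes are constructed, and the check itself (compare the flagged file's SHA-256 against the same file from a fresh, trusted build from source) is the editor's suggested procedure, not anything the Wine or ClamAV projects prescribe.

```python
import hashlib
import re
from pathlib import PurePosixPath

# clamscan prints one line per detection in the form "<path>: <signature> FOUND".
HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Constructed clamscan output, modelled on the thread's report (not a real scan log).
# Eicar-Test-Signature is the real ClamAV name for the EICAR test file; it is a
# pattern signature, not a heuristic, so it serves as the "real hit" case here.
SAMPLE_SCAN_OUTPUT = """\
/Users/doh123/wine/fakedlls/mountmgr.sys: BC.Heuristics.Rootkit.B FOUND
/Users/doh123/wine/fakedlls/usbd.sys: BC.Heuristics.Rootkit.B FOUND
/tmp/eicar.com: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 3
"""


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Hypothetical hashes of the placeholder drivers from a fresh build from source.
REFERENCE_HASHES = {
    "mountmgr.sys": _h(b"constructed: fresh-build mountmgr.sys"),
    "usbd.sys": _h(b"constructed: fresh-build usbd.sys"),
}

# Hypothetical hashes of the files that were actually scanned. mountmgr.sys matches
# the reference; usbd.sys does not, so it must not be waved through as a false positive.
OBSERVED_HASHES = {
    "/Users/doh123/wine/fakedlls/mountmgr.sys": REFERENCE_HASHES["mountmgr.sys"],
    "/Users/doh123/wine/fakedlls/usbd.sys": _h(b"constructed: contents differ from reference"),
}


def parse_hits(scan_output: str):
    """Return (path, signature) pairs for every FOUND line in clamscan output."""
    hits = []
    for line in scan_output.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def is_heuristic(sig: str) -> bool:
    """Engine heuristics (including bytecode heuristics) versus hash/pattern signatures."""
    return sig.startswith(("Heuristics.", "BC.Heuristics."))


def is_wine_placeholder_path(path: str) -> bool:
    """Wine's stub drivers/DLLs live under a directory named fakedlls."""
    return "fakedlls" in PurePosixPath(path).parts


def sha256_file(path: str) -> str:
    """Hash a real file on disk; use this to build OBSERVED_HASHES outside the example."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(scan_output: str, observed_hashes: dict, reference_hashes: dict) -> dict:
    """Map each flagged path to a verdict.

    A non-heuristic signature is treated as a real match. A heuristic hit on a Wine
    placeholder is only called a likely false positive when the file is byte-for-byte
    identical to the trusted reference build; anything else stays unverified.
    """
    verdicts = {}
    for path, sig in parse_hits(scan_output):
        name = PurePosixPath(path).name
        if not is_heuristic(sig):
            verdicts[path] = "signature match"
        elif is_wine_placeholder_path(path) and observed_hashes.get(path) == reference_hashes.get(name):
            verdicts[path] = "likely false positive"
        else:
            verdicts[path] = "unverified heuristic"
    return verdicts


def whitelist_lines(verdicts: dict, scan_output: str) -> list:
    """Signature names to place in a local .ign2 file (one name per line)."""
    sigs = {sig for path, sig in parse_hits(scan_output) if verdicts.get(path) == "likely false positive"}
    return sorted(sigs)


if __name__ == "__main__":
    verdicts = triage(SAMPLE_SCAN_OUTPUT, OBSERVED_HASHES, REFERENCE_HASHES)
    for path, verdict in verdicts.items():
        print(f"{verdict:24} {path}")
    print("would whitelist:", whitelist_lines(verdicts, SAMPLE_SCAN_OUTPUT))
```

Two caveats on the whitelist step. An .ign2 entry silences that signature name everywhere, so adding BC.Heuristics.Rootkit.B ignores the rootkit heuristic for every file on the machine, not just Wine's placeholders; if the goal is only to stop the noise from the Wine tree, clamscan's --exclude-dir option is the narrower fix. And a hash match against a reference build only says "this is the file Wine produced", which is exactly the thread's conclusion; it does not say the heuristic is wrong in general, which is why the false positive still belongs in a report to ClamAV.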