F-prot anti-virus - do I delete the files?


carlos
14th December 2004, 02:50 AM
I ran an f-prot anti-virus scan
f-prot -auto -disinf -report=blah /
and got the following message as part of it.
I update the viruses every few hours so I don't see how I could have unknown viruses - should I delete these files or are they benign? Thanks for any pointers.

/usr/lib/mailman/tests/msgs/nimda.txt->readme.exe could be infected with an unknown virus
Virus-infected files in archives cannot be disinfected.
/usr/lib/debug/sbin/ip.debug could be infected with an unknown virus
Viruses cannot be disinfected unless they are identified.
/usr/lib/debug/sbin/rtmon.debug could be infected with an unknown virus
Viruses cannot be disinfected unless they are identified.
/usr/lib/debug/sbin/tc.debug could be infected with an unknown virus
Viruses cannot be disinfected unless they are identified.
/usr/lib/debug/usr/sbin/rtacct.debug could be infected with an unknown virus
Viruses cannot be disinfected unless they are identified.
/usr/lib/debug/usr/sbin/rtstat.debug could be infected with an unknown virus
Viruses cannot be disinfected unless they are identified.
/usr/lib/debug/usr/sbin/nstat.debug could be infected with an unknown virus
Viruses cannot be disinfected unless they are identified.
/usr/lib/debug/usr/sbin/ss.debug could be infected with an unknown virus
Viruses cannot be disinfected unless they are identified.

crackers
14th December 2004, 04:36 AM
You can find out if the file is part of an installed package:

$ rpm -qif /usr/lib/debug/sbin/ip.debug
Name        : iproute          Relocations: (not relocatable)
Version     : 2.6.9            Vendor: Red Hat, Inc.
Release     : 3                Build Date: Mon 20 Sep 2004 04:21:34 AM CDT
...

As far as I can tell, these are special files used to debug the specific processes they're named after. I do not know what just deleting them would do - you could always move (mv) them elsewhere (make sure to keep track of them and keep the owner/permissions correct) and see what happens.

I actually kind of doubt they're infected - F-Prot is apparently seeing something ambiguous in them and flagging them as possibly being infected. I'd almost bet they're not...
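
The package-ownership check from the reply above, applied to every flagged path in a report and followed by an `rpm -Vf` integrity check, as an added example that is not part of the original thread. The function names and the sample report (built from lines quoted in the thread) are constructed for illustration, and an RPM-based system is assumed.

```shell
#!/bin/sh
# Added example: triage F-Prot "could be infected" lines against the RPM database.

# Constructed sample report, in the format of the scan output quoted in the thread.
SAMPLE_REPORT='/usr/lib/mailman/tests/msgs/nimda.txt->readme.exe could be infected with an unknown virus
Virus-infected files in archives cannot be disinfected.
/usr/lib/debug/sbin/ip.debug could be infected with an unknown virus
Viruses cannot be disinfected unless they are identified.
/usr/lib/debug/sbin/ip.debug could be infected with an unknown virus'

# Read a report on stdin and print each flagged on-disk path once.
# "container->member" is reduced to the container, the file rpm can look up.
flagged_paths() {
    sed -n 's/ could be infected with an unknown virus$//p' |
        sed 's/->.*$//' | sort -u
}

# Classify one path: missing, unowned, modified or unmodified.
classify() {
    path=$1
    [ -e "$path" ] || { echo "missing"; return 0; }
    # rpm -qf exits non-zero when no installed package owns the file.
    pkg=$(rpm -qf "$path" 2>/dev/null) || { echo "unowned"; return 0; }
    # rpm -Vf verifies the owning package and prints one line per file that
    # differs from the recorded size, digest, mode, owner and so on.
    if rpm -Vf "$path" 2>/dev/null |
        awk -v p="$path" '$NF == p { hit = 1 } END { exit !hit }'; then
        echo "modified ($pkg)"
    else
        echo "unmodified ($pkg)"
    fi
}

# Print "path<TAB>verdict" for every flagged path in the report on stdin.
triage() {
    flagged_paths | while IFS= read -r p; do
        printf '%s\t%s\n' "$p" "$(classify "$p")"
    done
}

# Run only where rpm exists; pass a saved report file as $1, else use the sample.
if command -v rpm >/dev/null 2>&1; then
    if [ -n "${1:-}" ]; then
        triage < "$1"
    else
        printf '%s\n' "$SAMPLE_REPORT" | triage
    fi
fi
```

A verdict of "unmodified" means the file matches the local RPM database; "unowned" or "modified" paths are the ones that warrant a closer look.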

carlos
14th December 2004, 05:36 AM

Thanks. I checked them all out as you said and they all seem kosher.