hello,
We have a running Nagios Log Server, and ClamAV, after being updated with virus definitions, tagged some files as malware. Kindly see the details below:
Should we remove these files, or what should we do?
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/plexus-interpolation-1.21.jar: Java.Malware.Agent-6205983-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/aether-spi-1.0.2.v20150114.jar: Java.Malware.Agent-6203297-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/aether-impl-1.0.2.v20150114.jar: Java.Malware.Agent-6206104-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/jruby/lib/ruby/gems/shared/gems/ruby-maven-libs-3.1.1/lib/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6206104-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/jruby/lib/ruby/gems/shared/gems/ruby-maven-libs-3.1.1/lib/plexus-interpolation-1.19.jar: Java.Malware.Agent-6205983-0 FOUND
----------- SCAN SUMMARY -----------
Known viruses: 6182007
Engine version: 0.99.2
Scanned directories: 27878
Scanned files: 108158
Infected files: 5
Total errors: 2090
Data scanned: 5801.48 MB
Data read: 6392.01 MB (ratio 0.91:1)
Time: 598.697 sec (9 m 58 s)
ClamAV tagged logstash files as malware
Re: ClamAV tagged logstash files as malware
I was able to reproduce this:
JRuby depends on Maven, which is what's using those Jar files. I'm not entirely sure why ClamAV is picking them up as malware. My best guess is that ClamAV doesn't recognize this as Maven, and all it sees is Java libs typically used for agents/downloaders. I definitely wouldn't remove them since that would break Logstash.
It seems like they were slated to be removed in a later version of Logstash. GitHub posts:
https://github.com/elastic/logstash/issues/3847
https://github.com/elastic/logstash/pull/3855
[root@nls1 ~]# clamscan -r -o /usr/local/nagioslogserver/logstash/
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/i18n-0.6.9/test/test_data/locales/invalid/empty.yml: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-win32ole-0.8.5/README: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-win32ole-0.8.5/nbproject/private/config.properties: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-lumberjack-0.1.9/CHANGELOG.md: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-s3-0.1.11/CHANGELOG.md: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/nokogiri-1.6.6.2-java/suppressions/nokogiri_ruby-1.8.7.370.supp: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/nokogiri-1.6.6.2-java/test/files/bogus.xml: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/aether-impl-1.0.2.v20150114.jar: Java.Malware.Agent-6206104-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/aether-spi-1.0.2.v20150114.jar: Java.Malware.Agent-6204790-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/plexus-interpolation-1.21.jar: Java.Malware.Agent-6205983-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/rubyzip-1.1.7/test/data/globTest/foo/bar/baz/foo.txt: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/rubyzip-1.1.7/test/data/globTest/foo.txt: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/rubyzip-1.1.7/test/data/globTest/food.txt: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/stud-0.0.19/CHANGELIST: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/treetop-1.4.15/examples/lambda_calculus/lambda_calculus: Empty file
/usr/local/nagioslogserver/logstash/vendor/jruby/lib/ruby/gems/shared/gems/descendants_tracker-0.0.4/TODO: Empty file
/usr/local/nagioslogserver/logstash/vendor/jruby/lib/ruby/gems/shared/gems/ruby-maven-libs-3.1.1/lib/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6206104-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/jruby/lib/ruby/gems/shared/gems/ruby-maven-libs-3.1.1/lib/plexus-interpolation-1.19.jar: Java.Malware.Agent-6205983-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/jruby/lib/ruby/shared/rake/ext/module.rb: Empty file
----------- SCAN SUMMARY -----------
Known viruses: 6192436
Engine version: 0.99.2
Scanned directories: 2064
Scanned files: 8414
Infected files: 5
Data scanned: 237.96 MB
Data read: 119.92 MB (ratio 1.98:1)
Time: 57.007 sec (0 m 57 s)
Former Nagios employee
https://www.mcapra.com/
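As an added example, not part of the thread and not Nagios or Logstash code: a small Python triage script that parses clamscan output like the one above, separates the `FOUND` detections from the informational `Empty file` notes, pulls the artifact name and version out of each JAR path, and computes the local SHA-1 so it can be compared with the `.sha1` checksum Maven Central publishes beside each artifact. The scan text embedded in it is constructed from the paths in the thread; the Maven groupIds needed to locate the artifacts on Maven Central are not in the paths and are not assumed here.

```python
"""Triage helper for clamscan output (added example, not from the forum thread).

Parses the `path: Signature FOUND` and `path: Empty file` lines that clamscan
prints, keeps only real detections, and computes the SHA-1 of each flagged
file that exists locally so it can be compared with the `.sha1` checksum
Maven Central publishes next to every artifact. A matching digest shows the
JAR is the unmodified upstream build, which is the evidence you want before
deciding a hit on a vendored library is a false positive.
"""
import hashlib
import os
import re
from collections import defaultdict

# Constructed sample modelled on the clamscan output in the thread.
SAMPLE_SCAN = """\
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/i18n-0.6.9/test/test_data/locales/invalid/empty.yml: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/aether-impl-1.0.2.v20150114.jar: Java.Malware.Agent-6206104-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/plexus-interpolation-1.21.jar: Java.Malware.Agent-6205983-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/jruby/lib/ruby/gems/shared/gems/ruby-maven-libs-3.1.1/lib/plexus-interpolation-1.19.jar: Java.Malware.Agent-6205983-0 FOUND
----------- SCAN SUMMARY -----------
Infected files: 3
"""

# clamscan detection line: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
# Maven file names are <artifactId>-<version>.jar; the version starts at the
# first "-" that is followed by a digit.
ARTIFACT_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[^/]*)\.jar$")


def parse_detections(scan_text):
    """Return a list of (path, signature) for every FOUND line.

    "Empty file" notes and the summary block are not detections and are
    skipped.
    """
    hits = []
    for line in scan_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def maven_coordinates(path):
    """Split a JAR file name into (artifactId, version), or None."""
    m = ARTIFACT_RE.match(os.path.basename(path))
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def group_by_signature(hits):
    """Map each ClamAV signature to the artifacts it fired on.

    The same signature firing on two versions of the same library (as in the
    thread) is a strong hint that it matches a generic code pattern rather
    than a specific malicious build.
    """
    by_sig = defaultdict(list)
    for path, sig in hits:
        by_sig[sig].append(maven_coordinates(path) or os.path.basename(path))
    return dict(by_sig)


def sha1_of_file(path, chunk=1 << 16):
    """SHA-1 hex digest of a local file, or None if it is not present."""
    if not os.path.isfile(path):
        return None
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def triage(scan_text):
    """One record per detection: what fired, on which artifact, local SHA-1."""
    return [
        {"path": p, "signature": s, "artifact": maven_coordinates(p),
         "sha1": sha1_of_file(p)}
        for p, s in parse_detections(scan_text)
    ]


if __name__ == "__main__":
    for rec in triage(SAMPLE_SCAN):
        print(rec["signature"], rec["artifact"],
              rec["sha1"] or "(file not present on this host)")
```

Run it on the real output (`clamscan -r -o ... | python3 triage.py`-style piping is left out here so the block stays self-contained) and compare each printed SHA-1 with the `.jar.sha1` file for that artifactId and version on Maven Central; only a mismatch would justify treating the hit as anything other than a signature false positive, and even then the fix is to restore the upstream JAR, not to delete it and break Logstash.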
Re: ClamAV tagged logstash files as malware
Thank you very much for the info.
Re: ClamAV tagged logstash files as malware
Did you want to have the thread locked at this point or were there any more related questions?
Re: ClamAV tagged logstash files as malware
We can now close this issue. Thanks.