ClamAV tagged logstash files as malware

Posted: Tue Apr 04, 2017 7:29 pm
by judge01
Hello,

We have a running Nagios Log Server, and ClamAV, after being updated with virus definitions, tagged some files as malware. Kindly see details below:
Should we remove these files, or what should we do?

/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/plexus-interpolation-1.21.jar: Java.Malware.Agent-6205983-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/aether-spi-1.0.2.v20150114.jar: Java.Malware.Agent-6203297-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/aether-impl-1.0.2.v20150114.jar: Java.Malware.Agent-6206104-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/jruby/lib/ruby/gems/shared/gems/ruby-maven-libs-3.1.1/lib/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6206104-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/jruby/lib/ruby/gems/shared/gems/ruby-maven-libs-3.1.1/lib/plexus-interpolation-1.19.jar: Java.Malware.Agent-6205983-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6182007
Engine version: 0.99.2
Scanned directories: 27878
Scanned files: 108158
Infected files: 5
Total errors: 2090
Data scanned: 5801.48 MB
Data read: 6392.01 MB (ratio 0.91:1)
Time: 598.697 sec (9 m 58 s)

Re: ClamAV tagged logstash files as malware

Posted: Wed Apr 05, 2017 11:15 am
by mcapra
I was able to reproduce this:

[root@nls1 ~]# clamscan -r -o /usr/local/nagioslogserver/logstash/
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/i18n-0.6.9/test/test_data/locales/invalid/empty.yml: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-win32ole-0.8.5/README: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/jruby-win32ole-0.8.5/nbproject/private/config.properties: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-lumberjack-0.1.9/CHANGELOG.md: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-s3-0.1.11/CHANGELOG.md: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/nokogiri-1.6.6.2-java/suppressions/nokogiri_ruby-1.8.7.370.supp: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/nokogiri-1.6.6.2-java/test/files/bogus.xml: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/aether-impl-1.0.2.v20150114.jar: Java.Malware.Agent-6206104-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/aether-spi-1.0.2.v20150114.jar: Java.Malware.Agent-6204790-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/ruby-maven-libs-3.3.3/maven-home/lib/plexus-interpolation-1.21.jar: Java.Malware.Agent-6205983-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/rubyzip-1.1.7/test/data/globTest/foo/bar/baz/foo.txt: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/rubyzip-1.1.7/test/data/globTest/foo.txt: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/rubyzip-1.1.7/test/data/globTest/food.txt: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/stud-0.0.19/CHANGELIST: Empty file
/usr/local/nagioslogserver/logstash/vendor/bundle/jruby/1.9/gems/treetop-1.4.15/examples/lambda_calculus/lambda_calculus: Empty file
/usr/local/nagioslogserver/logstash/vendor/jruby/lib/ruby/gems/shared/gems/descendants_tracker-0.0.4/TODO: Empty file
/usr/local/nagioslogserver/logstash/vendor/jruby/lib/ruby/gems/shared/gems/ruby-maven-libs-3.1.1/lib/aether-impl-0.9.0.M2.jar: Java.Malware.Agent-6206104-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/jruby/lib/ruby/gems/shared/gems/ruby-maven-libs-3.1.1/lib/plexus-interpolation-1.19.jar: Java.Malware.Agent-6205983-0 FOUND
/usr/local/nagioslogserver/logstash/vendor/jruby/lib/ruby/shared/rake/ext/module.rb: Empty file

----------- SCAN SUMMARY -----------
Known viruses: 6192436
Engine version: 0.99.2
Scanned directories: 2064
Scanned files: 8414
Infected files: 5
Data scanned: 237.96 MB
Data read: 119.92 MB (ratio 1.98:1)
Time: 57.007 sec (0 m 57 s)

JRuby depends on Maven, which is what's using those JAR files. I'm not entirely sure why ClamAV is picking them up as malware. My best guess is that ClamAV doesn't recognize this as Maven, and all it sees is Java libs typically used for agents/downloaders. I definitely wouldn't remove them since that would break Logstash.

It seems like they were slated to be removed in a later version of Logstash. GitHub posts:
https://github.com/elastic/logstash/issues/3847
https://github.com/elastic/logstash/pull/3855

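One way to handle a detection you have verified as a false positive without deleting the JARs (which breaks Logstash) or switching the signature off entirely, as an added example that is not part of this thread nor of Nagios, Logstash or ClamAV: a POSIX shell script that turns the FOUND lines of a clamscan report into ClamAV .fp whitelist entries (hash:size:name; the ClamAV signature docs accept MD5, SHA1 or SHA256 there) for files whose hash the administrator has first checked against the upstream Maven artifact. The function names are the example's own, and the sample report in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): build a ClamAV .fp whitelist from a
# clamscan report, so that only the specific verified files are exempted and
# the Java.Malware.Agent signatures stay active for everything else.

# Print "path|signature" for every "... FOUND" line on stdin. Lines such as
# "...: Empty file" and the scan summary do not end in FOUND and are skipped.
extract_found() {
    sed -n 's/^\(.*\): \([^:]*\) FOUND$/\1|\2/p'
}

# SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# One .fp entry: sha256:size:name. The name is free text; reusing the
# signature name documents which detection the entry suppresses.
fp_entry() {
    printf '%s:%s:%s\n' "$(sha256_of "$1")" "$(wc -c < "$1" | tr -d ' ')" "$2"
}

# Read a clamscan report on stdin and emit one .fp entry per flagged file
# that still exists on disk (missing files are reported on stderr).
report_to_fp() {
    extract_found | while IFS='|' read -r path sig; do
        if [ -f "$path" ]; then
            fp_entry "$path" "$sig"
        else
            echo "skipping missing file: $path" >&2
        fi
    done
}

# Usage: clamscan -r /usr/local/nagioslogserver/logstash/ | report_to_fp > logstash-fp.fp
```

Copy the resulting .fp file into the ClamAV database directory (the one clamconf reports as DatabaseDirectory) and rescan; only files with exactly those hashes are exempted, so a later, genuinely different JAR is still detected.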
Re: ClamAV tagged logstash files as malware

Posted: Thu Apr 06, 2017 1:50 am
by judge01
Thank you very much for the info.

Re: ClamAV tagged logstash files as malware

Posted: Thu Apr 06, 2017 11:05 am
by cdienger
Did you want to have the thread locked at this point or were there any more related questions?

Re: ClamAV tagged logstash files as malware

Posted: Tue Apr 18, 2017 8:50 pm
by judge01
We can now close this issue. Thanks.