-1

Today clamAV scanned my AWS instances and detect infected files on each. It looks like false positive due to several reasons:

  1. All these files are created in 2021 (why were they detected only now?)

  2. SSH port for each instance is protected by MFA + password + VPN.

All these files are in Conda environment and only exe files are infected (my AWS instances are Ubuntu OS).

Could it be the same issue like here?

/home/kidas/anaconda3/pkgs/conda-build-3.24.0-py310h06a4308_0/lib/python3.10/site-packages/conda_build/cli-64.exe: Win.Virus.Expiro-10004389-0 FOUND
/home/kidas/anaconda3/pkgs/conda-build-3.24.0-py310h06a4308_0/lib/python3.10/site-packages/conda_build/cli-32.exe: Win.Virus.Expiro-10004389-0 FOUND
/home/kidas/anaconda3/pkgs/conda-23.3.1-py310h06a4308_0/lib/python3.10/site-packages/conda/shell/cli-64.exe: Win.Virus.Expiro-10004389-0 FOUND
/home/kidas/anaconda3/pkgs/conda-23.3.1-py310h06a4308_0/lib/python3.10/site-packages/conda/shell/cli-32.exe: Win.Virus.Expiro-10004389-0 FOUND
/home/kidas/anaconda3/lib/python3.10/site-packages/conda/shell/cli-64.exe: Win.Virus.Expiro-10004389-0 FOUND
/home/kidas/anaconda3/lib/python3.10/site-packages/conda/shell/cli-32.exe: Win.Virus.Expiro-10004389-0 FOUND
/home/kidas/anaconda3/lib/python3.10/site-packages/conda_build/cli-64.exe: Win.Virus.Expiro-10004389-0 FOUND
/home/kidas/anaconda3/lib/python3.10/site-packages/conda_build/cli-32.exe: Win.Virus.Expiro-10004389-0 FOUND

VirusTotal results (all AV showed - undetected expect these AVs):

                "ClamAV": {
                    "category": "malicious",
                    "engine_name": "ClamAV",
                    "engine_version": "1.1.0.0",
                    "result": "Win.Virus.Expiro-10004389-0",
                    "method": "blacklist",
                    "engine_update": "20230730"
                },
                "SymantecMobileInsight": {
                    "category": "type-unsupported",
                    "engine_name": "SymantecMobileInsight",
                    "engine_version": "2.0",
                    "result": null,
                    "method": "blacklist",
                    "engine_update": "20230119"
                },
                "Trustlook": {
                    "category": "type-unsupported",
                    "engine_name": "Trustlook",
                    "engine_version": "1.0",
                    "result": null,
                    "method": "blacklist",
                    "engine_update": "20230730"
                },
                "Avast-Mobile": {
                    "category": "type-unsupported",
                    "engine_name": "Avast-Mobile",
                    "engine_version": "230730-02",
                    "result": null,
                    "method": "blacklist",
                    "engine_update": "20230730"
                },
                "Google": {
                    "category": "malicious",
                    "engine_name": "Google",
                    "engine_version": "1690700450",
                    "result": "Detected",
                    "method": "blacklist",
                    "engine_update": "20230730"
                },
                "BitDefenderFalx": {
                    "category": "type-unsupported",
                    "engine_name": "BitDefenderFalx",
                    "engine_version": "2.0.936",
                    "result": null,
                    "method": "blacklist",
                    "engine_update": "20230729"
                }
Rougher
  • 203
  • 1
  • 6

1 Answers1

2

Based on the updated question with engines from Virustotal I see some of antivirus engines detect is as malware. The best recommendation I can give is to hold all operations with these files for several days. And repeat the check after a week. Then if you see more AV engines to confirm it is infected you can act accordingly. Also you can open a case to Clamav (never did this before) and ask for deeper investigation.

If only few from non so well known names of AV rise a flag you can confirm with high probability the file is OK and resume the operations.

Romeo Ninov
  • 5,263
  • 4
  • 20
  • 26