
Why is Sophos for linux creating suspicious files that Root Kit hunter picks up on?

Hi there

I've been using Sophos for linux since installing ubuntu 16.04 earlier this year, but have recently come across some issues where Root Kit Hunter picks up some suspicious files in the dev/shm/ folder.

This is what I get after running Root Kit Hunter:

Warning: Suspicious file types found in /dev:
         /dev/shm/com.sophos.av.process.exclusion: data
         /dev/shm/sem.com.sophos.av.process.exclusion: data

This has only started happening since today. Would anybody experienced with linux systems be able to help me understand what these files are and whether they are actually False Positives flagged by Root Kit Hunter or not?

Thanks in advance!

  • They are shared memory used for managing process exclusions when using fanotify for on-access scanning. 

    Is it possible you have upgraded your kernel, which has forced SAV to switch to fanotify from Talpa?

    If you run /opt/sophos-av/bin/savlog -50 you should see the on-access enabled line.

    I have no idea why root kit hunter finds the files objectionable? The directory is where shared memory is supposed to go.

    SAV doesn't even control the directory - we just call shm_open("/com.sophos.av.process.exclusion",...) and it's up to the operating system where the shared memory is placed.
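The following is an added illustration of the mechanism described in this reply; it is not Sophos code and the object name it uses is a hypothetical one, not the product's. On Linux, glibc backs every shm_open() object with a file under /dev/shm named after the object, and sem_open() named semaphores land in the same directory as "sem.<name>", which is exactly the pair of files rkhunter listed. Python's standard multiprocessing.shared_memory module calls shm_open() under the hood, so the script below creates an object, shows the backing file appear, scans /proc/*/maps to find which PIDs have it mapped, then unlinks it and shows the file disappear. The /proc scan is the check a defender actually wants here: run it against the real /dev/shm path and confirm the only process mapping it is the AV daemon.

```python
import os
from multiprocessing import shared_memory

# Where glibc backs POSIX shared memory objects on Linux (shm_open(3)).
# Named semaphores from sem_open(3) appear in the same directory as "sem.<name>".
SHM_DIR = "/dev/shm"
LINUX_SHM_AVAILABLE = os.path.isdir(SHM_DIR) and os.path.isdir("/proc")


def backing_path(name):
    """Path of the file glibc creates under /dev/shm for shm_open("/<name>")."""
    return os.path.join(SHM_DIR, name.lstrip("/"))


def pids_mapping(path):
    """Return the set of PIDs whose address space currently maps `path`.

    Scans /proc/*/maps; the mapped file is the last field of each line. A defender
    uses this to confirm a /dev/shm object belongs to the process it should (the
    AV daemon in this thread) and not to something unexpected.
    """
    target = os.path.realpath(path)
    owners = set()
    if not os.path.isdir("/proc"):
        return owners
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/maps") as maps:
                for line in maps:
                    fields = line.split(maxsplit=5)  # addr perms offset dev inode path
                    if len(fields) == 6 and fields[5].strip() == target:
                        owners.add(int(entry))
                        break
        except OSError:
            # Process exited, or its maps file is unreadable (another user's process).
            continue
    return owners


def demo():
    """Create a shm object the way an application would, observe its /dev/shm
    backing file, prove this process maps it, unlink it, and observe it vanish.
    Returns the observations so each step can be checked."""
    name = f"rkhunter_example_{os.getpid()}"  # hypothetical name, not Sophos's
    path = backing_path(name)
    shm = shared_memory.SharedMemory(name=name, create=True, size=64)
    try:
        shm.buf[:5] = b"hello"
        observations = {
            "backing_file_before": os.path.exists(path),
            "mapped_by_self": os.getpid() in pids_mapping(path),
            "content": bytes(shm.buf[:5]),
        }
    finally:
        shm.close()
        shm.unlink()  # removes /dev/shm/<name>, like shm_unlink(3)
    observations["backing_file_after_unlink"] = os.path.exists(path)
    return observations


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running pids_mapping("/dev/shm/com.sophos.av.process.exclusion") on an affected machine tells you which PIDs hold the object; if they all belong to the on-access scanner, the rkhunter warning is a false positive triggered purely by the file type ("data") in /dev, not by anything the file does. Note that the object lives only as long as something keeps it open or until it is unlinked, which also explains why the files can disappear between scans.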

  • Hi Douglas

    Thank you for the response to my post.

    I assumed they were not anything malicious and related to the running of Sophos' on-access scanning.

    It may be that it was the operating system putting them where it liked, as, after a week of them appearing in my root kit hunter reports, the scans stopped picking them up yesterday. I checked the dev/shm file and they were no longer there. Weird.

    I have also since looked into other Q&A threads concerning /dev/shm and it appears that Root Kit Hunter pulls a lot of false positives from here.

    Once again, thanks for all your help. I'm happy to have members of the community there to help out, as I'm quite a noob with Ubuntu.