Running SAV on Ubuntu, I was scanning the drives of a Windows virtual machine (mounted VMDK files) and the memory snapshot of that VM (i.e. the SnapshotXX.vmem), using the following command:
I added -dn to see it making progress, -f for a full scan, --no-stop-scan to force scanning of large files such as pagefile.sys, -rec for recursive scanning (obviously), and all -archive.
SAV reports two hits:
To rule out a false positive, how do I go about finding more useful information than the above?
Did you pull the 2 hits from the logs, and was that all the available detail in there?
Sophos Anti-Virus logs details of scanning activity in the Sophos Anti-Virus log and syslog. In addition, virus and error events are logged in the Sophos Anti-Virus log.
■ To view the Sophos Anti-Virus log, use the command savlog. This can be used with various options to restrict the output to certain messages and to control the display. For example, to display all messages logged to the Sophos Anti-Virus log in the last 24 hours, and to display the date and time in UTC/ISO 8601 format, type: /opt/sophos-av/bin/savlog --today --utc
■ To see a complete list of the options that can be used with savlog, type: man savlog
Another thought would be posting this in the malware forum.
Hello Knut Erik Hauslo,
"fragments of a malware" / "fragments of another malware": this is not the exact wording of the detections, is it? Both the memory and the pagefile (which is basically also memory) might contain, let's put it this way, sequences of bytes that trigger false positive detections.
The exact wording is this:
The idea that sequences of bytes might trigger a false positive was my idea as well, hence the effort into finding the location within the file. I've also split the pagefile into smaller files and, as expected, it found a lot more, which supports the idea of a false positive.
Any other scans with competing scanners did not result in anything.
The logs were not helpful at all, example:
[…] log.threat Threat detected in /mnt/windows_mount2/pagefile.sys: Nutcracker Boot during on-demand scan. (The file is still infected.)
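The post above localises a detection by splitting pagefile.sys into smaller files and rescanning each piece. The script below is an added example (not code from the thread or from Sophos) that automates that idea: it scans a large file in overlapping windows, reports which byte ranges a scanner flags, and then bisects a flagged range down to the smallest sub-range that still triggers. The scanner is an injected callable; the byte-signature matcher and the sample file are constructed stand-ins so the example runs offline, and an adapter that writes each window to a temporary file and invokes savscan on it is assumed to be supplied by the reader. Overlapping windows and the bisection stop rule both handle the edge case of a pattern straddling a split point, which plain splitting would hide.

```python
"""Localise which byte range of a large file triggers an on-demand scanner."""
import os
import tempfile
from typing import Callable, Iterable, List, Tuple

Scanner = Callable[[bytes], bool]


def make_signature_scanner(signatures: Iterable[bytes]) -> Scanner:
    """Constructed stand-in for savscan: flags data containing any signature.
    Any callable taking bytes and returning True on a hit can replace it."""
    sigs = list(signatures)
    return lambda data: any(sig in data for sig in sigs)


def locate_hits(path: str, scanner: Scanner, chunk_size: int = 64 * 1024,
                overlap: int = 64) -> List[Tuple[int, int]]:
    """Scan the file in fixed-size windows and return the (start, end) byte
    ranges the scanner flags. Each window is extended by `overlap` bytes so a
    pattern straddling a chunk boundary is still seen whole in one window."""
    hits: List[Tuple[int, int]] = []
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        start = 0
        while start < size:
            fh.seek(start)
            data = fh.read(chunk_size + overlap)
            if scanner(data):
                hits.append((start, start + len(data)))
            start += chunk_size
    return hits


def narrow_hit(path: str, scanner: Scanner, start: int, end: int,
               min_size: int = 64) -> Tuple[int, int]:
    """Bisect a flagged range to the smallest sub-range that still triggers.
    Stops when the range is at most `min_size` bytes, or when neither half
    triggers on its own (the trigger straddles the midpoint), so the returned
    range always still contains the triggering bytes."""
    with open(path, "rb") as fh:
        while end - start > min_size:
            mid = (start + end) // 2
            fh.seek(start)
            left = fh.read(mid - start)
            fh.seek(mid)
            right = fh.read(end - mid)
            if scanner(left):
                end = mid
            elif scanner(right):
                start = mid
            else:
                break
    return start, end


def write_sample(path: str, size: int,
                 placements: Iterable[Tuple[int, bytes]]) -> None:
    """Write a constructed file of `size` zero bytes with each (offset, blob)
    placed at its offset. Used only to demonstrate the functions above."""
    buf = bytearray(size)
    for offset, blob in placements:
        buf[offset:offset + len(blob)] = blob
    with open(path, "wb") as fh:
        fh.write(buf)


if __name__ == "__main__":
    # Constructed demo: a 1 MiB file with a marker inside chunk 4 and a second
    # marker straddling the boundary between chunks 4 and 5.
    marker = b"CONSTRUCTED-SIGNATURE"
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "pagefile-sample.bin")
        write_sample(sample, 1024 * 1024, [(300_000, marker), (327_670, marker)])
        scan = make_signature_scanner([marker])
        for s, e in locate_hits(sample, scan):
            ns, ne = narrow_hit(sample, scan, s, e)
            print(f"hit in window {s}-{e}, narrowed to {ns}-{ne}")
```

With a real scanner adapter the returned offsets can be compared against the mapped regions of the snapshot or pagefile, and a hit that is stable across runs but narrows to a few bytes of otherwise unrelated data is the kind of evidence that supports the false-positive reading discussed in this thread.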
"logs were not helpful": not really a surprise, it's unfeasible to provide an execution trace. Another indication that these are FPs is that both Nutcracker Boot and Troj/VGA are from the distant past.