Running SAV on Ubuntu, I was scanning drives of a Windows-virtual machine (mounted the VMDK-files) and the memory-snapshot of that VM (i.e. the SnapshotXX.vmem), using the following command:
- savscan -dn -f --no-stop-scan -rec -archive /mnt/windows_mount
I added -dn to see it making progress, -f for full scan, --no-stop-scan to force scanning large files as the pagefile.sys, -rec for recursive scanning (obviously), and all -archive
SAV reports two hits
- fragments of a malware in pagefile.sys (the mounted VMDK-files)
- fragments of another malware i the VMEM-file
To rule out false positive, how do I go about finding more useful information than of the above?
This thread was automatically locked due to age.