File 32b76db9f3df9ffb126a55624df56417c367c47d95e3f619585af51e448144.file identified, question if accurate

Asked by Max

The above file was identified by ClamTK. I checked an md5sum and it is bafbd01ae8e41a090a64e69a71321475. The file is in a timeshift snapshot. I don't find any information on this file; should I go ahead and quarantine it?

In case it's an error, I don't want to quarantine it, and I'm not sure it would affect the snapshot; maybe not, since it is a single file. It was found in 3 snapshots.

The status given is BC.Gif.Exploit.Agent-1425366.Agent.

Also what would this virus have done?

Question information

Language:
English
Status:
Answered
For:
ClamTk
Assignee:
No assignee
Max (oobvi) said :
#1

It looks like the same file was identified here:
https://gitlab.com/dave_m/clamtk/-/issues/78

The last post suggests that the file might be okay? It does appear to be in a flatpak based on the directory.

Dave M (dave-nerd) said :
#2

Max,

I think this one is probably a false positive based on our earlier research.

I would also be careful using the scan option "scan for PUAs". It seems to show many false positives.

respectfully,
Dave M

Max (oobvi) said :
#3

I did have "scan for PUAs" turned off.

Dave M (dave-nerd) said :
#4

Max,

Thank you for confirming that. However, it still seems to be a false positive.

I'll see if I can notify the ClamAV team; maybe they can reexamine this file. I only do a GUI for it; I can't really mess with the output (and probably wouldn't want to, either).

respectfully,
Dave M

Max (oobvi) said :
#5

I see.

If I quarantine it (in all 3 snapshots), is there a way to un-quarantine it if it seems to be a problem? I don't find un-quarantining mentioned here or in the Wiki.

Dave M (dave-nerd) said :
#6

Hi Max,

In most cases, yes, you can restore quarantined files since clamtk keeps track of that. However, I'm trying to see how timeshift stores files and information. I don't know the answer to your question yet. Do you know how it's stored?

respectfully,
Dave M

Dave M (dave-nerd) said :
#7

Hi Max,

What version of clamtk are you using? I just realized I put "timeshift" as a directory to be skipped; clamtk shouldn't be going in there anyway.

respectfully,
Dave M

Max (oobvi) said :
#8

version 6.02-1

I'm thinking now it probably isn't the latest version, but I got fooled before because under "Update" in the GUI it says "You are configured to automatically receive updates."

It's the latest version listed in the Linux Mint package manager.

The file in question is stored in /media/me/data/timeshift/snapshots/date/localhost/var/lib/flatpak/repo/objects/34/ if that helps.
