How best to set up and use ClamXav?
Moderator
Join Date: Aug 2001
Location: Nobletucky
So, I got this email from Comcast and their Constant Guard security thing, saying that "one or more of your computers may be infected with a Bot." They provide no details, of course, but they DO provide a link to download Norton. Even though I don't really believe there's a bot running on my iMac (or either of the MacBooks that occasionally share the connection) I decided to dl ClamXav and give it a run.
I've run scans of folders and files I think would be pertinent to searching out a bot (Desktop, Mail Downloads, Preferences, etc.) on all the user accounts and have come up empty. Being new to ClamXav, though, I'm probably missing something. I started a scan of the entire iMac HD, but it was obviously going to take a couple of hours, so I bailed on that for now.
How do you use ClamXav? What areas would you suggest scanning when trying to weed out anything suspicious? And do you use ClamXav Sentry? If so, what items do you have it monitor?
FWIW, I did find a couple of suspicious invisible files on my Desktop a couple of weeks ago. I have no clue how they got there, but they were obviously not system files, judging by their fairly "adult" filenames. I suspect, if something actually was wrong, those were the files that did it. Am I safe in assuming that ClamXav scans for invisible files, too?
Posting Junkie
Join Date: Oct 2005
Location: Houston, TX
Do you have open wifi? Could have been a "guest", welcome or otherwise.
Files on the desktop are usually just a browser glitch where it saves the destination of a link instead of displaying it.
Administrator
Join Date: Jun 2000
Location: California
The most common invisible files on my Desktop come from dragging images out of my browser. If the images were the product of a server script, the browser may not have a name for them. So drag-n-drop produces files called ".gif" or ".jpeg". I solve it by using the contextual save-image command, so as to give them a name. Then I have to root out the invisible results of the image drags.
Moderator
Join Date: Aug 2001
Location: Nobletucky
No open wifi.
I've never found any other sorts of invisible files on my desktop other than the normal .DS_Store and .localized files, and I do a bit of dragging images from browsers, too. I did find about a dozen invisible music files on my daughter's desktop, though. They were all zero-k, though.
I'm of two minds about the Comcast email. On one hand, people on the Comcast forums say the emails are legit warnings. On the other hand, when you follow the link they provide, all it does is take you to the Norton download, which makes me feel like it's just a scare tactic to get you to install that junk. The fact that Comcast doesn't provide any details makes it smell even fishier.
Anyway, back to the main question...How do people set up ClamXav for the best protection?
Professional Poster
Join Date: Jan 2002
Location: London, UK
I set it up to launch the ClamXav Sentry at login, and have it monitor my Mail for malware and phishing attempts and for it to actively monitor my Downloads folder, my Mail Downloads folder, my iChat attachments folder and any other folder where content might get downloaded to. As well as that, I have it set to update malware definitions each night (at a time when I am likely to be using my Mac), and to check for and update the app and virus defs whenever I launch the app.
I don't bother to run any whole system scans as there isn't any way content is getting onto my Mac other than through those few download routes from the net.
I set it to only warn me about malware, and not to quarantine or do anything else with it.
And then I forget about it - the impact on performance is minimal, apart from on my 7-year-old PowerBook, which does suffer a bit if anything is being downloaded, as it doesn't have dual cores or processors to separate the ClamXav process out from the other apps running.
Very occasionally, I am warned about a phishing attempt in an e-mail (so far, 100% of the time it has been a SPAM message in my Junk folder which I would never have looked at anyway, but there we go).
Moderator
Join Date: Aug 2001
Location: Nobletucky
Thanks, JKT! That's very helpful!
Clinically Insane
Join Date: Mar 2001
Location: yes
Check all of your processes that are running for anything that looks suspicious (e.g. is being invoked from a strange path). Scans like this know nothing about what is lying dormant on your hard drive, but only what is actually running.
Comcast may be sending the message intended for the last user of your dynamic IP, if there was one. I would imagine that their scanner can't keep up with IP changes.
Moderator
Join Date: Aug 2001
Location: Nobletucky
I've always been a bit confused when looking at the list of running processes in Activity Monitor. Most of it looks "suspicious" to me, because I have no idea what they are or do. Looking right now, I see processes like:
mds
mDNSResponder
ntpd
natd
fontd
quicklookd32
hidd
imagent
gfslogger
apsd-ft
blued
distnoted
Beats me what most of these are. Most have Root as user. Some have me as user. One, distnoted, has daemon as user. I have no idea what would look suspicious in all this.
As for the Comcast email...I've been having a fairly vocal back-and-forth about it in the Comcast user forums. My point to them is that, until they provide the details to me of what they've logged as "suspicious activity", their email is little more than spam, since all it does is link to either a download of Norton, or a $130 upsell for Comcast's own security service. The general response I've gotten is that I should just trust Comcast and do what they suggest. As if...
Clinically Insane
Join Date: Mar 2001
Location: yes
It's not the process name I'm concerned with, it's the process path, so try a:
ps -aux
Some processes are still not going to include path names, but many will. Note the owner user names of processes without a path. If it is root, do a:
sudo sh -c 'echo "$PATH"'
to make sure that there are no funny paths included in your shell's environment which would enable these particular processes from running without specifying a path.
I don't blame you for not trusting Comcast.
Have you thought about running the Nessus scanner on your own machine? Last I checked there was a free OS X version available. This will conduct the same sorts of tests that Comcast would. Telling them that Nessus is turning up nothing may put the onus on them to provide specificity.
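A small shell audit in the spirit of the advice above, added here as an example and not something posted in the thread: it flags processes whose executable path is outside a set of expected system directories, and PATH entries that are empty or relative. The trusted-directory list and the sample ps output are constructed assumptions; on a real Mac you would pipe in `ps -Ao user,pid,args` and feed `check_path_entries` the output of `sudo sh -c 'echo "$PATH"'`.

```shell
# Added example, not from the thread: audit running processes by executable
# path and check PATH entries, as the post suggests, on constructed sample data.

# Where system-installed binaries are expected to live (assumption; extend it
# for your own installs, e.g. /opt/homebrew/bin or /usr/local/bin).
TRUSTED_DIRS="/usr/bin /usr/sbin /usr/libexec /bin /sbin /System/Library /Library/Apple /Applications"

# Reads lines shaped like the output of `ps -Ao user,pid,args` on stdin and
# prints "user pid command" for every process whose executable is not under a
# trusted directory, or that shows no path at all (worth a second look).
flag_odd_processes() {
    while read -r user pid cmd _rest; do
        case "$user" in USER|"") continue ;; esac   # skip header and blank lines
        ok=0
        for d in $TRUSTED_DIRS; do
            case "$cmd" in "$d"/*) ok=1; break ;; esac
        done
        [ "$ok" -eq 1 ] || printf '%s %s %s\n' "$user" "$pid" "$cmd"
    done
}

# Prints one finding per PATH entry that is empty or relative: either one makes
# the shell look in the current directory, where a planted binary can shadow a
# system command. Feed it your PATH, or root's via: sudo sh -c 'echo "$PATH"'
check_path_entries() {
    rest="$1:"                       # trailing ':' so the last entry is seen too
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case "$entry" in
            "") echo "empty entry (searches current directory)" ;;
            /*) ;;                   # absolute path: fine
            *)  echo "relative entry: $entry" ;;
        esac
    done
}

# Constructed sample input (not captured from a real machine).
SAMPLE_PS='USER PID COMMAND
root 1 /sbin/launchd
_mdnsresponder 55 /usr/sbin/mDNSResponder
bob 312 /Users/bob/Library/.cache/updater -d
root 400 natd'
SAMPLE_PATH='/usr/bin::/bin:.:/Users/bob/bin'

echo "== processes outside trusted directories =="
printf '%s\n' "$SAMPLE_PS" | flag_odd_processes
echo "== PATH findings =="
check_path_entries "$SAMPLE_PATH"
```

A hit from `flag_odd_processes` is a prompt to look the binary up, not proof of anything; a path-less root process is most often a system daemon whose ps output simply omits the path.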
Administrator
Join Date: Jun 2000
Location: California
Originally Posted by Thorzdad
mds - search indexer, backend for Spotlight
mDNSResponder
ntpd - time sync daemon that syncs your system time vs a time server on the web
natd
fontd
quicklookd32 - Finder support daemon (32-bit) which generates file thumbnails & quicklooks
hidd
imagent
gfslogger
apsd-ft
blued
distnoted
Here are definitions for a few. Most of the others are easy to look up on Wikipedia.