ClamAv reports a malware in /usr/local/bin/pnscan

Message

bpuppy · #1 Post by **bpuppy** » Mon 08 Jun 2020, 14:29

As the title says, Clam Antivirus (32 bit version) reports:
/usr/local/bin/pnscan: Unix.Malware.Agent-7186126-0 FOUND.

It was reported on PuppyTahr v.6.0.5 (32-bit).
This may only be a false positive, but it would be interresting to investigate further...

Can anyone else check this on either the 32/64 bit versions?

bpuppy

fabrice_035 · #2 Post by **fabrice_035** » Mon 08 Jun 2020, 14:50

Hi,
From BionicPup64

Code: Select all

root# pnscan -V [PNScan, version 1.11 - Dec 11 2016 14:53:52]

Compil today from https://github.com/ptrrkssn/pnscan

Code: Select all

root# ./pnscan -V
[PNScan, version 1.13 - Jun  8 2020 16:41:13]

???

6502coder · #3 Post by **6502coder** » Mon 08 Jun 2020, 16:47

There's an apparently related thread on LinuxQuestions.org:
https://www.linuxquestions.org/question ... 175630929/

perdido · #4 Post by **perdido** » Mon 08 Jun 2020, 19:39

Out of curiosity I downloaded 4 versions of tahr from the ibiblio repository
http://distro.ibiblio.org/puppylinux/puppy-tahr/iso/

This is what clam says

tahr64-6.0.5.iso - /usr/local/bin/pnscan: Unix.Malware.Agent-6327832-0 FOUND
tahr-6.0.5_PAE.iso - /usr/local/bin/pnscan: Unix.Malware.Agent-7186126-0 FOUND
-------------------
Nothing found in either tahr 6.0.6 version
tahr-6.0.6-uefi.iso was clean
tahr64-6.0.6-uefi.iso was clean
###############################################
I also scanned the latest bionicpups 64-bit & 32-bit

bionicpup64-8.0-uefi.iso - /usr/local/bin/pnscan: Unix.Malware.Agent-7186126-0 FOUND
-------------------
bionicpup32-8.0-uefi.iso was clean.

This could be false positives but who knows? I sure don't.
This post is for informational purposes only. You make your own determinations.

Have fun!

rcrsn51 · #5 Post by **rcrsn51** » Mon 08 Jun 2020, 19:47

The latest versions of PeasyPort have eliminated pnscan in favour of a different scanning tool.

Smithy · #6 Post by **Smithy** » Wed 10 Jun 2020, 08:46

/usr/sbin/mpscan
/usr/bin/pscan
/usr/bin/ipsort
/usr/bin/pnscan
root/packages/builtin_files/pnscan
root/packages/builtin_files/file_sharing-curlftpfs-mpscan

Tried a ClamwinScan as an alternative, Didn't find anything suspect in Artfulpup. I am guessing it will be the same in Tahrpup and Bionic.

that pscan file is a symbolic link to busybox, 703kb or 17bytes depending on where you look.

666philb · #7 Post by **666philb** » Wed 10 Jun 2020, 12:46

hi,
this was also mentioned on the bionicpup64 thread.

i think the 32bit pnscan in /usr/local/bin got into the distro by woofce grabbing the wrong peasyport.pet which includes pnscan.

interestingly the 64bit pnscan (which is the official ubuntu version) in /usr/bin is also detected as malware when uploaded to virustotal, although clamav misses it.

it seems that it can be used as a hacktool and is not malware in itself. see this post at pnscans github page https://github.com/ptrrkssn/pnscan/issues/2

bpuppy · #8 Post by **bpuppy** » Sat 13 Jun 2020, 22:16

This is indeed interesting.
Being so controversial, I wonder whether new Puppy derivatives should include it in their next versions...

rcrsn51 · #9 Post by **rcrsn51** » Tue 16 Jun 2020, 13:37

I have PeasyPort v3.1 in PET form which removes pnscan. If anyone wants to participate in testing, I will post it.

(old)Puppy Linux Discussion Forum

(old)Puppy Linux Discussion Forum

ClamAv reports a malware in /usr/local/bin/pnscan

ClamAv reports a malware in /usr/local/bin/pnscan

follow up