Threats found in /dev/fd

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












While trying to make sure I have no threats on my iMac I used Bitdefender to perform a full scan and I found this



enter image description here



Output of running ls -la in /dev/fd:



 ls -la
total 11
dr-xr-xr-x 1 root wheel 0 Nov 25 16:43 .
dr-xr-xr-x 3 root wheel 5426 Nov 25 16:43 ..
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 0
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 1
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 2
dr--r--r-- 1 root wheel 0 Nov 25 16:43 3
dr--r--r-- 1 root wheel 0 Nov 25 16:43 4
dr--r--r-- 1 root wheel 0 Nov 25 16:43 5


How can I clear this threat even its just .exe keygen?
What it may be the source of this threat?



Update after solving it thanks to Scott , duskwuff and JigglyNaga



it was strange that I couldn't delete it from my iMac until I went to Gmail from the website and found it.



enter image description here










share|improve this question























  • Repeating the question from Scott's answer: Is this system a mailserver? Is it used for email at all? The locations shown suggest that there are hundreds of thousands of messages, some of which are nearly a decade old.
    – JigglyNaga
    Nov 27 at 0:00










  • I have installed Thunderbird to download Gmail on my iMac, so I got all my old emails which there was keygen in some attachments as mentioned but I came to know that its just strings. I made a search on my web Gmail for such emails and nothing found.
    – ahmed younes
    Nov 27 at 0:46










  • What do you mean by "came to know that its just strings", and why do you think that makes it ignorable?
    – JigglyNaga
    Nov 27 at 10:09














up vote
0
down vote

favorite












While trying to make sure I have no threats on my iMac I used Bitdefender to perform a full scan and I found this



enter image description here



Output of running ls -la in /dev/fd:



 ls -la
total 11
dr-xr-xr-x 1 root wheel 0 Nov 25 16:43 .
dr-xr-xr-x 3 root wheel 5426 Nov 25 16:43 ..
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 0
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 1
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 2
dr--r--r-- 1 root wheel 0 Nov 25 16:43 3
dr--r--r-- 1 root wheel 0 Nov 25 16:43 4
dr--r--r-- 1 root wheel 0 Nov 25 16:43 5


How can I clear this threat even its just .exe keygen?
What it may be the source of this threat?



Update after solving it thanks to Scott , duskwuff and JigglyNaga



it was strange that I couldn't delete it from my iMac until I went to Gmail from the website and found it.



enter image description here










share|improve this question























  • Repeating the question from Scott's answer: Is this system a mailserver? Is it used for email at all? The locations shown suggest that there are hundreds of thousands of messages, some of which are nearly a decade old.
    – JigglyNaga
    Nov 27 at 0:00










  • I have installed Thunderbird to download Gmail on my iMac, so I got all my old emails which there was keygen in some attachments as mentioned but I came to know that its just strings. I made a search on my web Gmail for such emails and nothing found.
    – ahmed younes
    Nov 27 at 0:46










  • What do you mean by "came to know that its just strings", and why do you think that makes it ignorable?
    – JigglyNaga
    Nov 27 at 10:09












up vote
0
down vote

favorite









up vote
0
down vote

favorite











While trying to make sure I have no threats on my iMac I used Bitdefender to perform a full scan and I found this



enter image description here



Output of running ls -la in /dev/fd:



 ls -la
total 11
dr-xr-xr-x 1 root wheel 0 Nov 25 16:43 .
dr-xr-xr-x 3 root wheel 5426 Nov 25 16:43 ..
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 0
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 1
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 2
dr--r--r-- 1 root wheel 0 Nov 25 16:43 3
dr--r--r-- 1 root wheel 0 Nov 25 16:43 4
dr--r--r-- 1 root wheel 0 Nov 25 16:43 5


How can I clear this threat even its just .exe keygen?
What it may be the source of this threat?



Update after solving it thanks to Scott , duskwuff and JigglyNaga



it was strange that I couldn't delete it from my iMac until I went to Gmail from the website and found it.



enter image description here










share|improve this question















While trying to make sure I have no threats on my iMac I used Bitdefender to perform a full scan and I found this



enter image description here



Output of running ls -la in /dev/fd:



 ls -la
total 11
dr-xr-xr-x 1 root wheel 0 Nov 25 16:43 .
dr-xr-xr-x 3 root wheel 5426 Nov 25 16:43 ..
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 0
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 1
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 2
dr--r--r-- 1 root wheel 0 Nov 25 16:43 3
dr--r--r-- 1 root wheel 0 Nov 25 16:43 4
dr--r--r-- 1 root wheel 0 Nov 25 16:43 5


How can I clear this threat even its just .exe keygen?
What it may be the source of this threat?



Update after solving it thanks to Scott , duskwuff and JigglyNaga



it was strange that I couldn't delete it from my iMac until I went to Gmail from the website and found it.



enter image description here







osx malware






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 5 hours ago









Rui F Ribeiro

38.3k1477127




38.3k1477127










asked Nov 26 at 1:50









ahmed younes

133




133











  • Repeating the question from Scott's answer: Is this system a mailserver? Is it used for email at all? The locations shown suggest that there are hundreds of thousands of messages, some of which are nearly a decade old.
    – JigglyNaga
    Nov 27 at 0:00










  • I have installed Thunderbird to download Gmail on my iMac, so I got all my old emails which there was keygen in some attachments as mentioned but I came to know that its just strings. I made a search on my web Gmail for such emails and nothing found.
    – ahmed younes
    Nov 27 at 0:46










  • What do you mean by "came to know that its just strings", and why do you think that makes it ignorable?
    – JigglyNaga
    Nov 27 at 10:09
















  • Repeating the question from Scott's answer: Is this system a mailserver? Is it used for email at all? The locations shown suggest that there are hundreds of thousands of messages, some of which are nearly a decade old.
    – JigglyNaga
    Nov 27 at 0:00










  • I have installed Thunderbird to download Gmail on my iMac, so I got all my old emails which there was keygen in some attachments as mentioned but I came to know that its just strings. I made a search on my web Gmail for such emails and nothing found.
    – ahmed younes
    Nov 27 at 0:46










  • What do you mean by "came to know that its just strings", and why do you think that makes it ignorable?
    – JigglyNaga
    Nov 27 at 10:09















Repeating the question from Scott's answer: Is this system a mailserver? Is it used for email at all? The locations shown suggest that there are hundreds of thousands of messages, some of which are nearly a decade old.
– JigglyNaga
Nov 27 at 0:00




Repeating the question from Scott's answer: Is this system a mailserver? Is it used for email at all? The locations shown suggest that there are hundreds of thousands of messages, some of which are nearly a decade old.
– JigglyNaga
Nov 27 at 0:00












I have installed Thunderbird to download Gmail on my iMac, so I got all my old emails which there was keygen in some attachments as mentioned but I came to know that its just strings. I made a search on my web Gmail for such emails and nothing found.
– ahmed younes
Nov 27 at 0:46




I have installed Thunderbird to download Gmail on my iMac, so I got all my old emails which there was keygen in some attachments as mentioned but I came to know that its just strings. I made a search on my web Gmail for such emails and nothing found.
– ahmed younes
Nov 27 at 0:46












What do you mean by "came to know that its just strings", and why do you think that makes it ignorable?
– JigglyNaga
Nov 27 at 10:09




What do you mean by "came to know that its just strings", and why do you think that makes it ignorable?
– JigglyNaga
Nov 27 at 10:09










3 Answers
3






active

oldest

votes

















up vote
5
down vote



accepted











  1. I wouldn't say that this should be disregarded,
    but I agree with duskwuff that
    the presentation of the message is nonsense. 
    And I agree that, even if Bitdefender found something in /dev/fd/9,
    it was specific and localized to a process that was running at that instant,
    and you won't find anything in /dev/fd now. 
    I suggest that you



    • research "Salfeld.Child.Control", "BRDBRDkeygenKeygen.exe",
      and other strings from the messages, and

    • get another anti-virus product.


  2. The Bitdefender screen talks about "messages" and "Subject" lines. 
    Do you have email on your system? 
    Is there a message with Subject "child control"? 
    The problem might be there. 
    Be careful; if the message has attachments, do not open them.


  3. Your question title is wrong;
    there's nothing in your question about "tty". 
    The problem was reported in fd 9;
    the only ttys in your questions are file descriptors 0, 1 and 2.





share|improve this answer
















  • 4




    Re. 1: /dev/fd is specifically the file descriptors of the current process. Which, for Bitdefender, is Bitdefender itself. If it "found" something in there, it may be a false positive from its own virus description files.
    – duskwuff
    Nov 26 at 6:21






  • 1




    @duskwuff: Duh. Good point. I totally overlooked that.
    – Scott
    Nov 26 at 6:39










  • @duskwuff -- AV products have ways to avoid detecting their own description files (although they occasionally detect each other's). The process' "own descriptor" is likely to point to a temporary file that Bitdefender creates while scanning a mailbox. Two emails had that rar attachment, which includes an (alleged) keygen for Salfeld Child Control; that executable is what BitDefender believes to be malware.
    – JigglyNaga
    Nov 26 at 8:17

















up vote
5
down vote













This result is nonsense, and should be disregarded. There is something seriously wrong with this antivirus software.



The objects in /dev/fd on macOS are not files -- they represent the file descriptors which the current process has open. It makes no sense to "scan" a file descriptor for viruses, and makes even less sense to attempt to "quarantine" one.






share|improve this answer




















  • is there a way to delete/unlink/close this file descriptor? linux.die.net/man/2/close
    – ahmed younes
    Nov 26 at 2:02











  • No. The objects in that directory are not the same for every process, and are not permanently stored anywhere.
    – duskwuff
    Nov 26 at 2:05











  • so it's just strings ?! "keygen.exe"
    – ahmed younes
    Nov 26 at 2:07

















up vote
2
down vote













You downloaded your email archive, and the virus scanner scanned it and found malware inside some attachments.



Two emails had an attachment named Salfeld.Child.Control.2008.v9.975.0.0.rar, and inside that Rar archive there was a file named "Keygen.exe". The full directory name Salfeld.Child.Control.2008.v9.975.0.0.WinALL.Incl.Keygen-BRD suggests that this archive contained both Salfeld's "Child Control" product, and a key generator for it; the virus scanner believes that the "keygen" executable is actually malicious.



Now, for one reason or another, the virus scanner wasn't able to show you an absolute path to the file(s) in which it found a detection. This may have been because it was scanning the emails mid-download, before saving to disk; or it may have been because it was scanning an archive containing 10 years' worth of emails, and needed to (temporarily) extract them somewhere.



Either way, its fallback was to report the meaningless /dev/fd/<number> (which was only a valid file handle for the scanner process), followed by some more helpful details: email subject and date, the attachment name, and the filename within the Rar archive.



If you were to find that email, save the ".rar" attachment to disk and rescan it, or even extract the Rar and scan "keygen.exe" on its own, I expect you would see the same result: "Worm.generic.269236". If you don't understand what's happening here, I strongly recommend that you don't extract the archive, even on a Mac. Instead, if you have any doubts about this detection being correct (eg. you think the file really is a key generator and nothing more), you should contact the antivirus support directly.



(Full disclosure: I work for another antivirus company.)






share|improve this answer




















    Your Answer








    StackExchange.ready(function()
    var channelOptions =
    tags: "".split(" "),
    id: "106"
    ;
    initTagRenderer("".split(" "), "".split(" "), channelOptions);

    StackExchange.using("externalEditor", function()
    // Have to fire editor after snippets, if snippets enabled
    if (StackExchange.settings.snippets.snippetsEnabled)
    StackExchange.using("snippets", function()
    createEditor();
    );

    else
    createEditor();

    );

    function createEditor()
    StackExchange.prepareEditor(
    heartbeatType: 'answer',
    convertImagesToLinks: false,
    noModals: true,
    showLowRepImageUploadWarning: true,
    reputationToPostImages: null,
    bindNavPrevention: true,
    postfix: "",
    imageUploader:
    brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
    contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
    allowUrls: true
    ,
    onDemand: true,
    discardSelector: ".discard-answer"
    ,immediatelyShowMarkdownHelp:true
    );



    );













    draft saved

    draft discarded


















    StackExchange.ready(
    function ()
    StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f484115%2fthreats-found-in-dev-fd%23new-answer', 'question_page');

    );

    Post as a guest















    Required, but never shown

























    3 Answers
    3






    active

    oldest

    votes








    3 Answers
    3






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes








    up vote
    5
    down vote



    accepted











    1. I wouldn't say that this should be disregarded,
      but I agree with duskwuff that
      the presentation of the message is nonsense. 
      And I agree that, even if Bitdefender found something in /dev/fd/9,
      it was specific and localized to a process that was running at that instant,
      and you won't find anything in /dev/fd now. 
      I suggest that you



      • research "Salfeld.Child.Control", "BRDBRDkeygenKeygen.exe",
        and other strings from the messages, and

      • get another anti-virus product.


    2. The Bitdefender screen talks about "messages" and "Subject" lines. 
      Do you have email on your system? 
      Is there a message with Subject "child control"? 
      The problem might be there. 
      Be careful; if the message has attachments, do not open them.


    3. Your question title is wrong;
      there's nothing in your question about "tty". 
      The problem was reported in fd 9;
      the only ttys in your questions are file descriptors 0, 1 and 2.





    share|improve this answer
















    • 4




      Re. 1: /dev/fd is specifically the file descriptors of the current process. Which, for Bitdefender, is Bitdefender itself. If it "found" something in there, it may be a false positive from its own virus description files.
      – duskwuff
      Nov 26 at 6:21






    • 1




      @duskwuff: Duh. Good point. I totally overlooked that.
      – Scott
      Nov 26 at 6:39










    • @duskwuff -- AV products have ways to avoid detecting their own description files (although they occasionally detect each other's). The process' "own descriptor" is likely to point to a temporary file that Bitdefender creates while scanning a mailbox. Two emails had that rar attachment, which includes an (alleged) keygen for Salfeld Child Control; that executable is what BitDefender believes to be malware.
      – JigglyNaga
      Nov 26 at 8:17














    up vote
    5
    down vote



    accepted











    1. I wouldn't say that this should be disregarded,
      but I agree with duskwuff that
      the presentation of the message is nonsense. 
      And I agree that, even if Bitdefender found something in /dev/fd/9,
      it was specific and localized to a process that was running at that instant,
      and you won't find anything in /dev/fd now. 
      I suggest that you



      • research "Salfeld.Child.Control", "BRDBRDkeygenKeygen.exe",
        and other strings from the messages, and

      • get another anti-virus product.


    2. The Bitdefender screen talks about "messages" and "Subject" lines. 
      Do you have email on your system? 
      Is there a message with Subject "child control"? 
      The problem might be there. 
      Be careful; if the message has attachments, do not open them.


    3. Your question title is wrong;
      there's nothing in your question about "tty". 
      The problem was reported in fd 9;
      the only ttys in your questions are file descriptors 0, 1 and 2.





    share|improve this answer
















    • 4




      Re. 1: /dev/fd is specifically the file descriptors of the current process. Which, for Bitdefender, is Bitdefender itself. If it "found" something in there, it may be a false positive from its own virus description files.
      – duskwuff
      Nov 26 at 6:21






    • 1




      @duskwuff: Duh. Good point. I totally overlooked that.
      – Scott
      Nov 26 at 6:39










    • @duskwuff -- AV products have ways to avoid detecting their own description files (although they occasionally detect each other's). The process' "own descriptor" is likely to point to a temporary file that Bitdefender creates while scanning a mailbox. Two emails had that rar attachment, which includes an (alleged) keygen for Salfeld Child Control; that executable is what BitDefender believes to be malware.
      – JigglyNaga
      Nov 26 at 8:17












    up vote
    5
    down vote



    accepted







    up vote
    5
    down vote



    accepted







    1. I wouldn't say that this should be disregarded,
      but I agree with duskwuff that
      the presentation of the message is nonsense. 
      And I agree that, even if Bitdefender found something in /dev/fd/9,
      it was specific and localized to a process that was running at that instant,
      and you won't find anything in /dev/fd now. 
      I suggest that you



      • research "Salfeld.Child.Control", "BRDBRDkeygenKeygen.exe",
        and other strings from the messages, and

      • get another anti-virus product.


    2. The Bitdefender screen talks about "messages" and "Subject" lines. 
      Do you have email on your system? 
      Is there a message with Subject "child control"? 
      The problem might be there. 
      Be careful; if the message has attachments, do not open them.


    3. Your question title is wrong;
      there's nothing in your question about "tty". 
      The problem was reported in fd 9;
      the only ttys in your questions are file descriptors 0, 1 and 2.





    share|improve this answer













    1. I wouldn't say that this should be disregarded,
      but I agree with duskwuff that
      the presentation of the message is nonsense. 
      And I agree that, even if Bitdefender found something in /dev/fd/9,
      it was specific and localized to a process that was running at that instant,
      and you won't find anything in /dev/fd now. 
      I suggest that you



      • research "Salfeld.Child.Control", "BRDBRDkeygenKeygen.exe",
        and other strings from the messages, and

      • get another anti-virus product.


    2. The Bitdefender screen talks about "messages" and "Subject" lines. 
      Do you have email on your system? 
      Is there a message with Subject "child control"? 
      The problem might be there. 
      Be careful; if the message has attachments, do not open them.


    3. Your question title is wrong;
      there's nothing in your question about "tty". 
      The problem was reported in fd 9;
      the only ttys in your questions are file descriptors 0, 1 and 2.






    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Nov 26 at 4:40









    Scott

    6,77642650




    6,77642650







    • 4




      Re. 1: /dev/fd is specifically the file descriptors of the current process. Which, for Bitdefender, is Bitdefender itself. If it "found" something in there, it may be a false positive from its own virus description files.
      – duskwuff
      Nov 26 at 6:21






    • 1




      @duskwuff: Duh. Good point. I totally overlooked that.
      – Scott
      Nov 26 at 6:39










    • @duskwuff -- AV products have ways to avoid detecting their own description files (although they occasionally detect each other's). The process' "own descriptor" is likely to point to a temporary file that Bitdefender creates while scanning a mailbox. Two emails had that rar attachment, which includes an (alleged) keygen for Salfeld Child Control; that executable is what BitDefender believes to be malware.
      – JigglyNaga
      Nov 26 at 8:17












    • 4




      Re. 1: /dev/fd is specifically the file descriptors of the current process. Which, for Bitdefender, is Bitdefender itself. If it "found" something in there, it may be a false positive from its own virus description files.
      – duskwuff
      Nov 26 at 6:21






    • 1




      @duskwuff: Duh. Good point. I totally overlooked that.
      – Scott
      Nov 26 at 6:39










    • @duskwuff -- AV products have ways to avoid detecting their own description files (although they occasionally detect each other's). The process' "own descriptor" is likely to point to a temporary file that Bitdefender creates while scanning a mailbox. Two emails had that rar attachment, which includes an (alleged) keygen for Salfeld Child Control; that executable is what BitDefender believes to be malware.
      – JigglyNaga
      Nov 26 at 8:17







    4




    4




    Re. 1: /dev/fd is specifically the file descriptors of the current process. Which, for Bitdefender, is Bitdefender itself. If it "found" something in there, it may be a false positive from its own virus description files.
    – duskwuff
    Nov 26 at 6:21




    Re. 1: /dev/fd is specifically the file descriptors of the current process. Which, for Bitdefender, is Bitdefender itself. If it "found" something in there, it may be a false positive from its own virus description files.
    – duskwuff
    Nov 26 at 6:21




    1




    1




    @duskwuff: Duh. Good point. I totally overlooked that.
    – Scott
    Nov 26 at 6:39




    @duskwuff: Duh. Good point. I totally overlooked that.
    – Scott
    Nov 26 at 6:39












    @duskwuff -- AV products have ways to avoid detecting their own description files (although they occasionally detect each other's). The process' "own descriptor" is likely to point to a temporary file that Bitdefender creates while scanning a mailbox. Two emails had that rar attachment, which includes an (alleged) keygen for Salfeld Child Control; that executable is what BitDefender believes to be malware.
    – JigglyNaga
    Nov 26 at 8:17




    @duskwuff -- AV products have ways to avoid detecting their own description files (although they occasionally detect each other's). The process' "own descriptor" is likely to point to a temporary file that Bitdefender creates while scanning a mailbox. Two emails had that rar attachment, which includes an (alleged) keygen for Salfeld Child Control; that executable is what BitDefender believes to be malware.
    – JigglyNaga
    Nov 26 at 8:17












    up vote
    5
    down vote













    This result is nonsense, and should be disregarded. There is something seriously wrong with this antivirus software.



    The objects in /dev/fd on macOS are not files -- they represent the file descriptors which the current process has open. It makes no sense to "scan" a file descriptor for viruses, and makes even less sense to attempt to "quarantine" one.






    share|improve this answer




















    • is there a way to delete/unlink/close this file descriptor? linux.die.net/man/2/close
      – ahmed younes
      Nov 26 at 2:02











    • No. The objects in that directory are not the same for every process, and are not permanently stored anywhere.
      – duskwuff
      Nov 26 at 2:05











    • so it's just strings ?! "keygen.exe"
      – ahmed younes
      Nov 26 at 2:07














    up vote
    5
    down vote













    This result is nonsense, and should be disregarded. There is something seriously wrong with this antivirus software.



    The objects in /dev/fd on macOS are not files -- they represent the file descriptors which the current process has open. It makes no sense to "scan" a file descriptor for viruses, and makes even less sense to attempt to "quarantine" one.






    share|improve this answer




















    • is there a way to delete/unlink/close this file descriptor? linux.die.net/man/2/close
      – ahmed younes
      Nov 26 at 2:02











    • No. The objects in that directory are not the same for every process, and are not permanently stored anywhere.
      – duskwuff
      Nov 26 at 2:05











    • so it's just strings ?! "keygen.exe"
      – ahmed younes
      Nov 26 at 2:07












    up vote
    5
    down vote










    up vote
    5
    down vote









    This result is nonsense, and should be disregarded. There is something seriously wrong with this antivirus software.



    The objects in /dev/fd on macOS are not files -- they represent the file descriptors which the current process has open. It makes no sense to "scan" a file descriptor for viruses, and makes even less sense to attempt to "quarantine" one.






    share|improve this answer












    This result is nonsense, and should be disregarded. There is something seriously wrong with this antivirus software.



    The objects in /dev/fd on macOS are not files -- they represent the file descriptors which the current process has open. It makes no sense to "scan" a file descriptor for viruses, and makes even less sense to attempt to "quarantine" one.







    share|improve this answer












    share|improve this answer



    share|improve this answer










    answered Nov 26 at 1:54









    duskwuff

    27416




    27416











    • is there a way to delete/unlink/close this file descriptor? linux.die.net/man/2/close
      – ahmed younes
      Nov 26 at 2:02











    • No. The objects in that directory are not the same for every process, and are not permanently stored anywhere.
      – duskwuff
      Nov 26 at 2:05











    • so it's just strings ?! "keygen.exe"
      – ahmed younes
      Nov 26 at 2:07
















    • is there a way to delete/unlink/close this file descriptor? linux.die.net/man/2/close
      – ahmed younes
      Nov 26 at 2:02











    • No. The objects in that directory are not the same for every process, and are not permanently stored anywhere.
      – duskwuff
      Nov 26 at 2:05











    • so it's just strings ?! "keygen.exe"
      – ahmed younes
      Nov 26 at 2:07















    is there a way to delete/unlink/close this file descriptor? linux.die.net/man/2/close
    – ahmed younes
    Nov 26 at 2:02





    is there a way to delete/unlink/close this file descriptor? linux.die.net/man/2/close
    – ahmed younes
    Nov 26 at 2:02













    No. The objects in that directory are not the same for every process, and are not permanently stored anywhere.
    – duskwuff
    Nov 26 at 2:05





    No. The objects in that directory are not the same for every process, and are not permanently stored anywhere.
    – duskwuff
    Nov 26 at 2:05













    so it's just strings ?! "keygen.exe"
    – ahmed younes
    Nov 26 at 2:07




    so it's just strings ?! "keygen.exe"
    – ahmed younes
    Nov 26 at 2:07










    up vote
    2
    down vote













    You downloaded your email archive, and the virus scanner scanned it and found malware inside some attachments.



    Two emails had an attachment named Salfeld.Child.Control.2008.v9.975.0.0.rar, and inside that Rar archive there was a file named "Keygen.exe". The full directory name Salfeld.Child.Control.2008.v9.975.0.0.WinALL.Incl.Keygen-BRD suggests that this archive contained both Salfeld's "Child Control" product, and a key generator for it; the virus scanner believes that the "keygen" executable is actually malicious.



    Now, for one reason or another, the virus scanner wasn't able to show you an absolute path to the file(s) in which it found a detection. This may have been because it was scanning the emails mid-download, before saving to disk; or it may have been because it was scanning an archive containing 10 years' worth of emails, and needed to (temporarily) extract them somewhere.



    Either way, its fallback was to report the meaningless /dev/fd/<number> (which was only a valid file handle for the scanner process), followed by some more helpful details: email subject and date, the attachment name, and the filename within the Rar archive.



    If you were to find that email, save the ".rar" attachment to disk and rescan it, or even extract the Rar and scan "keygen.exe" on its own, I expect you would see the same result: "Worm.generic.269236". If you don't understand what's happening here, I strongly recommend that you don't extract the archive, even on a Mac. Instead, if you have any doubts about this detection being correct (eg. you think the file really is a key generator and nothing more), you should contact the antivirus support directly.



    (Full disclosure: I work for another antivirus company.)






    share|improve this answer
























      up vote
      2
      down vote













      You downloaded your email archive, and the virus scanner scanned it and found malware inside some attachments.



      Two emails had an attachment named Salfeld.Child.Control.2008.v9.975.0.0.rar, and inside that Rar archive there was a file named "Keygen.exe". The full directory name Salfeld.Child.Control.2008.v9.975.0.0.WinALL.Incl.Keygen-BRD suggests that this archive contained both Salfeld's "Child Control" product, and a key generator for it; the virus scanner believes that the "keygen" executable is actually malicious.



      Now, for one reason or another, the virus scanner wasn't able to show you an absolute path to the file(s) in which it found a detection. This may have been because it was scanning the emails mid-download, before saving to disk; or it may have been because it was scanning an archive containing 10 years' worth of emails, and needed to (temporarily) extract them somewhere.



      Either way, its fallback was to report the meaningless /dev/fd/<number> (which was only a valid file handle for the scanner process), followed by some more helpful details: email subject and date, the attachment name, and the filename within the Rar archive.



      If you were to find that email, save the ".rar" attachment to disk and rescan it, or even extract the Rar and scan "keygen.exe" on its own, I expect you would see the same result: "Worm.generic.269236". If you don't understand what's happening here, I strongly recommend that you don't extract the archive, even on a Mac. Instead, if you have any doubts about this detection being correct (eg. you think the file really is a key generator and nothing more), you should contact the antivirus support directly.



      (Full disclosure: I work for another antivirus company.)






      share|improve this answer






















        up vote
        2
        down vote










        up vote
        2
        down vote









        You downloaded your email archive, and the virus scanner scanned it and found malware inside some attachments.



        Two emails had an attachment named Salfeld.Child.Control.2008.v9.975.0.0.rar, and inside that Rar archive there was a file named "Keygen.exe". The full directory name Salfeld.Child.Control.2008.v9.975.0.0.WinALL.Incl.Keygen-BRD suggests that this archive contained both Salfeld's "Child Control" product, and a key generator for it; the virus scanner believes that the "keygen" executable is actually malicious.



        Now, for one reason or another, the virus scanner wasn't able to show you an absolute path to the file(s) in which it found a detection. This may have been because it was scanning the emails mid-download, before saving to disk; or it may have been because it was scanning an archive containing 10 years' worth of emails, and needed to (temporarily) extract them somewhere.



        Either way, its fallback was to report the meaningless /dev/fd/<number> (which was only a valid file handle for the scanner process), followed by some more helpful details: email subject and date, the attachment name, and the filename within the Rar archive.



        If you were to find that email, save the ".rar" attachment to disk and rescan it, or even extract the Rar and scan "keygen.exe" on its own, I expect you would see the same result: "Worm.generic.269236". If you don't understand what's happening here, I strongly recommend that you don't extract the archive, even on a Mac. Instead, if you have any doubts about this detection being correct (eg. you think the file really is a key generator and nothing more), you should contact the antivirus support directly.



        (Full disclosure: I work for another antivirus company.)






        share|improve this answer












        You downloaded your email archive, and the virus scanner scanned it and found malware inside some attachments.



        Two emails had an attachment named Salfeld.Child.Control.2008.v9.975.0.0.rar, and inside that Rar archive there was a file named "Keygen.exe". The full directory name Salfeld.Child.Control.2008.v9.975.0.0.WinALL.Incl.Keygen-BRD suggests that this archive contained both Salfeld's "Child Control" product, and a key generator for it; the virus scanner believes that the "keygen" executable is actually malicious.



        Now, for one reason or another, the virus scanner wasn't able to show you an absolute path to the file(s) in which it found a detection. This may have been because it was scanning the emails mid-download, before saving to disk; or it may have been because it was scanning an archive containing 10 years' worth of emails, and needed to (temporarily) extract them somewhere.



        Either way, its fallback was to report the meaningless /dev/fd/<number> (which was only a valid file handle for the scanner process), followed by some more helpful details: email subject and date, the attachment name, and the filename within the Rar archive.



        If you were to find that email, save the ".rar" attachment to disk and rescan it, or even extract the Rar and scan "keygen.exe" on its own, I expect you would see the same result: "Worm.generic.269236". If you don't understand what's happening here, I strongly recommend that you don't extract the archive, even on a Mac. Instead, if you have any doubts about this detection being correct (eg. you think the file really is a key generator and nothing more), you should contact the antivirus support directly.



        (Full disclosure: I work for another antivirus company.)







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 27 at 10:44









        JigglyNaga

        3,499828




        3,499828



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f484115%2fthreats-found-in-dev-fd%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Displaying single band from multi-band raster using QGIS

            How many registers does an x86_64 CPU actually have?