Threats found in /dev/fd

While trying to make sure I have no threats on my iMac, I used Bitdefender to perform a full scan and I found this:

[screenshot: Bitdefender scan result]



Output of running ls -la in /dev/fd:



 ls -la
total 11
dr-xr-xr-x 1 root wheel 0 Nov 25 16:43 .
dr-xr-xr-x 3 root wheel 5426 Nov 25 16:43 ..
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 0
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 1
crw---w--- 1 ahmedyounes tty 16, 1 Nov 26 03:42 2
dr--r--r-- 1 root wheel 0 Nov 25 16:43 3
dr--r--r-- 1 root wheel 0 Nov 25 16:43 4
dr--r--r-- 1 root wheel 0 Nov 25 16:43 5


How can I clear this threat, even if it's just a .exe keygen?
What might be the source of this threat?



Update after solving it, thanks to Scott, duskwuff and JigglyNaga:



It was strange that I couldn't delete it from my iMac until I went to Gmail on the website and found it.



[screenshot: the message found in Gmail]

  • Repeating the question from Scott's answer: Is this system a mailserver? Is it used for email at all? The locations shown suggest that there are hundreds of thousands of messages, some of which are nearly a decade old.
    – JigglyNaga
    Nov 27 at 0:00

  • I have installed Thunderbird to download Gmail on my iMac, so I got all my old emails, in which there was a keygen in some attachments as mentioned, but I came to know that it's just strings. I searched my web Gmail for such emails and nothing was found.
    – ahmed younes
    Nov 27 at 0:46

  • What do you mean by "came to know that its just strings", and why do you think that makes it ignorable?
    – JigglyNaga
    Nov 27 at 10:09

Tags: osx, malware

edited 5 hours ago by Rui F Ribeiro

asked Nov 26 at 1:50 by ahmed younes

3 Answers

answered Nov 26 at 4:40 by Scott (accepted, 5 votes)

  1. I wouldn't say that this should be disregarded,
    but I agree with duskwuff that
    the presentation of the message is nonsense. 
    And I agree that, even if Bitdefender found something in /dev/fd/9,
    it was specific and localized to a process that was running at that instant,
    and you won't find anything in /dev/fd now. 
    I suggest that you



    • research "Salfeld.Child.Control", "BRDBRDkeygenKeygen.exe",
      and other strings from the messages, and

    • get another anti-virus product.


  2. The Bitdefender screen talks about "messages" and "Subject" lines. 
    Do you have email on your system? 
    Is there a message with Subject "child control"? 
    The problem might be there. 
    Be careful; if the message has attachments, do not open them.


  3. Your question title is wrong;
    there's nothing in your question about "tty". 
    The problem was reported in fd 9;
    the only ttys in your question are file descriptors 0, 1 and 2.

  • Re. 1: /dev/fd is specifically the file descriptors of the current process. Which, for Bitdefender, is Bitdefender itself. If it "found" something in there, it may be a false positive from its own virus description files.
    – duskwuff
    Nov 26 at 6:21

  • @duskwuff: Duh. Good point. I totally overlooked that.
    – Scott
    Nov 26 at 6:39

  • @duskwuff -- AV products have ways to avoid detecting their own description files (although they occasionally detect each other's). The process' "own descriptor" is likely to point to a temporary file that Bitdefender creates while scanning a mailbox. Two emails had that rar attachment, which includes an (alleged) keygen for Salfeld Child Control; that executable is what BitDefender believes to be malware.
    – JigglyNaga
    Nov 26 at 8:17

answered Nov 26 at 1:54 by duskwuff (5 votes)

This result is nonsense, and should be disregarded. There is something seriously wrong with this antivirus software.



The objects in /dev/fd on macOS are not files -- they represent the file descriptors which the current process has open. It makes no sense to "scan" a file descriptor for viruses, and makes even less sense to attempt to "quarantine" one.






  • is there a way to delete/unlink/close this file descriptor? linux.die.net/man/2/close
    – ahmed younes
    Nov 26 at 2:02

  • No. The objects in that directory are not the same for every process, and are not permanently stored anywhere.
    – duskwuff
    Nov 26 at 2:05

  • so it's just strings?! "keygen.exe"
    – ahmed younes
    Nov 26 at 2:07

2 votes

You downloaded your email archive, and the virus scanner scanned it and found malware inside some attachments.



Two emails had an attachment named Salfeld.Child.Control.2008.v9.975.0.0.rar, and inside that Rar archive there was a file named "Keygen.exe". The full directory name Salfeld.Child.Control.2008.v9.975.0.0.WinALL.Incl.Keygen-BRD suggests that this archive contained both Salfeld's "Child Control" product, and a key generator for it; the virus scanner believes that the "keygen" executable is actually malicious.



Now, for one reason or another, the virus scanner wasn't able to show you an absolute path to the file(s) in which it found a detection. This may have been because it was scanning the emails mid-download, before saving to disk; or it may have been because it was scanning an archive containing 10 years' worth of emails, and needed to (temporarily) extract them somewhere.



Either way, its fallback was to report the meaningless /dev/fd/<number> (which was only a valid file handle for the scanner process), followed by some more helpful details: email subject and date, the attachment name, and the filename within the Rar archive.



If you were to find that email, save the ".rar" attachment to disk and rescan it, or even extract the Rar and scan "keygen.exe" on its own, I expect you would see the same result: "Worm.generic.269236". If you don't understand what's happening here, I strongly recommend that you don't extract the archive, even on a Mac. Instead, if you have any doubts about this detection being correct (e.g. you think the file really is a key generator and nothing more), you should contact the antivirus support directly.



(Full disclosure: I work for another antivirus company.)
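Both duskwuff's answer and the /dev/fd/<number> explanation above rest on the same fact, so here is one added shell demonstration of it (editor's example, not code from the question or any answer): /dev/fd/9 names whatever the calling process has open on descriptor 9, the entry exists only while that descriptor is open and only in a process holding it, and closing it leaves the file itself untouched. The sample file and its content are constructed for the demo; it runs on macOS and Linux.

```shell
#!/bin/sh
# Added example (not code from the question or the answers): /dev/fd/N names
# whatever *this* process has open on descriptor N. Shows that the entry exists
# only while the descriptor is open, only in a process that holds it, and that
# closing it does nothing to the underlying file.
# Works on macOS (fdesc filesystem) and Linux (/dev/fd -> /proc/self/fd).

# Constructed sample file: stands in for whatever the scanner had open on fd 9.
SAMPLE="$(mktemp "${TMPDIR:-/tmp}/devfd-demo.XXXXXX")"
printf 'constructed sample attachment\n' > "$SAMPLE"
trap 'rm -f "$SAMPLE"' EXIT

# "yes" if /dev/fd/9 currently resolves in the calling process, else "no".
fd9_present() {
    if [ -e /dev/fd/9 ]; then echo yes; else echo no; fi
}

# Open the sample on descriptor 9 and read it back through /dev/fd/9:
# the bytes come from the descriptor, not from any path name.
read_via_fd9() {
    exec 9< "$SAMPLE"
    cat /dev/fd/9
    exec 9<&-                  # close again; /dev/fd/9 is gone from this shell
}

# Presence check while descriptor 9 is open in this shell.
fd9_while_open() {
    exec 9< "$SAMPLE"
    fd9_present
    exec 9<&-
}

# A child that is not handed descriptor 9 (9<&- closes it for the child)
# sees no /dev/fd/9 even though its parent still holds the sample open on 9.
fd9_in_other_process() {
    exec 9< "$SAMPLE"
    sh -c 'if [ -e /dev/fd/9 ]; then echo yes; else echo no; fi' 9<&-
    exec 9<&-
}

# Closing (or never having) a descriptor is not deletion: the file is intact.
sample_still_exists() {
    if [ -s "$SAMPLE" ]; then echo yes; else echo no; fi
}

echo "bytes read through /dev/fd/9:         $(read_via_fd9)"
echo "/dev/fd/9 while open in this shell:   $(fd9_while_open)"
echo "/dev/fd/9 after it was closed:        $(fd9_present)"
echo "/dev/fd/9 in a child without fd 9:    $(fd9_in_other_process)"
echo "sample file still on disk afterwards: $(sample_still_exists)"
```

In the question's ls -la listing, entries 3, 4 and 5 are directory handles that ls itself opened while reading /dev/fd, so that listing describes the ls process, not the scanner; the scanner's /dev/fd/9 could only have been resolved from inside the scanner while it still held that descriptor.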









        If you were to find that email, save the ".rar" attachment to disk and rescan it, or even extract the Rar and scan "keygen.exe" on its own, I expect you would see the same result: "Worm.generic.269236". If you don't understand what's happening here, I strongly recommend that you don't extract the archive, even on a Mac. Instead, if you have any doubts about this detection being correct (eg. you think the file really is a key generator and nothing more), you should contact the antivirus support directly.



        (Full disclosure: I work for another antivirus company.)






        share|improve this answer












        You downloaded your email archive, and the virus scanner scanned it and found malware inside some attachments.



        Two emails had an attachment named Salfeld.Child.Control.2008.v9.975.0.0.rar, and inside that Rar archive there was a file named "Keygen.exe". The full directory name Salfeld.Child.Control.2008.v9.975.0.0.WinALL.Incl.Keygen-BRD suggests that this archive contained both Salfeld's "Child Control" product, and a key generator for it; the virus scanner believes that the "keygen" executable is actually malicious.



        Now, for one reason or another, the virus scanner wasn't able to show you an absolute path to the file(s) in which it found a detection. This may have been because it was scanning the emails mid-download, before saving to disk; or it may have been because it was scanning an archive containing 10 years' worth of emails, and needed to (temporarily) extract them somewhere.



        Either way, its fallback was to report the meaningless /dev/fd/<number> (which was only a valid file handle for the scanner process), followed by some more helpful details: email subject and date, the attachment name, and the filename within the Rar archive.



        If you were to find that email, save the ".rar" attachment to disk and rescan it, or even extract the Rar and scan "keygen.exe" on its own, I expect you would see the same result: "Worm.generic.269236". If you don't understand what's happening here, I strongly recommend that you don't extract the archive, even on a Mac. Instead, if you have any doubts about this detection being correct (eg. you think the file really is a key generator and nothing more), you should contact the antivirus support directly.



        (Full disclosure: I work for another antivirus company.)







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Nov 27 at 10:44









        JigglyNaga

        3,499828




        3,499828



























            draft saved

            draft discarded
















































            Thanks for contributing an answer to Unix & Linux Stack Exchange!


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.





            Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


            Please pay close attention to the following guidance:


            • Please be sure to answer the question. Provide details and share your research!

            But avoid


            • Asking for help, clarification, or responding to other answers.

            • Making statements based on opinion; back them up with references or personal experience.

            To learn more, see our tips on writing great answers.




            draft saved


            draft discarded














            StackExchange.ready(
            function ()
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f484115%2fthreats-found-in-dev-fd%23new-answer', 'question_page');

            );

            Post as a guest















            Required, but never shown





















































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown

































            Required, but never shown














            Required, but never shown












            Required, but never shown







            Required, but never shown






            Popular posts from this blog

            How to check contact read email or not when send email to Individual?

            Bahrain

            Postfix configuration issue with fips on centos 7; mailgun relay