On Fri, Oct 15, 2004 at 10:16:42PM +0200, R. Schmidt wrote:
after applying the latest McAfee virusscan signature, I had to discover that VirusScan claimed
/usr/sbin/tickeradj
being infected with Linux/Rootkit-Dica.dam.
".dam" is a vendor-specific suffix used by McAfee to indicate a "damaged file" (a file that is damaged or corrupted by an infection).
I wonder if this is a false positive alert or if it is really infected.
So why don't you ask your av vendor first to get a qualified answer?
Send the suspected file in a password-protected zip-archive (with password "infected") to virus_research@nai.com so they can analyse this file (and possibly correct their virus definitions).
Further instructions can be found under http://vil.nai.com/vil/submit-sample.asp

If you can verify that the file in question is unmodified (in regard to the official suse version), I think it is most likely to be a false positive. But that is of course just a guess and no qualified answer :-)

--
Michel Messerschmidt lists@michel-messerschmidt.de
antiVirusTestCenter, Computer Science, University of Hamburg