Re: Re: Virus and file /proc/kcore
Once upon a time email@example.com said...
> I have rebooted the system. It still comes up with this file being
> HUGE and when I do a 'df' it shows that partition to be 100% full.
The 100% full will be because of something else. Files in the /proc
filesystem are not on the root partition (they are not on disk at all -
the files are all virtual, presenting information about the system as it
is currently running).
> I know that it was only about 45% full the other day.
Something else must have filled it up. Do you have a separate /var
partition? If not, check /var/tmp for stray files that can be deleted.
/tmp also, but that should be cleared automatically on boot.
> When I run f-prot again with -auto -delete it doesn't
> find any virus. If I do it with -noheur it finds the W32. I have to
> read a bit more to understand the ins and outs of this.
I think the virus scanner is picking up itself in the memory image. For
the scanner to be able to detect a virus signature, it must contain the
virus signature in its own code. When f-prot looks in /proc/kcore, it
sees its own memory (as well as other memory), and sees the virus
signatures, fooling it into thinking it has found a virus.
> Another thing. I have a separate /usr partition. Can I wipe the /
> partition and reinstall it without changing the other partition?
I don't think it is necessary for you to wipe any partitions. From what
you have said so far, it is unlikely you have a virus. Instead look
around your root filesystem for the file that is taking up all your
space (it will NOT be in /proc).
Hope this helps.
Cameron Hutchison (firstname.lastname@example.org) | Onward To Mars
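
The check described in the reply above, as an added example that is not part of the original message: a POSIX shell sketch that lists the largest files on one filesystem without descending into /proc or other mounts, and compares a file's apparent size with the disk space it actually occupies. The function names `largest_files` and `apparent_vs_allocated` are illustrative assumptions.

```shell
#!/bin/sh
# Added example: find what is really filling a partition.
# Function names are hypothetical, chosen for this illustration.

# Print the N largest regular files under DIR, ranked by allocated
# disk space in KiB. -xdev keeps find on DIR's own filesystem, so
# /proc and separately mounted /usr or /var are never entered.
# (File names containing newlines are not handled.)
largest_files() {
    dir=$1
    count=${2:-10}
    find "$dir" -xdev -type f -exec du -k {} + 2>/dev/null |
        sort -rn | head -n "$count"
}

# Print "<apparent bytes> <allocated KiB>" for one file.
# ls reports the size the file claims to have; du reports the blocks
# it occupies on disk. For a virtual file such as /proc/kcore the
# first number is huge and the second is 0.
apparent_vs_allocated() {
    bytes=$(ls -ln -- "$1" | awk '{print $5}')
    kib=$(du -k -- "$1" | awk '{print $1}')
    printf '%s %s\n' "$bytes" "$kib"
}

# Run a scan only when a directory is given on the command line,
# e.g.:  sh thisfile.sh / 20
if [ "$#" -gt 0 ]; then
    largest_files "$1" "${2:-10}"
fi
```

Running it against / as root shows the files that account for the space `df` reports, and `apparent_vs_allocated /proc/kcore` shows why that file cannot be the cause.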