Clamscan reports Unix.Tool.Pnscan-8031486-0 in 1.12+git20180612-2 pnscan version

Bug #1968806 reported by Bob Presswood
This bug affects 1 person
Affects: pnscan (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

My system showed unusually high memory and swap usage for a few weeks, also occasional lags in situations when it was always brisk before. I naturally ran clamscan to check. Pnscan was flagged as containing the malware. I removed and purged pnscan, and continued to scan for anything else out of line. Saw nothing else, and rebooted. Memory and swap usage was normal for several hours. Then I reinstalled pnscan from the repository. Clamscan reported Unix.Tool.Pnscan-8031486-0 in pnscan again. So I removed and purged pnscan again.

I recognize that clamscan could be misleading here, but I never saw this report before, and it's clear that my memory and swap issues haven't returned.

I'm going to suggest this is a security vulnerability, even though the clamscan result might be misleading.

lsb_release -rd
Description: Ubuntu 20.04.4 LTS
Release: 20.04

uname -a
Linux ryzen7 5.4.0-107-lowlatency #121-Ubuntu SMP PREEMPT Thu Mar 24 16:45:08 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

pnscan 1.12+git20180612-2

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: pnscan 1.12+git20180612-2
ProcVersionSignature: Ubuntu 5.4.0-107.121-lowlatency 5.4.174
Uname: Linux 5.4.0-107-lowlatency x86_64
ApportVersion: 2.20.11-0ubuntu27.23
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: KDE
Date: Tue Apr 12 20:48:45 2022
InstallationDate: Installed on 2012-12-03 (3417 days ago)
InstallationMedia: Kubuntu 12.10 "Quantal Quetzal" - Release amd64 (20121017.1)
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: pnscan
UpgradeStatus: Upgraded to focal on 2020-04-29 (713 days ago)

Bob Presswood (rpressw) wrote :
information type: Private Security → Public Security
Changed in pnscan (Ubuntu):
status: New → Incomplete
Seth Arnold (seth-arnold) wrote :

Hello, my guess is clamav is helpfully pointing out that the program exists at all; I doubt it has any intelligence beyond looking for a few markers for pnscan within files named pnscan.

Diagnosing load issues takes a bit of work; I suggest starting with https://www.brendangregg.com/blog/2015-12-03/linux-perf-60s-video.html to get a feeling of useful steps to take.

Thanks

Bob Presswood (rpressw) wrote : Re: [Bug 1968806] Re: Clamscan reports Unix.Tool.Pnscan-8031486-0 in 1.12+git20180612-2 pnscan version

Hi,

I'm familiar with Brendan Gregg, although I haven't been following him
closely. I have admired his work and sometimes I regret not buying his
books yet.

If you have the impression that my concern is with some load issue, let me
clarify. I have not been using pnscan for any purpose. I just saw that it
was described as a multi-threaded port scanner, and thought it might be
useful in my work someday. I encountered the clamscan flag of pnscan when
I was investigating why memory and swap usage were becoming unusually high
on one of my systems. I don't see any reason to have certainty that pnscan
has anything to do with that problem. I didn't see it in the process
table, anyway. But I was uneasy when I saw this result. And more uneasy
when clamscan had the same complaint with a fresh install of pnscan from
the repository.

One thing I didn't mention in the original submission is that when I
researched the clamscan complaint while pnscan was still installed (by
looking for "Unix.Tool.Pnscan-8031486-0"), a weird graphic appeared on the
screen of a frog (I think it was a frog) with a big smile, holding a fishing
pole with a line in a hole (ice hole?). That was freaky and unnerving.
When I repeated this search (several times) after pnscan was purged, I no
longer saw this graphic.

Now, it's rational that some malware might incorporate code from pnscan
for its own purposes, and maybe that's what clamscan wants to be looking
for, but if clamscan doesn't incorporate any mechanism to distinguish
between that malware and pnscan, then confusion results. If you haven't
contacted the clamav folks on this point, I'll do that.

On Tue, Apr 19, 2022 at 8:35 PM Seth Arnold <email address hidden>
wrote:

> Hello, my guess is clamav is helpfully pointing out that the program
> exists at all; I doubt it has any intelligence beyond looking for a few
> markers for pnscan within files named pnscan.
>
> Diagnosing load issues takes a bit of work; I suggest starting with
> https://www.brendangregg.com/blog/2015-12-03/linux-perf-60s-video.html
> to get a feeling of useful steps to take.
>
> Thanks

Bob Presswood (rpressw) wrote :

But maybe you're thinking that there's malware which loads pnscan? If so,
that's different. At the same time I'd be hesitant to reinstall pnscan to
investigate that.

On Tue, Apr 19, 2022 at 9:29 PM Bob Presswood <email address hidden> wrote:

> Hi,
>
> I'm familiar with Brendan Gregg, although I haven't been following him
> closely. I have admired his work and sometimes I regret not buying his
> books yet.
>
> If you have the impression that my concern is with some load issue, let me
> clarify. I have not been using pnscan for any purpose. I just saw that it
> was described as a multi-threaded port scanner, and thought it might be
> useful in my work someday. I encountered the clamscan flag of pnscan when
> I was investigating why memory and swap usage were becoming unusually high
> on one of my systems. I don't see any reason to have certainty that pnscan
> has anything to do with that problem. I didn't see it in the process
> table, anyway. But I was uneasy when I saw this result. And more uneasy
> when clamscan had the same complaint with a fresh install of pnscan from
> the repository.
>
> One thing I didn't mention in the original submission is that when I
> researched the clamscan complaint while pnscan was still installed (by
> looking for "Unix.Tool.Pnscan-8031486-0"), a weird graphic appeared on the
> screen of a frog (I think it was a frog) with a big smile, holding a fishing
> pole with a line in a hole (ice hole?). That was freaky and unnerving.
> When I repeated this search (several times) after pnscan was purged, I no
> longer saw this graphic.
>
> Now, it's rational that some malware might incorporate code from pnscan
> for its own purposes, and maybe that's what clamscan wants to be looking
> for, but if clamscan doesn't incorporate any mechanism to distinguish
> between that malware and pnscan, then confusion results. If you haven't
> contacted the clamav folks on this point, I'll do that.

Seth Arnold (seth-arnold) wrote :

The frog is definitely weird, but clamscan is almost certainly just reporting a tool that might be used by attackers. There's lots of those. Does it also report tcpdump? wireshark? ettercap? nc? telnet? nmap? socat? stunnel?

Thanks
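
Added example, not part of the original thread or of ClamAV: a triage helper that splits each clamscan detection into its signature fields and checks the flagged file against the package's dpkg md5sums record, to separate "the repository's own copy of a tool" from a modified or unpackaged file. It assumes the signature layout platform.category.name-id-revision and the path /usr/bin/pnscan; the sample scan output, file bytes and md5sums text are constructed.

```python
import hashlib
import re

# clamscan prints "<path>: <signature> FOUND" for each detection.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")
# Assumed signature layout: platform.category.name-signatureid-revision
SIG_RE = re.compile(
    r"^(?P<platform>[^.]+)\.(?P<category>[^.]+)\.(?P<name>.+)-(?P<sid>\d+)-(?P<rev>\d+)$"
)

def parse_detections(clamscan_output):
    """Return one dict per FOUND line, with the signature name split up."""
    hits = []
    for line in clamscan_output.splitlines():
        m = FOUND_RE.match(line.strip())
        if not m:
            continue  # "OK" lines and the scan summary are skipped
        sig = SIG_RE.match(m["sig"])
        fields = sig.groupdict() if sig else {"category": "unparsed"}
        hits.append({"path": m["path"], "signature": m["sig"], **fields})
    return hits

def packaged_md5(md5sums_text, path):
    """Look up a path in dpkg md5sums text ("<md5>  <path without leading />")."""
    for line in md5sums_text.splitlines():
        digest, _, rel = line.partition("  ")
        if "/" + rel.strip() == path:
            return digest
    return None

def triage(hit, file_bytes, md5sums_text):
    """Classify a detection by package ownership and signature category."""
    expected = packaged_md5(md5sums_text, hit["path"])
    if expected is None:
        return "not-packaged"        # no package claims this path
    # MD5 only because that is what dpkg records; it catches accidental or
    # naive changes, not an attacker who also rewrote the dpkg database.
    if hashlib.md5(file_bytes).hexdigest() != expected:
        return "modified"            # differs from what the package shipped
    return "packaged-tool" if hit["category"] == "Tool" else "packaged-detection"

# Constructed sample data (not taken from the reporter's system).
SAMPLE_BINARY = b"constructed stand-in for the packaged pnscan binary"
SAMPLE_MD5SUMS = hashlib.md5(SAMPLE_BINARY).hexdigest() + "  usr/bin/pnscan\n"
SAMPLE_SCAN = """/usr/bin/nmap: OK
/usr/bin/pnscan: Unix.Tool.Pnscan-8031486-0 FOUND
/tmp/.cache/pnscan: Unix.Tool.Pnscan-8031486-0 FOUND
"""
```

On a real system the md5sums text would come from /var/lib/dpkg/info/pnscan.md5sums and the bytes from the flagged file.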

Bob Presswood (rpressw) wrote :

Pnscan was the only report. I've been looking over the summaries
for Pnscan-8031486-0 at https://malware.prevasio.io/ and it's obvious that
pnscan is used by multiple malware packages and even a miner. In no case
are the ancillary files in the summaries present on my system. But if they
were ever there, they could have been auto-cleaned once pnscan was purged.

It appears to me that this instance is something which probably can't be
pursued further. In a way pnscan presence may just be an invitation.

Thanks.

On Tue, Apr 19, 2022 at 10:15 PM Seth Arnold <email address hidden>
wrote:

> The frog is definitely weird, but clamscan is almost certainly just
> reporting a tool that might be used by attackers. There's lots of those.
> Does it also report tcpdump? wireshark? ettercap? nc? telnet? nmap?
> socat? stunnel?
>
> Thanks

Launchpad Janitor (janitor) wrote :

[Expired for pnscan (Ubuntu) because there has been no activity for 60 days.]

Changed in pnscan (Ubuntu):
status: Incomplete → Expired