Hi,

For me, OSSEC is continuously triggering the following alert message when it is doing its daily rootkit checks:

OSSEC HIDS Notification.
2012 Aug 19 04:33:47

Received From: (web-agent) 192.168.0.115->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

Anomaly detected in file '/tmp/clamav-e6d074726ae187561c8cdee65748cc53'. Hidden from stats, but showing up on readdir. Possible kernel level rootkit.

--END OF NOTIFICATION

The name of the tmp file changes in each alert. Is it a false positive? Hoping that it is, any idea what's causing this file to be hidden from stats?

Thanks in advance,
Teres