Clamtk reports these LibreOffice files as possible threats. Are they safe? [closed]

Solution 1:

You really need some sort of HIDS system to run in conjunction with clamav.

clamav is notorious for "false positives"; you can easily find many posts throughout the internet testifying that these false positives can be ignored...

BUT ...

Clamav has a mechanism to report false positives if you believe you have a false positive - https://www.clamav.net/reports/fp

Although ignoring false positives is a common practice, I will just add a little detail / caution / suggestions ...

You need to start with a known good system, such as a fresh install. You then install and configure some sort of HIDS (OSSEC, AIDE, ...).

See http://opensourceforu.com/2017/04/best-open-source-network-intrusion-detection-tools/ or a google search for options.

You then run clamav and investigate false positives.

You can determine if a package installed a file; on a fresh install, you sort of have to assume that such files are clean. You do not have to make such an assumption, but then you enter a deep dark hole of paranoia, and if you do not trust the Ubuntu repositories you are sort of in for a lot of footwork out of the gate.

You verify a file with debsums:

sudo debsums -ac

See https://blog.sleeplessbeastie.eu/2015/03/02/how-to-verify-installed-packages/ or the debsums man page for further details.

You then are starting with a known good system and you know what clamav reports with a clean, fresh install.

When you run clamav you can compare it to your fresh install via debsums and HIDS.

You update HIDS and your clamav list of known false positives after every update and package installation by confirming the debsums.

If you have an alert from clamav you look at the file history in HIDS and debsums to determine if the file is (still) intact / a false positive or if there has been an unexpected change to the files.

I fully understand what I am suggesting is very cumbersome, and many people do not do all these steps, but ...

If you are not going to investigate what clamav is guiding you to investigate, why run clamav at all?
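The triage loop described in this answer (take each clamav hit, check whether the file belongs to an installed package, and compare its current checksum with the one dpkg recorded at install time) can be automated. The following is an added example, not code from the answer or from debsums; it re-implements the core of the debsums check in Python against constructed clamscan output, constructed file contents and a constructed stand-in for the `/var/lib/dpkg/info/<package>.md5sums` files, so it runs offline. Paths, package names and the signature name are all made up for the demonstration.

```python
import hashlib
import re

# clamscan prints one line per file: "<path>: <signature> FOUND" or "<path>: OK".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Constructed clamscan output (signature name is a placeholder, not a real ClamAV one).
CLAMSCAN_OUTPUT = """\
/usr/lib/libreoffice/share/basic/Tools/Misc.xba: Constructed.Macro.Sig FOUND
/usr/lib/libreoffice/share/basic/Tools/Strings.xba: Constructed.Macro.Sig FOUND
/home/user/Downloads/invoice.odt: Constructed.Macro.Sig FOUND
/usr/lib/libreoffice/program/soffice.bin: OK
"""

# Constructed file contents standing in for what is currently on disk.
FILES = {
    "/usr/lib/libreoffice/share/basic/Tools/Misc.xba": b"<!-- shipped by the package -->\n",
    "/usr/lib/libreoffice/share/basic/Tools/Strings.xba": b"<!-- altered after install -->\n",
    "/home/user/Downloads/invoice.odt": b"PK\x03\x04 constructed document\n",
}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Constructed stand-in for dpkg's <package>.md5sums files, in dpkg's real format:
# "<md5 hex>  <path relative to />". Strings.xba's recorded sum is deliberately
# that of different content, to simulate a file changed since installation.
PACKAGE_MD5SUMS = {
    "libreoffice-common": (
        f"{md5_hex(FILES['/usr/lib/libreoffice/share/basic/Tools/Misc.xba'])}  "
        "usr/lib/libreoffice/share/basic/Tools/Misc.xba\n"
        f"{md5_hex(b'original content at install time')}  "
        "usr/lib/libreoffice/share/basic/Tools/Strings.xba\n"
    ),
}

def load_md5sums(md5sums_by_package):
    """Build {absolute path: (package, recorded md5)} from md5sums file texts."""
    index = {}
    for package, text in md5sums_by_package.items():
        for line in text.splitlines():
            if line.strip():
                digest, rel_path = line.split("  ", 1)
                index["/" + rel_path] = (package, digest)
    return index

def classify(path, index, files):
    """Return (verdict, package): intact / modified for packaged files, else unpackaged."""
    if path not in index:
        return ("unpackaged", None)
    package, expected = index[path]
    actual = md5_hex(files[path]) if path in files else None
    return ("intact" if actual == expected else "modified", package)

def triage(clamscan_output, index, files):
    """Map every clamscan FOUND hit to its debsums-style verdict; OK lines are skipped."""
    hits = (FOUND_RE.match(line) for line in clamscan_output.splitlines())
    return {m["path"]: classify(m["path"], index, files) for m in hits if m}
```

An "intact" verdict means the flagged file is byte-for-byte what the package shipped, which is the situation where a false-positive report to ClamAV is appropriate; "modified" or "unpackaged" hits are the ones that warrant the HIDS file-history check the answer describes.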

Solution 2:

Yes. They're discovered as LibreOffice Macros. Macros may pose a security risk, like all other software, but these are distributed as part of the installation, and are vetted by the creators of LibreOffice.

A good thing to do when finding a file highlighted by clamav (or any other AV) is to google for what the AV engine finds.