Malware events triggering frequently on CentOS

Hello Community members


We have been seeing a lot of events on one of the Linux hosts, and they all have the same details and are successfully handled. This is an Artemis detection. I assume curl is trying to execute some commands; however, I'm not sure how to troubleshoot this scenario and get to the root cause of it. As per VirusTotal information, this appears to be a crypto-mining-related attempt.

Please advise how we can investigate:

- What curl is trying to execute

- Where these jobs are scheduled to run and what are they


McAfee Employee patrakshar

Re: Malware events triggering frequently on CentOS

The drive from where you are seeing this detection, is it shared with other users?

Once we have deleted the file from the location and it comes back again, that means there is some other process creating it, if not locally then remotely.

If your Artemis Level for OAS is set as Medium, then trigger an ODS (preferably offline) on that Linux box with same Artemis Level.

Once the ODS is complete, check if you are still seeing the detection from OAS.

Curl is a shared library here, so there is definitely some other application which is using it to trigger these events.

Re: Malware events triggering frequently on CentOS

Thanks patrakshar

Not sure if it's been shared with others.
I have validated in the SIEM whether there are any connections to this server from outside; however, I couldn't find any suspicious connections. They are getting detected / deleted and there are no pending-deletion malware events, so would scanning the server offline still be helpful? These are generating almost every minute.

So I was looking for some guidance on how to check curl execution history and some commands which will be helpful to see which process is creating it.
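An added example of the checks the question asks for (not code from this thread or from McAfee): where cron and systemd timers schedule curl, and which parent process actually launches it. It assumes the standard CentOS cron paths and a procps-style `ps`; run without `--live` it only defines the functions, so they can be tested against saved crontab copies or saved `ps` output.

```shell
#!/bin/sh
# Added example (not from the McAfee thread or ENS documentation): find which
# scheduled job or parent process keeps launching curl on a CentOS host.
# Assumes standard CentOS cron locations and a procps-style `ps`; the parsing
# functions take input as arguments/stdin so they also work on saved copies.

# Print non-comment crontab lines under $1 (file or directory) that invoke
# curl or wget, prefixed with the file name and line number.
find_curl_in_crontabs() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        grep -nE '^[^#]*\b(curl|wget)\b' "$f" 2>/dev/null | sed "s|^|$f:|"
    done
}

# Read `ps -eo pid,ppid,user,args` output on stdin and, for every curl process,
# print its ancestry back to PID 1; the first non-shell ancestor (crond, a
# systemd service, some dropper) is the process that really schedules it.
curl_with_parents() {
    awk 'NR > 1 {
             pid = $1; ppid = $2; user = $3
             $1 = $2 = $3 = ""; sub(/^ +/, "")
             cmd[pid] = $0; parent[pid] = ppid; owner[pid] = user
         }
         END {
             for (p in cmd) if (cmd[p] ~ /(^|\/| )curl( |$)/) {
                 line = "pid=" p " user=" owner[p] " [" cmd[p] "]"
                 q = parent[p]; depth = 0
                 while ((q in cmd) && depth++ < 32) {
                     line = line " <- " q " [" cmd[q] "]"; q = parent[q]
                 }
                 print line
             }
         }' | sort
}

# Run the checks against the live host: cron in all its locations, systemd
# timers (which survive a crontab cleanup), and the current process table.
live_triage() {
    echo "## crontab entries invoking curl/wget"
    for d in /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /var/spool/cron; do
        find_curl_in_crontabs "$d"
    done
    echo "## systemd timers"
    systemctl list-timers --all --no-pager 2>/dev/null
    echo "## curl processes and their ancestry"
    ps -eo pid,ppid,user,args | curl_with_parents
}

if [ "${1:-}" = "--live" ]; then live_triage; fi
```

On the affected host, `sh triage.sh --live` as root prints all three sections; a curl whose chain ends in crond points at a crontab entry, one under a systemd service points at a unit or timer.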
McAfee Employee patrakshar

Re: Malware events triggering frequently on CentOS

The suggestion of offline scanning was given considering that the machine is shared with others. If that is not the case, then you can directly trigger the ODS.

From the logging side we can only capture what is written within the logs. So if you can share the logs from the opt/isec/ens/threatprevention/var/ location, we can check more details.
