

[Howto] Responding to false positives


What is a false positive?
A false positive is a warning that indicates a problem where there is none. Example: your Linux distribution updates a few commonly used binaries such as `ls` and `ps`. You (as a good sysadmin) install the new packages and, of course, run your daily Rootkit Hunter scan. Rootkit Hunter is not yet aware of the new files, so the scan reports them as "bad" files. This is a false positive.




False positives: MD5

Check the log file for details on which files have a wrong MD5 hash. If you recently updated system packages, find out which binaries those updates replaced and confirm that every mismatched file belongs to one of them (your package manager can verify an installed file against the checksum stored in its own package database). A mismatch on a file that no update touched is not a false positive and needs a closer look. If you are in doubt about the update, please fill in the contact form.




False positives: Hidden directories/files

Most system directories contain no hidden files or directories, but there are a few known exceptions.

Some known false positives:
- /dev/lcd
- /dev/watchdog
- /etc/.aumixrc
- /etc/.java
- /usr/.Trash-root
- /etc/.whostmgrft

If you are 100 percent sure a hidden directory/file is valid for your system, add it to the whitelist. See the configuration file for more information.
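As an added example (not Rootkit Hunter's own code; rkhunter keeps its whitelist in its own configuration file), the script below shows the whitelist logic: hidden entries directly below the scanned directories are listed, exact matches against a whitelist of known-good absolute paths are accepted, and everything else is reported. The whitelist file format (one absolute path per line) is an assumption for this example.

```shell
#!/bin/sh
# Added example, not rkhunter code. Whitelist file format (assumed here):
# one absolute path per line, matched exactly. Requires find and grep.

# Print hidden entries (names starting with ".") directly inside each directory
# given as an argument, one path per line.
find_hidden() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -mindepth 1 -maxdepth 1 -name '.*' | sort
    done
}

# $1 is the whitelist file; the remaining arguments are directories to scan.
# Prints "WHITELISTED <path>" or "WARNING hidden entry <path>".
# Returns 1 if any hidden entry is not on the whitelist.
report_hidden() {
    whitelist="$1"; shift
    status=0
    tmp=$(mktemp)
    find_hidden "$@" > "$tmp"
    while IFS= read -r p; do
        if grep -qxF "$p" "$whitelist"; then
            echo "WHITELISTED $p"
        else
            echo "WARNING hidden entry $p"
            status=1
        fi
    done < "$tmp"
    rm -f "$tmp"
    return $status
}
```

Whitelist the exact path of the entry you have verified, not its parent directory: an entry on the whitelist only silences the warning for that one name, and anything new appearing next to it is still reported.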




Contact form

In most cases a false positive can be eliminated easily by filling in the contact form.



Last updated by Michael at 19 March 2005


Copyright Rootkit.nl / Michael Boelen, 2003-2012
All rights reserved