[clamav-users] Analyzing a possible FP

Alain Zidouemba azidouemba at sourcefire.com
Fri Feb 7 15:07:28 UTC 2020


We're taking a look at the FP you reported.

Thanks,

-Alain

On Fri, Feb 7, 2020 at 9:24 AM Mikael Bak <mikael.bak at techteamer.com> wrote:

> Hi list,
>
> Our developers use some nodejs code and today we got a hit in one of
> the libraries:
>
>
> /workspace/node_modules/@babel/compat-data/build/compat-table/es6/index.html:
> Win.Exploit.CVE_11844-6367494-1 FOUND
>
> In the daily.ldb it's defined like this:
>
> Win.Exploit.CVE_11844-6367494-1;Engine:51-255,Target:3;0&1&2&3;70726f7879{-6}6765746f776e70726f706572747964657363726970746f72*6765746f776e70726f706572747964657363726970746f72;6172726179627566666572;75696e7433326172726179;6576616c
>
> It expands to the following "readable":
>
> proxy{-6}getownpropertydescriptor*getownpropertydescriptor
>
> AND
>
> arraybuffer
>
> AND
>
> uint32array
>
> AND
>
> eval
>
> What I don't know is what the "{-6}" and the "*" means in the first
> row. I didn't find that information in the online documentation on the
> clamav website.
>
> Anyway, to me it seems this rule is a bit too general and it is probably a
> FP.
>
> Here's the virustotal link:
>
> https://www.virustotal.com/gui/file/4ab64e16dfecabbb63e7b2ba5b2fbb369e6545b29efe3a5a295f508301068f5a/detection
>
> And the hash:
> $ sha256sum index.html
> 4ab64e16dfecabbb63e7b2ba5b2fbb369e6545b29efe3a5a295f508301068f5a
> index.html
>
> Thanks,
> Mikael
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users at lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
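The signature format in the quoted message, as an added example that is not part of the original thread and not ClamAV's own code: a Python script that splits a .ldb logical-signature line into its fields, decodes each hex subsignature into the readable form shown above, and models the two wildcards of ClamAV's body-signature syntax (`*` matches any number of bytes, `{-6}` matches at most 6 bytes) as a regular expression. It then evaluates the logical expression `0&1&2&3` (all four subsignatures must match) against a constructed HTML snippet resembling a JavaScript feature-compatibility table, which illustrates why a page that lists Proxy, getOwnPropertyDescriptor, ArrayBuffer, Uint32Array and eval together trips every subsignature. Lowercasing stands in for ClamAV's HTML normalizer (a simplification: the real normalizer also strips comments and collapses whitespace); the sample HTML, the benign page and the helper names are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# The daily.ldb entry quoted in the thread (copied verbatim from the message).
SIG_LINE = (
    "Win.Exploit.CVE_11844-6367494-1;Engine:51-255,Target:3;0&1&2&3;"
    "70726f7879{-6}6765746f776e70726f706572747964657363726970746f72"
    "*6765746f776e70726f706572747964657363726970746f72;"
    "6172726179627566666572;75696e7433326172726179;6576616c"
)

# Constructed HTML resembling a JS feature-compatibility table (not the real file).
SAMPLE_HTML = """<html><body><table>
<tr><td>Proxy getOwnPropertyDescriptor trap</td><td>Reflect.getOwnPropertyDescriptor</td></tr>
<tr><td>ArrayBuffer</td><td>Uint32Array</td><td>indirect eval</td></tr>
</table></body></html>"""

# Constructed page that mentions only two of the four terms, so the AND fails.
BENIGN_HTML = "<p>Use an ArrayBuffer and never call eval on untrusted input.</p>"

# Body-signature tokens: '*' (any bytes), '{n}', '{-n}', '{n-}', '{n-m}', '??' (any byte), hex pairs.
TOKEN_RE = re.compile(r"\*|\{[^}]*\}|\?\?|[0-9a-fA-F]{2}")


@dataclass
class LogicalSig:
    name: str
    target: dict      # e.g. {"Engine": "51-255", "Target": "3"}; Target:3 is normalized HTML
    expr: str         # logical expression over subsignature indices, e.g. "0&1&2&3"
    subsigs: list     # hex bodies, one per index


def parse_ldb_line(line: str) -> LogicalSig:
    """Split 'Name;TargetDescription;LogicalExpression;Subsig0;Subsig1;...'."""
    name, tdesc, expr, *subsigs = line.strip().split(";")
    target = dict(part.split(":", 1) for part in tdesc.split(","))
    return LogicalSig(name, target, expr, subsigs)


def decode_subsig(hexsig: str):
    """Return (readable, regex) for one hex subsignature, keeping wildcards visible."""
    readable, pattern, pos = [], [], 0
    for m in TOKEN_RE.finditer(hexsig):
        if m.start() != pos:
            raise ValueError(f"unsupported token near offset {pos}: {hexsig[pos:pos+8]!r}")
        pos, tok = m.end(), m.group()
        if tok == "*":                      # any number of bytes
            readable.append("*"); pattern.append(".*")
        elif tok == "??":                   # exactly one arbitrary byte
            readable.append("?"); pattern.append(".")
        elif tok.startswith("{"):           # byte-count range
            lo, dash, hi = tok[1:-1].partition("-")
            if not dash:                    # {n}: exactly n bytes
                lo = hi = tok[1:-1]
            readable.append(tok)
            pattern.append(".{%s,%s}" % (lo or "0", hi))
        else:                               # literal byte
            ch = bytes.fromhex(tok).decode("latin-1")
            readable.append(ch); pattern.append(re.escape(ch))
    if pos != len(hexsig):
        raise ValueError(f"trailing garbage in subsignature: {hexsig[pos:]!r}")
    return "".join(readable), "".join(pattern)


def eval_logical(expr: str, hits: list) -> bool:
    """Evaluate '&', '|' and parentheses over subsignature hits ('&' binds tighter).
    Count modifiers such as '0>3' are not modelled here (constructed example)."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr:
        raise ValueError(f"unsupported logical expression: {expr!r}")
    i = 0

    def parse_or():
        nonlocal i
        v = parse_and()
        while i < len(tokens) and tokens[i] == "|":
            i += 1; rhs = parse_and(); v = v or rhs
        return v

    def parse_and():
        nonlocal i
        v = parse_atom()
        while i < len(tokens) and tokens[i] == "&":
            i += 1; rhs = parse_atom(); v = v and rhs
        return v

    def parse_atom():
        nonlocal i
        tok = tokens[i]; i += 1
        if tok == "(":
            v = parse_or()
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError("unbalanced parentheses")
            i += 1
            return v
        return bool(hits[int(tok)])

    result = parse_or()
    if i != len(tokens):
        raise ValueError("unexpected trailing tokens")
    return result


def scan_html(sig: LogicalSig, html: str):
    """Return (per-subsig hits, overall verdict). Lowercasing approximates ClamAV's
    HTML normalization for Target:3 (assumption: simplified, not the real normalizer)."""
    normalized = html.lower()
    hits = [re.search(decode_subsig(s)[1], normalized, re.DOTALL) is not None
            for s in sig.subsigs]
    return hits, eval_logical(sig.expr, hits)


if __name__ == "__main__":
    sig = parse_ldb_line(SIG_LINE)
    print(sig.name, sig.target, "expr:", sig.expr)
    for idx, s in enumerate(sig.subsigs):
        print(f"  subsig {idx}: {decode_subsig(s)[0]}")
    print("compat-table-like page:", scan_html(sig, SAMPLE_HTML))
    print("benign page:           ", scan_html(sig, BENIGN_HTML))
```

Running the script prints the four readable subsignatures exactly as Mikael decoded them and shows the constructed compat-table page matching all four (verdict True) while the benign page matches only subsignatures 1 and 3 (verdict False). The point for triage is that every term is an ordinary ES6 identifier, so a document that enumerates JavaScript features is enough to satisfy the whole conjunction; a signature reviewer would want at least one subsignature that is specific to the exploit's code rather than to the APIs it uses.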