On 7/22/2015 7:23 AM, JD Ackle wrote:
> Hello,
>
> Currently, ClamAV run from Linux reports Docx.Exploit.CVE_2015_1770 in my
> Windows 8.1 install, in files:
> - pageFile.sys
> - Windows/System32/config/SOFTWARE (a piece of the Windows registry)
>
> If I understand it correctly, pageFile.sys works much like a Linux swap,
> hence basically containing RAM dumps. After removing the file from the
> Windows system and booting to it I noticed Windows just made a new one when
> needed, as I expected. Thus I am actually using that file as a checkpoint to
> track whether the system is clean or not - whether the virus appears in the
> volatile memory when Windows is run.
> When I first noticed the infection, pageFile.sys did not get infected upon a
> Windows startup without logging on a user (it would however otherwise,
> regardless of whether the user was an administrator or a regular one).
>
> I noticed the infection on Windows/System32/config/SOFTWARE later and moved
> it to Linux to try and fix it - even though I was not really sure how to do
> it. Upon giving up on the latter plan I simply tried booting onto Windows,
> which failed. Since copying the SOFTWARE file back in, pageFile.sys now
> becomes infected even if I don't log on any user.
> I presume the reason for this may be that the file lost its Windows
> permissions upon being copied to my Linux install and is now world-accessible,
> thus being run by the system even before an allowed user is logged on...?
>
> On the other hand, I am hesitant to consider this a false positive as ClamAV
> did detect another virus in my Windows system:
> - Program Files (x86)/Hewlett-Packard/Shared/WizLink.exe: Win.Worm.Tenga-113
> FOUND
> I don't need that file at all, so I simply deleted it and no further infections
> of that virus have been detected since.
> My Windows install was running considerably slow (especially network-related
> tasks) before removing that file and seems to have picked back up on its
> speed, so I am assuming the said virus has indeed, at least for the most
> common use of that system, been removed.
> However, I'm not sure whether this worm and the Docx.Exploit.CVE_2015_1770
> are not related...?
>
> No other infections were detected by ClamAV on the affected system and Norton
> Internet Security, which I have installed and running on Windows, doesn't
> seem to have ever noticed anything.
>
> So that's basically the full story.
> At this moment, I would like to know how I can remove
> Docx.Exploit.CVE_2015_1770 from Windows/System32/config/SOFTWARE (any
> particular key or value I should be looking for?), so that I'm sure it's not
> its loading into RAM at startup that's making its signature appear on
> /pageFile.sys.
>
> Thanks in advance,
> JD Ackle
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
I would suspect a false positive if a MS Office document virus is reported in anything other than an MS Office document.
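The reply's rule of thumb (an Office-document signature firing on a file that is not an Office document is probably a false positive) can be turned into a quick triage check. The following is an added example for this thread, not code from ClamAV or from either poster. It assumes a flagged file is available on disk and that ClamAV's OOXML-family signatures carry a "Docx."/"Xlsx."/"Pptx." name prefix (the "Docx." case is the one seen in the thread; the other two are assumed). The sample .docx and the fake "regf" registry hive it builds are constructed for the demonstration and contain no malicious content.

```python
import os
import tempfile
import zipfile

# Signature-name prefixes ClamAV uses for Office Open XML detections.
# "Docx." is the prefix of the hit in the thread; the others are assumed.
OOXML_SIG_PREFIXES = ("Docx.", "Xlsx.", "Pptx.")


def is_ooxml_document(path):
    """True only for a genuine OOXML package: a ZIP container whose central
    directory lists [Content_Types].xml and a main part (word/, xl/ or ppt/).
    A pagefile or a registry hive fails this check immediately."""
    if not zipfile.is_zipfile(path):
        return False
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return False
    return any(n.startswith(("word/", "xl/", "ppt/")) for n in names)


def describe_container(path):
    """Rough magic-byte description of what the flagged file actually is."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(b"PK\x03\x04"):
        return "zip container"
    if head.startswith(b"regf"):  # header magic of a Windows registry hive
        return "Windows registry hive"
    return "raw/unknown data"


def triage_hit(signature, path):
    """Classify a ClamAV hit. An OOXML-family signature on a file that is not
    an OOXML package most likely matched a byte pattern that happens to occur
    in unrelated data (swap contents, hive data), i.e. a false positive."""
    if not signature.startswith(OOXML_SIG_PREFIXES):
        return "not an OOXML signature; inspect by other means"
    if is_ooxml_document(path):
        return "plausible: OOXML signature on an OOXML document"
    return "likely false positive: OOXML signature on %s" % describe_container(path)


def build_samples(workdir):
    """Construct two harmless sample files: a minimal .docx package and a
    fake registry hive that begins with the 'regf' magic (constructed data)."""
    docx = os.path.join(workdir, "sample.docx")
    with zipfile.ZipFile(docx, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    hive = os.path.join(workdir, "SOFTWARE")
    with open(hive, "wb") as fh:
        fh.write(b"regf" + b"\x00" * 60)
    return docx, hive


def run_demo():
    """Triage the two constructed samples against the signature names from
    the thread and return the verdicts keyed by sample."""
    with tempfile.TemporaryDirectory() as tmp:
        docx, hive = build_samples(tmp)
        return {
            "docx": triage_hit("Docx.Exploit.CVE_2015_1770", docx),
            "hive": triage_hit("Docx.Exploit.CVE_2015_1770", hive),
            "worm": triage_hit("Win.Worm.Tenga-113", hive),
        }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(name, "->", verdict)
```

The check deliberately looks at the container structure rather than the file extension, since a signature hit on pageFile.sys or a hive tells you only that the pattern bytes are present somewhere in the file, not that an Office document is there; a verdict of "likely false positive" is the cue to report the sample to the ClamAV team rather than to start editing the registry.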