Hi list,

Our developers use some nodejs code and today we got a hit in one of the libraries:

/workspace/node_modules/@babel/compat-data/build/compat-table/es6/index.html: Win.Exploit.CVE_11844-6367494-1 FOUND

In the daily.ldb it's defined like this:

Win.Exploit.CVE_11844-6367494-1;Engine:51-255,Target:3;0&1&2&3;70726f7879{-6}6765746f776e70726f706572747964657363726970746f72*6765746f776e70726f706572747964657363726970746f72;6172726179627566666572;75696e7433326172726179;6576616c

It expands to the following "readable":

proxy{-6}getownpropertydescriptor*getownpropertydescriptor AND arraybuffer AND uint32array AND eval

What I don't know is what the "{-6}" and the "*" mean in the first row. I didn't find that information in the online documentation on the ClamAV website.

Anyway, to me it seems this rule is a bit too general and it is probably a FP.

Here's the VirusTotal link:
https://www.virustotal.com/gui/file/4ab64e16dfecabbb63e7b2ba5b2fbb369e6545b29efe3a5a295f508301068f5a/detection

And the hash:

$ sha256sum index.html
4ab64e16dfecabbb63e7b2ba5b2fbb369e6545b29efe3a5a295f508301068f5a index.html

Thanks,
Mikael
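Added example, not part of the original message and not ClamAV code: in ClamAV's body-signature syntax `{-6}` matches 6 or fewer arbitrary bytes and `*` matches any number of bytes, so the quoted rule can be translated to regexes and replayed against a file when triaging a suspected false positive. Assumptions: the two sample inputs are constructed, lowercasing stands in for the HTML normalization that Target:3 implies, and only the wildcard forms listed in the comment and pure-AND expressions are handled.

```python
import re

# daily.ldb entry quoted in the message above
SIG = ("Win.Exploit.CVE_11844-6367494-1;Engine:51-255,Target:3;0&1&2&3;"
       "70726f7879{-6}6765746f776e70726f706572747964657363726970746f72"
       "*6765746f776e70726f706572747964657363726970746f72;"
       "6172726179627566666572;75696e7433326172726179;6576616c")

# Subsignature tokens handled here: hex byte, ??, *, {n}, {-n}, {n-}, {n-m}
TOKEN = re.compile(r"([0-9a-fA-F]{2})|(\?\?)|(\*)|\{(\d+)\}|\{(\d*)-(\d*)\}")

def subsig_to_regex(subsig):
    """Translate one hex subsignature into an equivalent bytes regex."""
    parts, pos = [], 0
    while pos < len(subsig):
        m = TOKEN.match(subsig, pos)
        if not m:
            raise ValueError(f"unsupported token at offset {pos}")
        hexbyte, anybyte, star, exact, lo, hi = m.groups()
        if hexbyte:
            parts.append(re.escape(bytes.fromhex(hexbyte)))
        elif anybyte:
            parts.append(b".")                        # ?? = any single byte
        elif star:
            parts.append(b".*?")                      # *  = any number of bytes
        elif exact:
            parts.append(b".{%s}" % exact.encode())   # {n} = exactly n bytes
        else:                                         # {-n}, {n-}, {n-m}
            parts.append(b".{%s,%s}" % ((lo or "0").encode(), hi.encode()))
        pos = m.end()
    return re.compile(b"".join(parts), re.DOTALL)

def matches(line, data):
    """Evaluate a logical signature whose expression is a plain AND chain."""
    _name, _tdb, expr, *subsigs = line.split(";")
    if not re.fullmatch(r"\d+(&\d+)*", expr):
        raise ValueError("only AND expressions are handled")
    regexes = [subsig_to_regex(s) for s in subsigs]
    data = data.lower()  # simplification of Target:3 (normalized HTML)
    return all(regexes[int(i)].search(data) for i in expr.split("&"))

# Constructed, harmless feature-test style snippet (not the real index.html)
BENIGN = b"""<script>
// Proxy "getOwnPropertyDescriptor" handler
var d = Object.getOwnPropertyDescriptor({}, "x");
new Uint32Array(new ArrayBuffer(8)); eval("1");
</script>"""
# Same text with 9 bytes between "proxy" and the first keyword: {-6} fails
WIDE_GAP = BENIGN.replace(b'Proxy "', b'Proxy trap:  "')
```

Calling `matches(SIG, open(path, "rb").read())` on the flagged file gives a quick indication of which content satisfies the rule; ClamAV's real normalizer does more than lowercasing, so treat the result as a triage aid rather than an exact replay.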