Hi list,
Our developers use some nodejs code and today we got a hit in one of
the libraries:
/workspace/node_modules/@babel/compat-data/build/compat-table/es6/index.html:
Win.Exploit.CVE_11844-6367494-1 FOUND
In the daily.ldb it's defined like this:
Win.Exploit.CVE_11844-6367494-1;Engine:51-255,Target:3;0&1&2&3;70726f7879{-6}6765746f776e70726f706572747964657363726970746f72*6765746f776e70726f706572747964657363726970746f72;6172726179627566666572;75696e7433326172726179;6576616c
It expands to the following "readable":
proxy{-6}getownpropertydescriptor*getownpropertydescriptor
AND
arraybuffer
AND
uint32array
AND
eval
What I don't know is what the "{-6}" and the "*" mean in the first
row. I didn't find that information in the online documentation on the
clamav website.
Anyway, to me it seems this rule is a bit too general and it is probably a FP.
Here's the virustotal link:
https://www.virustotal.com/gui/file/4ab64e16dfecabbb63e7b2ba5b2fbb369e6545b29efe3a5a295f508301068f5a/detection
And the hash:
$ sha256sum index.html
4ab64e16dfecabbb63e7b2ba5b2fbb369e6545b29efe3a5a295f508301068f5a index.html
Thanks,
Mikael
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
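Added example (not part of the original message, and not ClamAV's own code): a small Python decoder for the logical signature quoted above, which rebuilds the readable form and tests it against text. In ClamAV's body-signature syntax `*` matches any number of bytes and `{-n}` matches n or fewer bytes. The function names and the sample input are constructed for illustration, and only flat `&` expressions are handled.

```python
import re

# Signature line copied from the message above (daily.ldb).
SIG = ("Win.Exploit.CVE_11844-6367494-1;Engine:51-255,Target:3;0&1&2&3;"
       "70726f7879{-6}6765746f776e70726f706572747964657363726970746f72*"
       "6765746f776e70726f706572747964657363726970746f72;"
       "6172726179627566666572;75696e7433326172726179;6576616c")
TOKEN = re.compile(r"((?:[0-9a-fA-F]{2})+)|(\*)|(\?\?)|\{(\d*)(-?)(\d*)\}")

def subsig_to_regex(subsig):
    """Translate hex runs, '*', '??' and '{n}' style gaps into a bytes regex."""
    out, pos = b"", 0
    for m in TOKEN.finditer(subsig):
        if m.start() != pos:
            raise ValueError("unsupported token at offset %d" % pos)
        pos = m.end()
        hexrun, star, anybyte, lo, dash, hi = m.groups()
        if hexrun:
            out += re.escape(bytes.fromhex(hexrun))
        elif star:
            out += b".*?"                      # '*': any number of bytes
        elif anybyte:
            out += b"."                        # '??': any single byte
        elif dash:                             # {-n}, {n-} or {n-m}
            out += b".{%s,%s}" % ((lo or "0").encode(), hi.encode())
        else:
            out += b".{%s}" % lo.encode()      # {n}: exactly n bytes
    if pos != len(subsig):
        raise ValueError("unsupported token at offset %d" % pos)
    return re.compile(out, re.DOTALL)

def scan(sig_line, data):
    """Return (name, readable subsigs, verdict) for a flat '&'-only expression."""
    name, _tdb, expr, *subsigs = sig_line.split(";")
    if not re.fullmatch(r"\d+(&\d+)*", expr):
        raise ValueError("only '&' chains are handled here")
    hits = [bool(subsig_to_regex(s).search(data)) for s in subsigs]
    readable = [TOKEN.sub(lambda m: bytes.fromhex(m.group(1)).decode("latin-1")
                          if m.group(1) else m.group(0), s) for s in subsigs]
    return name, readable, all(hits[int(i)] for i in expr.split("&"))

# Constructed sample: harmless feature-test text, lowercased as a stand-in
# for the normalisation ClamAV applies to Target:3 (HTML) files.
BENIGN = b"""<td>proxy, getownpropertydescriptor handler</td>
<td>reflect.getownpropertydescriptor</td>
<td>arraybuffer</td><td>uint32array</td><td>eval("1+1")</td>"""

if __name__ == "__main__":
    print(scan(SIG, BENIGN))
```

The constructed text contains nothing but ordinary JavaScript feature names, yet all four subsignatures hit, which is the breadth the message is pointing at.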