Clam.Win.Exploit.CVE_2019_0903-6966169-0 False Positive on Chrome Cache files and .rbf/Config.Msi files

[mark33w]

Immunet ClamAV is quarantining my google chrome cache files (C:\Users\User_Name\AppData\Local\Google\Chrome\User Data\Default\Cache\). The files in here all start with f_ followed by numbers. They appear to be cache files used for uploading files in the browser and maybe other things. This is basically making Chrome unable to upload files to some web apps such as facebook as the quarantine of these cache files is blocking the upload. Every time I try to upload a file I get an error followed by an alert from immunet for the quarantine. I will white list this folder until this signature is fixed. That said, is there a way in windows 10 (as there is in linux) to configure clamav/immunet to ignore this signature?

Also, this signature has been getting files in the hidden folder "Config.msi" when I was doing some app uninstalls. These were the .rbf files that Windows 10 creates in case of rolling back the application uninstall/install in case of an error occurring during the install process. 

[mark33w]

Also, I did submit this false positive to ClamAV. Thx!

[ritchie58]

Hi Mark, there seems to be some sort of problem with ClamAV quarantining seemingly legitimate files from a number of users of late. This is something the devs definitely need to look into ASAP! Sorry for the inconvenience this is causing.

I would suggest you temporarily turn off the ClamAV module & updates for it for now until this issue gets resolved. With the holiday Memorial Day weekend it may not be until Tuesday before an Admin or Dev looks into this.

P.S. - Great idea to submit this info to the ClamAV team directly. Thanks for that! Also, you can use Immunet's Restore feature to unlock those files if you need them now.

[Jackouille-CH]

Hi, I face the same kind of issue while checking the following webpage : https:/lematin.ch and when trying to upload an update from a software.

And, mybe a side effect, Immunet service stops (didn't investigate further).

I am using Immunet 6.3.1 on Windows 7x64 Pro