mark33w

Clam.Win.Exploit.CVE_2019_0903-6966169-0 False Positive on Chrome Cache files and .rbf/Config.Msi files


Immunet ClamAV is quarantining my Google Chrome cache files (C:\Users\User_Name\AppData\Local\Google\Chrome\User Data\Default\Cache\). The files in here all start with f_ followed by numbers. They appear to be cache files used for uploading files in the browser and maybe other things. This is basically making Chrome unable to upload files to some web apps such as Facebook, as the quarantine of these cache files is blocking the upload. Every time I try to upload a file I get an error followed by an alert from Immunet for the quarantine. I will whitelist this folder until this signature is fixed. That said, is there a way in Windows 10 (as there is in Linux) to configure ClamAV/Immunet to ignore this signature?

Also, this signature has been getting files in the hidden folder "Config.msi" when I was doing some app uninstalls. These were the .rbf files that Windows 10 creates in case of rolling back the application uninstall/install in case of an error occurring during the install process. 


Hi Mark, there seems to be some sort of problem with ClamAV quarantining seemingly legitimate files from a number of users of late. This is something the devs definitely need to look into ASAP! Sorry for the inconvenience this is causing.

I would suggest you temporarily turn off the ClamAV module & updates for it for now until this issue gets resolved. With the holiday Memorial Day weekend it may not be until Tuesday before an Admin or Dev looks into this.

P.S. - Great idea to submit this info to the ClamAV team directly. Thanks for that! Also, you can use Immunet's Restore feature to unlock those files if you need them now.


Hi, I face the same kind of issue while checking the following webpage: https://lematin.ch and when trying to upload an update from a software.

And, maybe a side effect, Immunet service stops (didn't investigate further).

I am using Immunet 6.3.1 on Windows 7 x64 Pro.
