Macbeth Posted July 26, 2019 Report Share Posted July 26, 2019 I've been running Immunet for a year or 3, and have never had a quarantine fail for a real issue...till possibly now. It's coming up in regards to AdobeARM.exe which is associated with Adobe Reader. The detection name is Clam.Win.Malware.Krucky-7009041-0 & I'm seeing very little regarding this online...and nothing on Immunet in regards to this. (The few times I've had a message pop up for a quarantine failure, I've seen lots of online evidence saying that this is a false positive so the lack of this info re: this particular issue is concerning to me.) Nothing's popped up when I scanned using another tool. Does anyone know if this is a false positive? Or have a recommendation for another tool to verify that there's a real issue? Appreciate your help. Link to comment Share on other sites More sharing options...
ritchie58 Posted July 26, 2019 Report Share Posted July 26, 2019 Hello Macbeth & welcome to the forum, upon doing some research myself with VirusTotal I'm also inclined to believe that is a False Positive from the ClamAV module. The reason for a failed quarantine response is usually due to the fact that the file in question was actually a temp file that no longer exists. We do have a dedicated site to report False Positives here. http://www.immunet.com/false_positive If you wish you could also report this directly to the ClamAV development team here. http://www.clamav.net/contact Aside from the FP is Adobe Reader functioning ok for you at this time? Regards, Ritchie... P.S. - I'm not saying this is what's currently going on here but Adobe has had issues in the past with it's software products containing zero-day vulnerabilities that hackers could exploit to their advantage, especially with their Adobe Flash software. Just thought I'd mention that historical fact. Link to comment Share on other sites More sharing options...
Macbeth Posted July 26, 2019 Author Report Share Posted July 26, 2019 17 hours ago, ritchie58 said: Hello Macbeth & welcome to the forum, upon doing some research myself with VirusTotal I'm also inclined to believe that is a False Positive from the ClamAV module. The reason for a failed quarantine response is usually due to the fact that the file in question was actually a temp file that no longer exists. We do have a dedicated site to report False Positives here. http://www.immunet.com/false_positive If you wish you could also report this directly to the ClamAV development team here. http://www.clamav.net/contact Aside from the FP is Adobe Reader functioning ok for you at this time? Regards, Ritchie... P.S. - I'm not saying this is what's currently going on here but Adobe has had issues in the past with it's software products containing zero-day vulnerabilities that hackers could exploit to their advantage, especially with their Adobe Flash software. Just thought I'd mention that historical fact. Thanks so much for the quick response. I rarely use Adobe Reader so can't say whether the program is functioning well. But the program isn't a temp one & it is an executable. It hasn't been modified since December. (The path is C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe.) Link to comment Share on other sites More sharing options...
ritchie58 Posted July 26, 2019 Report Share Posted July 26, 2019 Mmm. That is rather strange if it wasn't a temp file! Some exe's can & do create their own temp files but I'm not entirely sure now if that's the case here though. Have you reported this FP to the URL links I provided? If not it would be greatly appreciated if you can do that. If you want to use the program now and do encounter any problems with Adobe Reader I would suggest you create a custom Exclusion rule with Immunet for C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe. Cheers, Ritchie... Link to comment Share on other sites More sharing options...
Macbeth Posted July 27, 2019 Author Report Share Posted July 27, 2019 3 hours ago, ritchie58 said: Mmm. That is rather strange if it wasn't a temp file! Some exe's can & do create their own temp files but I'm not entirely sure now if that's the case here though. Have you reported this FP to the URL links I provided? If not it would be greatly appreciated if you can do that. If you want to use the program now and do encounter any problems with Adobe Reader I would suggest you create a custom Exclusion rule with Immunet for C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe. Cheers, Ritchie... I've sent it to Clam so guess we'll see what they say. Thanks for your help! 2 Link to comment Share on other sites More sharing options...
ritchie58 Posted July 27, 2019 Report Share Posted July 27, 2019 Cool, thanks for taking the time to report this to the ClamAV team! Much appreciated Macbeth! 1 Link to comment Share on other sites More sharing options...
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now