You are not logged in.

#1 2019-05-25 14:16:15

percy_vere_uk
Member
Registered: 2016-01-08
Posts: 25

[SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

Hi

I run clamscan every week but it has suddenly started to show:

Infected files: 103 with   Win.Exploit.CVE_2019_0903-6966169-0

What can I do about this.

I would  be grateful  for any response on this.
 
percy

Last edited by percy_vere_uk (2019-05-26 11:12:57)

Offline

#2 2019-05-25 14:44:26

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 16,812

Re: [SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

What is this system used for? Is it a mail server?
Where are those 103 files in your files system?  What type of files are they?

In general, I regard clam as a tool to protect our Windows brethren from exploits in files we serve them from our systems.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#3 2019-05-25 15:02:19

percy_vere_uk
Member
Registered: 2016-01-08
Posts: 25

Re: [SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

Not a mail server  Just used as a desktop system.

They are mainly .pdf files   

some   .cache/firefox/         wine/usr/share/wine/fonts      .mozilla/firefox/

I have recently installed wine.

Offline

#4 2019-05-25 15:08:38

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,251

Re: [SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

percy_vere_uk wrote:

Not a mail server  Just used as a desktop system.

They are mainly .pdf files   

some   .cache/firefox/         wine/usr/share/wine/fonts      .mozilla/firefox/

I have recently installed wine.

It can probably be exploited through wine. Even though the name implies it's a windows virus.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#5 2019-05-25 15:13:18

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 16,812

Re: [SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

percy_vere_uk wrote:

I have recently installed wine.

Was that coincident with these files being flagged as threats?

In general, I would not worry about these files.  But I don't have wine on my system.  It is not inconceivable that Windows malware could find a toehold through Wine.
Anything in a cache directory can just be deleted.
pdfs can be a threat, but I have had no issues with readers such  as evince or okular.

I did a brief search for this exploit and found nothing.  It could all just be false positives.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

#6 2019-05-25 15:16:22

percy_vere_uk
Member
Registered: 2016-01-08
Posts: 25

Re: [SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

As it seems that most linux user do not use anti virus software and many use wine then they could have the same problem and not know about it.

What is best to do about it ?

Offline

#7 2019-05-25 15:20:15

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,251

Re: [SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

percy_vere_uk wrote:

As it seems that most linux user do not use anti virus software and many use wine then they could have the same problem and not know about it.

What is best to do about it ?

The same exploits may or may not actually have any effect in Linux...some viruses embedded into files get junked and no viruses get activated.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#8 2019-05-25 15:35:18

vladipfw
Member
Registered: 2019-05-25
Posts: 1

Re: [SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

We have the same problem today.
Mail server. A lot of email is blocked by the same signature Win.Exploit.CVE_2019_0903-6966169-0
in most cases .pdf files
The problem occurred after the last clamav update

Offline

#9 2019-05-25 15:37:12

percy_vere_uk
Member
Registered: 2016-01-08
Posts: 25

Re: [SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

Thank you both

ewaller  and  nomorewindo..

I feel a little better about this now the only problem is that each time I run clamscan  I will see this Win.Exploit  message.

I will try and find a way over this. I might have to re build without wine trouble is I find wine very useful.

I will leave this post open for a while in case any more information is available.

Thank you again.

percy

Offline

#10 2019-05-25 23:09:49

lfurrer
Member
Registered: 2019-05-25
Posts: 2

Re: [SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

Starting from today I am having the same problem on my mail server. ClamAV flags a pdf file as a virus (Win.Exploit.CVE_2019_0903-6966169-0). I am pretty sure it is a false positive as it is a pdf file generated from a simple word text file using a pdf printer. When I check that same file on virustotal no other scanner finds a virus.
I reported that file as a false positive to ClamAV today and I am waiting for a response from them.
Since I don't use wine I don't think it has anything to do with wine.

Offline

#11 2019-05-26 00:52:36

m-svo
Member
Registered: 2018-09-22
Posts: 8

Re: [SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

Anyone here working for ProtonMail? smile Because I am transitioning from Gmail to ProtonMail and yesterday evening one message with PDF attached was rejected by ProtonMail with reason above. Nice to know they are probably using ClamAV smile

Offline

#12 2019-05-26 01:00:52

lfurrer
Member
Registered: 2019-05-25
Posts: 2

Re: [SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

Here's a workaround until ClamAV updates their virus signatures:
Create an entry in the ClamAV whitelist. Just did that for my mailserver, works like a charm.
https://www.clamav.net/documents/how-do … -signature

Offline

#13 2019-05-26 09:38:14

progandy
Member
Registered: 2012-05-17
Posts: 3,580

Re: [SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

Here is a discussion on the clamav mailing list
https://marc.info/?t=155878997100001&r=1&w=2


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#14 2019-05-26 11:10:10

percy_vere_uk
Member
Registered: 2016-01-08
Posts: 25

Re: [SOLVED] Win.Exploit.CVE_2019_0903-6966169-0 FOUND

lfurrer wrote:

Here's a workaround until ClamAV updates their virus signatures:
Create an entry in the ClamAV whitelist. Just did that for my mailserver, works like a charm.
https://www.clamav.net/documents/how-do … -signature

Thanks for all the input on this folks now I know it is harmless I will wail until  ClamAV updates their virus signatures:

percy

Offline

Board footer

Powered by FluxBB