Hi
I run clamscan every week but it has suddenly started to show:
Infected files: 103 with Win.Exploit.CVE_2019_0903-6966169-0
What can I do about this?
I would be grateful for any response on this.
percy
Last edited by percy_vere_uk (2019-05-26 11:12:57)
Offline
What is this system used for? Is it a mail server?
Where are those 103 files in your file system? What type of files are they?
In general, I regard clam as a tool to protect our Windows brethren from exploits in files we serve them from our systems.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
The shortest way to ruin a country is to give power to demagogues.— Dionysius of Halicarnassus
---
How to Ask Questions the Smart Way
Offline
Not a mail server. Just used as a desktop system.
They are mainly .pdf files,
some in .cache/firefox/ wine/usr/share/wine/fonts .mozilla/firefox/
I have recently installed Wine.
Offline
> Not a mail server. Just used as a desktop system.
> They are mainly .pdf files,
> some in .cache/firefox/ wine/usr/share/wine/fonts .mozilla/firefox/
> I have recently installed Wine.

It can probably be exploited through Wine, even though the name implies it's a Windows virus.
I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.
Offline
> I have recently installed wine.

Was that coincident with these files being flagged as threats?
In general, I would not worry about these files. But I don't have wine on my system. It is not inconceivable that Windows malware could find a toehold through Wine.
Anything in a cache directory can just be deleted.
PDFs can be a threat, but I have had no issues with readers such as evince or okular.
I did a brief search for this exploit and found nothing. It could all just be false positives.
Offline
As it seems that most Linux users do not use antivirus software and many use Wine, they could have the same problem and not know about it.
What is best to do about it?
Offline
> As it seems that most Linux users do not use antivirus software and many use Wine, they could have the same problem and not know about it.
> What is best to do about it?

The same exploits may or may not actually have any effect in Linux...some viruses embedded into files get junked and no viruses get activated.
Offline
We have the same problem today.
Mail server. A lot of email is blocked by the same signature, Win.Exploit.CVE_2019_0903-6966169-0,
in most cases .pdf files.
The problem occurred after the last ClamAV update.
Offline
Thank you both
ewaller and nomorewindo..
I feel a little better about this now. The only problem is that each time I run clamscan I will see this Win.Exploit message.
I will try and find a way over this. I might have to rebuild without Wine; trouble is, I find Wine very useful.
I will leave this post open for a while in case any more information is available.
Thank you again.
percy
Offline
Starting from today I am having the same problem on my mail server. ClamAV flags a PDF file as a virus (Win.Exploit.CVE_2019_0903-6966169-0). I am pretty sure it is a false positive as it is a PDF file generated from a simple word text file using a PDF printer. When I check that same file on VirusTotal, no other scanner finds a virus.
I reported that file as a false positive to ClamAV today and I am waiting for a response from them.
Since I don't use Wine, I don't think it has anything to do with Wine.
Offline
Anyone here working for ProtonMail? Because I am transitioning from Gmail to ProtonMail and yesterday evening one message with a PDF attached was rejected by ProtonMail with the reason above. Nice to know they are probably using ClamAV.
Offline
Here's a workaround until ClamAV updates their virus signatures:
Create an entry in the ClamAV whitelist. Just did that for my mailserver, works like a charm.
https://www.clamav.net/documents/how-do … -signature
Offline
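The whitelist workaround from the post above, as an added example that is not part of the thread or of ClamAV's own tooling: a signature name listed in a `.ign2` file in the database directory is skipped on the next database load. The function names, the file name `local.ign2` and the default path `/var/lib/clamav` are assumptions; check `DatabaseDirectory` in your ClamAV configuration.

```shell
#!/bin/sh
# Added example (not from the thread): manage a local ClamAV ignore list.
# Assumption: /var/lib/clamav is the database directory on this host.
IGN_FILE_NAME="local.ign2"   # hypothetical name; any *.ign2 file is read

valid_sig_name() {
    # Accept only characters that appear in ClamAV signature names.
    case "$1" in
        ""|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# ignore_signature DBDIR SIGNAME: add SIGNAME exactly once (idempotent).
ignore_signature() {
    dbdir=$1; sig=$2; file="$dbdir/$IGN_FILE_NAME"
    valid_sig_name "$sig" || { echo "invalid signature name" >&2; return 2; }
    [ -d "$dbdir" ] || { echo "no database directory: $dbdir" >&2; return 3; }
    # -x whole line, -F fixed string: the dots in the name stay literal
    if [ -f "$file" ] && grep -qxF -e "$sig" "$file"; then
        return 0
    fi
    printf '%s\n' "$sig" >> "$file"
}

# unignore_signature DBDIR SIGNAME: drop the entry once fixed signatures ship,
# so the exclusion does not outlive the false positive.
unignore_signature() {
    dbdir=$1; sig=$2; file="$dbdir/$IGN_FILE_NAME"
    [ -f "$file" ] || return 0
    tmp=$(mktemp) || return 1
    # grep exits 1 when nothing is left to print; only >1 is a real error
    grep -vxF -e "$sig" "$file" > "$tmp" || [ "$?" -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"   # rewrite in place to keep owner and mode
    rm -f "$tmp"
}

# Command-line use: script add|remove SIGNAME [DBDIR]
case "${1:-}" in
    add)    ignore_signature   "${3:-/var/lib/clamav}" "$2" ;;
    remove) unignore_signature "${3:-/var/lib/clamav}" "$2" ;;
esac
```

clamscan reads the database on every run, so the entry takes effect immediately there; a running clamd only sees it after its next database reload.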
Here is a discussion on the ClamAV mailing list:
https://marc.info/?t=155878997100001&r=1&w=2
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Offline
> Here's a workaround until ClamAV updates their virus signatures:
> Create an entry in the ClamAV whitelist. Just did that for my mailserver, works like a charm.
> https://www.clamav.net/documents/how-do … -signature

Thanks for all the input on this, folks. Now I know it is harmless, I will wait until ClamAV updates their virus signatures.
percy
Offline