Hello,

A clamscan running from Linux on a Windows disk (mounted on /mnt)
produced the following results:

/mnt/Windows/System32/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/SysWOW64/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND


There were other occurrences of the same signature in
/mnt/Windows/WinSxS/Backup/ and /mnt/Windows/WinSxS/Temp/, but after
rebooting to Windows and running Windows Defender, then going back to
Linux and rerunning the clamscan, these seem to come and go, on
different occurrences of user32.dll, in these backup/temporary folders.
The occurrences in the first two folders I mentioned above do, however,
persist.


I also got these two other persistent detections:

/mnt/Windows/WinSxS/FileMaps/$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
/mnt/Windows/WinSxS/FileMaps/$$_syswow64_windowspowershell_v1.0_19ae85881f1c4f2d.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND


Given what I read on the list about Win.Exploit.CVE_2017 being (mostly?)
an Excel file infection and deemed a couple of times to be a false
positive, as well as those two trojan detections in files whose names
seem related to the above Win.Exploit.CVE_2017 detections (system32 and
syswow64), I'm not sure what to make of any of these detections.

Your help would be appreciated.

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
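The post compares clamscan output across several runs to separate detections that persist from ones that come and go in the WinSxS servicing folders. The following added script (not part of the original mail or of ClamAV) does that comparison mechanically: it parses the "<path>: <signature> FOUND" lines of each run, and classifies each path as persistent, transient, or transient-but-in-a-servicing-folder. The two sample runs are constructed; the persistent lines are the ones from the post, the WinSxS file names are invented stand-ins, and the list of servicing folders is an assumption drawn from the post, not a ClamAV rule.

```python
import re
# A clamscan detection line has the form "<path>: <signature> FOUND".
DETECTION_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Servicing folders where Windows stages and rotates file copies; a detection
# there is expected to come and go (assumption from the post, not a ClamAV rule).
VOLATILE_PREFIXES = ("/mnt/Windows/WinSxS/Backup/", "/mnt/Windows/WinSxS/Temp/")

# Constructed sample outputs: the persistent lines are the ones from the post,
# the WinSxS file names are invented stand-ins for the rotating copies.
SAMPLE_RUN_1 = """\
/mnt/Windows/System32/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/SysWOW64/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/WinSxS/Backup/example_user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/WinSxS/FileMaps/$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
Infected files: 4
"""
SAMPLE_RUN_2 = """\
/mnt/Windows/System32/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/SysWOW64/user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/WinSxS/Temp/example2_user32.dll: Win.Exploit.CVE_2017_8689-6336853-0 FOUND
/mnt/Windows/WinSxS/FileMaps/$$_system32_windowspowershell_v1.0_3f102d555ee05d33.cdf-ms: Win.Trojan.Emotet-6340301-0 FOUND
"""

def parse_scan(text):
    """Return {path: signature} for every FOUND line in one clamscan output."""
    hits = {}
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits

def compare_runs(runs):
    """Classify each detected path: persistent (in every run), volatile-location
    (missing from some run, inside a servicing folder) or transient (elsewhere)."""
    parsed = [parse_scan(r) for r in runs]
    report = {}
    for path in sorted(set().union(*parsed)):
        sigs = [h[path] for h in parsed if path in h]
        if len(sigs) == len(parsed):
            status = "persistent"
        elif path.startswith(VOLATILE_PREFIXES):
            status = "volatile-location"
        else:
            status = "transient"
        report[path] = {"signatures": sorted(set(sigs)), "seen_in": len(sigs), "status": status}
    return report
```

Feed it the saved output of each scan (for example with `clamscan -r /mnt | tee run1.txt`); a path that stays "persistent" across a Defender pass and a fresh signature update is the one worth submitting as a possible false positive.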
