[Software]Clam AV Firefox ESR related detections

New to Debian (Or Linux in general)? Ask your questions here!
fflintstone
Posts: 6
Joined: 2024-05-22 11:18

[Software]Clam AV Firefox ESR related detections

#1 Post by fflintstone »

I tried running ClamAV just to check it out. It gave me 11 results. Is this anything to worry about? It's all firefox-esr related. It's on my home desktop PC.

Code:

/home/manny/.cache/mozilla/firefox/62jba7kk.default-esr/cache2/entries/0F7187EFB028E4879F965D422FED4A05D08993B3      PUA.Win.Trojan.Xored-1
/home/manny/.cache/mozilla/firefox/62jba7kk.default-esr/cache2/entries/DF1D86818E894DE5FE51830F44B277903C1C74A9      PUA.Win.Trojan.Xored-1
/home/manny/.cache/mozilla/firefox/62jba7kk.default-esr/cache2/entries/0E7302230EC45B4958B65FF2379D97AA3BA4AE1C      PUA.Win.Trojan.Xored-1
/home/manny/.cache/mozilla/firefox/62jba7kk.default-esr/cache2/entries/FF7D8EE0A69EB8201A015D3B4C760E27C8EC226E      PUA.Win.Exploit.CVE_2012_1461-1
/home/manny/.cache/mozilla/firefox/62jba7kk.default-esr/cache2/entries/1F2B897070B7F33A281C7302B5B9F35AD20F28EF      PUA.Win.Trojan.Xored-1
/home/manny/.cache/mozilla/firefox/62jba7kk.default-esr/cache2/entries/9D8DF9CB0639E12C4E1D35A455BBD32CA5E75A03      PUA.Win.Exploit.CVE_2012_1461-1
/home/manny/.cache/mozilla/firefox/62jba7kk.default-esr/cache2/entries/AFFF39FCF70A1061E7198D22918D0465FE39C651      PUA.Win.Exploit.CVE_2012_1461-1
/home/manny/.cache/mozilla/firefox/62jba7kk.default-esr/cache2/entries/25FA209283EBE9F2286E0AAF073F09B31BAFAFBA      PUA.Win.Exploit.CVE_2012_1461-1
/home/manny/.cache/mozilla/firefox/62jba7kk.default-esr/cache2/entries/AB00060130703A780031A9730845901357630509      PUA.Win.Exploit.CVE_2012_1461-1
/home/manny/.cache/mozilla/firefox/62jba7kk.default-esr/cache2/entries/3BB7083015D76690780BB41497F74F82605EFB74      PUA.Win.Exploit.CVE_2012_1461-1
/home/manny/.cache/mozilla/firefox/62jba7kk.default-esr/cache2/entries/B4197AD795425513FFC2D1AEBB1EB98F9AF6F5D9      PUA.Win.Trojan.Xored-1
Last edited by fflintstone on 2025-01-12 16:30, edited 2 times in total.

arzgi
Posts: 1713
Joined: 2008-02-21 17:03
Location: Finland
Has thanked: 1 time
Been thanked: 98 times

Re: [Software]

#2 Post by arzgi »

Good to use code tags for listings.

All the lines end in Win.Exploit/Trojan+n.

So if it is not a server for Windows(R) machines, then no worry.

EDIT: Nice correction!

DebianFox
Posts: 199
Joined: 2024-05-05 14:11
Has thanked: 25 times
Been thanked: 15 times

Re: [Software]

#3 Post by DebianFox »

ClamAV may be giving you false positives for PUA.Win.Trojan.Xored. There are multiple instances that have been reported for this, example 1, example 2, example 3 and others. As explained in this thread:
PUA means "potentially unwanted application". PUAs are not viruses; those are claims by ClamAV that there is an application they consider "unwanted" because that file or extension has been proven to be abused in Windows.
Further documentation regarding this from the horse's mouth can be found over here. This documentation also states:
PUA signatures are not as carefully curated as malware signatures because they are not as commonly used. You should expect more false positives when using PUA signatures.
Go through this.

The second malware that has been detected is CVE_2012_1461-1. Now that is something you should look at. Not to panic or get concerned about, just look at. This was identified in the year 2012 and is related to the gzip parser used in various anti-virus/malware software. Using this vulnerability, attackers might be able to infect machines using .tar.gz files.
allows remote attackers to bypass malware detection via a .tar.gz file with multiple compressed streams.
Now since this was reported more than a decade ago, it is highly likely that this was already fixed. But yes, malware bundles do tend to use exploits that have been reported in the past.

For your case the issue happens to be reported inside the Firefox cache. So you must have visited sites which may or may not be infected. Purge the browser cache, stop any auto sync that you may or may not have set up and then run the scan again. After that run a periodic scan, say every 30-60 minutes of using Firefox, to identify if the same scan results show up. You will then be able to narrow down the website which is having the issue. Then you will be able to make a call.
If you have to visit websites which may be compromised, then please do consider using a restricted account and firejail/AppArmor with isolated Firefox. Set up Firefox to clean up the browser cache at application close.

Don't worry and don't panic. It may all be a false positive. Emphasis on the word may. Use sensible precautions like: don't use the root account, nor a Linux user account which has sudo or su capabilities; harden the Linux system and keep the system plus software up to date.

Disclaimer: Many of the links that you will go through will say to discontinue using ClamAV, or to disable PUA scanning. That is not the correct approach IMHO. Many of us run dual boot systems. Or operate in a network which has multiple OSes. Or use our systems as servers. So even if ClamAV is pointing towards a PUA which infects Microsoft Windows you should not ignore it. It may or may not infect your system, but it has the potential to infect non-Debian systems. So just like COVID-19 infections, some people are carriers and show no impact/symptoms of infection; that does not mean they are not infected. It is just that they can deal with the infection but can cause infection in others. Therefore the request for all to mask up. Or in this case, continue to use ClamAV.
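The advice above ends with "narrow down the website which is having the issue". A flagged cache2 entry is named by a hash, so on its own it says nothing about where the file came from. The helper below is an added example (editor's code, not from anyone in this thread or from the ClamAV project): it reads clamscan-style output, groups the hits by signature, and pulls URL strings out of each flagged entry file. It assumes the scan output is in either the "path: SIG FOUND" form clamscan prints or the bare "path  SIG" form pasted in the first post, and that Firefox cache2 entries carry their cache key (which contains the request URL) as plain text in the metadata appended after the cached body. The sample entries and scan lines inside `demo()` are constructed for the example.

```python
"""Triage helper: group ClamAV hits by signature and extract request URLs
from flagged Firefox cache2 entries, so a detection can be traced back to
the site that served the file.

Editor's example for this thread, not ClamAV or Mozilla code. Assumes:
  * scan output lines look like "path: SIG FOUND" or "path  SIG";
  * cache2 entry files contain their cache key (with the URL) as plain text
    in the trailing metadata.
"""
import re
import sys
import tempfile
from collections import defaultdict
from pathlib import Path

# Loose URL matcher applied to raw entry bytes; stops at whitespace, quotes,
# angle brackets and NUL so it does not run into the next metadata field.
URL_RE = re.compile(rb"https?://[^\s\"'<>\x00]+")


def parse_clamscan(text):
    """Return {signature: [path, ...]} from clamscan-style output.

    Only lines beginning with an absolute path are considered, so the
    '----------- SCAN SUMMARY -----------' block is ignored.
    """
    hits = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("/"):
            continue
        if line.endswith(" FOUND"):
            line = line[: -len(" FOUND")].rstrip()
        path, sig = line.rsplit(None, 1)
        hits[sig].append(path.rstrip(":"))
    return dict(hits)


def origin_urls(entry_path, limit=5):
    """Distinct URL strings found in a cache2 entry file, in file order.

    The cache key is in the trailing metadata, but cached HTML/JS bodies
    often embed URLs too, so the first hit is not always the origin; a
    short list is returned for a human to judge.
    """
    data = Path(entry_path).read_bytes()
    seen = []
    for m in URL_RE.finditer(data):
        url = m.group(0).decode("ascii", "replace")
        if url not in seen:
            seen.append(url)
        if len(seen) >= limit:
            break
    return seen


def report(scan_text):
    """Map each signature to a list of (entry_path, [urls...]) rows."""
    out = {}
    for sig, paths in parse_clamscan(scan_text).items():
        rows = []
        for p in paths:
            urls = origin_urls(p) if Path(p).is_file() else []
            rows.append((p, urls))
        out[sig] = rows
    return out


def demo():
    """Constructed sample: two fake cache2 entries plus matching scan lines."""
    root = Path(tempfile.mkdtemp(prefix="cache2-demo-"))
    entries = root / "entries"
    entries.mkdir()
    # Cached body first, then a metadata tail carrying the key, like a real
    # entry. Hash names are taken from the listing in the first post.
    a = entries / "0F7187EFB028E4879F965D422FED4A05D08993B3"
    a.write_bytes(b"\x00" * 16 + b"a,:https://cdn.example.invalid/lib.js\x00")
    b = entries / "FF7D8EE0A69EB8201A015D3B4C760E27C8EC226E"
    b.write_bytes(b"\x1f\x8b" + b"\x00" * 8
                  + b"a,:https://example.invalid/dl/archive.tar.gz\x00")
    scan = (
        f"{a}      PUA.Win.Trojan.Xored-1\n"
        f"{b}: PUA.Win.Exploit.CVE_2012_1461-1 FOUND\n"
        "----------- SCAN SUMMARY -----------\n"
        "Infected files: 2\n"
    )
    return report(scan)


if __name__ == "__main__":
    # Usage: clamscan -r -i ~/.cache/mozilla/firefox | python3 triage.py
    result = report(sys.stdin.read()) if not sys.stdin.isatty() else demo()
    for sig, rows in result.items():
        print(sig)
        for path, urls in rows:
            print("  ", Path(path).name, urls or "(no URL found)")
```

Run it on the real scan output with `clamscan -r -i ~/.cache/mozilla/firefox | python3 triage.py`; with no input on stdin it runs the constructed demo. Treat the extracted URLs as leads to check by hand rather than as proof: a third-party script cached from an ad network will show that network's hostname, not the page you were reading.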

FreewheelinFrank
Global Moderator
Posts: 2486
Joined: 2010-06-07 16:59
Has thanked: 48 times
Been thanked: 277 times

Re: [Software]Clam AV Firefox ESR related detections

#4 Post by FreewheelinFrank »

@fflintstone I have taken the liberty of adding a title to your topic. Feel free to change it if you don't think it is appropriate, but all topics should have a descriptive title please.

You can submit detections to

https://www.virustotal.com/gui/

If it's only Clam AV detecting these files, ask them to check if it's a false positive.

https://docs.clamav.net/faq/faq-malware-fp-reports.html

Uptorn
Posts: 440
Joined: 2022-01-22 01:07
Has thanked: 338 times
Been thanked: 118 times

Re: [Software]Clam AV Firefox ESR related detections

#5 Post by Uptorn »

This is consistent with my own experience. Clam av only ever finds stuff from the web browser and it is usually for exploits that had been patched years ago.

I don't think you need to worry. But if you dig around and find which site has been serving up these files, please update this thread. It would be fun to know!

DebianFox
Posts: 199
Joined: 2024-05-05 14:11
Has thanked: 25 times
Been thanked: 15 times

Re: [Software]Clam AV Firefox ESR related detections

#6 Post by DebianFox »

This forum needs a separate sub-forum for Security and privacy related issues.

CwF
Global Moderator
Posts: 3204
Joined: 2018-06-20 15:16
Location: Colorado
Has thanked: 67 times
Been thanked: 282 times

Re: [Software]Clam AV Firefox ESR related detections

#7 Post by CwF »

DebianFox wrote: 2025-01-17 04:54 This forum needs a separate sub-forum for Security and privacy related issues.
viewtopic.php?p=801220#p801220
Mottainai
