Today I was using a few antivirus programs.
Sadly, while performing a scan on the second operating system I’ve found a security break.
Program Files/Avast Software/Avast/defs/22052800/gvma64.dat: Win.Exploit.CVE_2019_0803-6976664-0 FOUND
Program Files/Google/Chrome/Application/chrome.exe: Win.Dropper.Sykipot-9950506-0 FOUND
Both were found using ClamAV.
I’m guessing that the Avast database was infected on my side and that is why it wasn’t able to find it.
Now I am wondering where the rest of those bad files are kept… files that can infect Chrome one more time, and Avast too.
Are such viruses known to the Avast team?? I guess they are.
Hmm I’m thinking about sharing infected files just to share samples.
But if that’s needed please tell me how to do that.
In my case, I was running ClamAV from Linux,
and Avast was running from Windows on the system, and once after a reboot in the Windows booting phase.
So I think it’s not a problem, because they don’t exist in the same systems.
Scanning results from ClamAV.
The first are from the Windows main partition.
/run/media/user/0CD216BFD216ACC8/Program Files/Google/Chrome/Application/102.0.5005.63/elevation_service.exe: Win.Dropper.Sykipot-9950507-0 FOUND
/run/media/user/0CD216BFD216ACC8/Program Files/Google/Chrome/Application/102.0.5005.63/Installer/chrmstp.exe: Win.Dropper.Sykipot-9950505-0 FOUND
/run/media/user/0CD216BFD216ACC8/Program Files/Google/Chrome/Application/102.0.5005.63/Installer/setup.exe: Win.Dropper.Sykipot-9950505-0 FOUND
/run/media/user/0CD216BFD216ACC8/Program Files/Google/Chrome/Application/chrome.exe: Win.Dropper.Sykipot-9950506-0 FOUND
For test purposes I’ve created a 32-bit Wine prefix on Linux and installed the same browser, but I downloaded the installer again, separately.
Here are the results from the closed Wine environment.
/home/user/wine-prefixes/test-browser/drive_c/Program Files/Google/Chrome/Application/102.0.5005.63/elevation_service.exe: Win.Dropper.Sykipot-9950507-0 FOUND
/home/user/wine-prefixes/test-browser/drive_c/Program Files/Google/Chrome/Application/102.0.5005.63/Installer/chrmstp.exe: Win.Dropper.Sykipot-9950505-0 FOUND
/home/user/wine-prefixes/test-browser/drive_c/Program Files/Google/Chrome/Application/102.0.5005.63/Installer/setup.exe: Win.Dropper.Sykipot-9950505-0 FOUND
/home/user/wine-prefixes/test-browser/drive_c/Program Files/Google/Chrome/Application/chrome.exe: Win.Dropper.Sykipot-9950506-0 FOUND
/home/user/wine-prefixes/test-browser/drive_c/Program Files/Google/Update/Download/{8A69D345-D564-463C-AFF1-A69D9E530F96}/102.0.5005.63/102.0.5005.63_chrome_installer.exe: Win.Dropper.Sykipot-9950505-0 FOUND
/home/user/wine-prefixes/test-browser/drive_c/Program Files/Google/Update/Install/{7D6240B5-B336-45CA-91D9-8DA878DF6897}/102.0.5005.63_chrome_installer.exe: Win.Dropper.Sykipot-9950505-0 FOUND
That’s weird, anyway. The same results. I can agree that they can be false positives.
Even when running another AV in another environment, you’re still scanning a live system with another AV running, and that is likely to be checking the intrusions/activity into/on that environment. However, for detections within a .dat file containing Avast’s virus signatures, the means of detecting malware, it is highly likely to trigger false positives.
As for the Google Chrome executables, they should be digitally signed, and if that signature is good (as in my previous attached image), then the detection is highly likely to be an FP. So it doesn’t appear that the other AV even checks that.
Nothing wrong with being a bit paranoid, but when your actions increase that paranoia then you might have gone a step too far.
If there was a security breach in my Google account, presumably you have changed your security-related settings and passwords, etc.
A security breach can be a serious issue, but one could also be threatened by some hacker sending you a template taken from a place (repository) where a security breach has been made public. Then it can be best ignored. Not every threat should be genuine.
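The poster’s comparison of the two scan roots and the reply’s reasoning (a hit inside an AV’s own definitions file, the same signature on a freshly downloaded copy) can be turned into a small triage script. This is an added example, not code from the thread or from ClamAV; the scan roots are the two from the thread, the sample output is constructed from the detections quoted above, and the verdict labels are my own.

```python
import re
from collections import defaultdict

# clamscan reports one detection per line as "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# The two scan roots from the thread: mounted Windows partition and Wine prefix.
WINDOWS_ROOT = "/run/media/user/0CD216BFD216ACC8"
WINE_ROOT = "/home/user/wine-prefixes/test-browser/drive_c"

# Constructed sample output (subset of the thread's detections; the Avast
# definitions file is placed under the Windows root, which the post omits).
SAMPLE_OUTPUT = [
    WINDOWS_ROOT + "/Program Files/Avast Software/Avast/defs/22052800/gvma64.dat: Win.Exploit.CVE_2019_0803-6976664-0 FOUND",
    WINDOWS_ROOT + "/Program Files/Google/Chrome/Application/102.0.5005.63/elevation_service.exe: Win.Dropper.Sykipot-9950507-0 FOUND",
    WINDOWS_ROOT + "/Program Files/Google/Chrome/Application/chrome.exe: Win.Dropper.Sykipot-9950506-0 FOUND",
    WINE_ROOT + "/Program Files/Google/Chrome/Application/102.0.5005.63/elevation_service.exe: Win.Dropper.Sykipot-9950507-0 FOUND",
    WINE_ROOT + "/Program Files/Google/Chrome/Application/chrome.exe: Win.Dropper.Sykipot-9950506-0 FOUND",
    WINE_ROOT + "/Program Files/Google/Update/Install/{7D6240B5-B336-45CA-91D9-8DA878DF6897}/102.0.5005.63_chrome_installer.exe: Win.Dropper.Sykipot-9950505-0 FOUND",
    "----------- SCAN SUMMARY -----------",
    "Infected files: 6",
]

def parse_clamscan(lines):
    """Map each flagged path to its signature name; summary lines are skipped."""
    hits = {}
    for line in lines:
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits

def pair_by_relative_path(hits, roots):
    """Group detections by the path relative to its scan root: {rel: {root: sig}}."""
    paired = defaultdict(dict)
    for path, sig in hits.items():
        for root in roots:
            if path.startswith(root + "/"):
                paired[path[len(root) + 1:]][root] = sig
                break
    return dict(paired)

def triage(paired, roots):
    """Assign a verdict per relative path: AV definitions data, consistent across
    a fresh install (likely FP, confirm with the vendor signature), or a lone hit."""
    verdicts = {}
    for rel, sigs in paired.items():
        if "/defs/" in rel:
            verdicts[rel] = "definitions-file"
        elif len(sigs) == len(roots) and len(set(sigs.values())) == 1:
            verdicts[rel] = "consistent-fp-likely"
        else:
            verdicts[rel] = "single-root"
    return verdicts
```

A "consistent-fp-likely" verdict still deserves the check the reply describes: confirm the vendor’s digital signature on the file before dismissing the hit.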