
AVAST reporting an infection in a document but not Malwarebytes



I've received an MS Word document with multiple embedded PNG images. That same document was sent to a customer who's running Avast Free for his malware protection.

The customer running Avast Free reports that 4 of the embedded images are infected with the Adobe CVE-2017-16384 virus.

When I scan the same document with Malwarebytes Corporate it reports nothing.

The customer states that images N3a, N3b, N4 and N5 are infected. File attached.

I'm hoping someone can confirm whether or not these images are in fact infected and, if they are, why Malwarebytes isn't picking it up.

Paul


Annex N_r10.docx


3 minutes ago, PaulLabelle said:

why isn't Malwarebytes picking it up.

Malwarebytes does not target script files. That means MB will not target: JS, HTML, VBS, .CLASS, SWF, BAT, CMD, PDF, PHP, etc.

It also does not target documents such as: PDF, DOC, DOCx, XLS, XLSx, PPT, PPS, ODF, etc.

It also does not target media files: MP3, WMV, JPG, GIF, etc.


MB is designed to stop it when executed, with the exploit or web protection, or to detect the payload when it is downloaded by the script.

Edited by Porthos

"... infected with the Adobe CVE-2017-16384 virus ..."

You are misinterpreting the information and making a faux conclusion.

The text "CVE-2017-16384" means there is a recorded "Known Vulnerability" involved in the detection, listed in the Common Vulnerabilities and Exposures (CVE) database maintained by MITRE. It was vulnerability number 16,384 found in the year 2017, and that is how you get the nomenclature "CVE-2017-16384".

It is a wide misperception that all that is bad are viruses. Viruses are but a small part of the malware arena. Malware is the overarching concept of malicious software, and that is broken down into three major sub-types: Viruses, Trojans and Exploits.

The following is the Virus Total Report URL on the DOCx file

https://www.virustotal.com/en/file/b171170cab83ef9cdb6ee5af2941ae78dd11b749969eabca480de2fcc25a5444/analysis/1516827180/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16384

"An issue was discovered in Adobe Acrobat and Reader: 2017.012.20098 and earlier versions, 2017.011.30066 and earlier versions, 2015.006.30355 and earlier versions, and 11.0.22 and earlier versions. The vulnerability is caused by a buffer over-read in the exif processing module for a PNG file (during XPS conversion). Invalid input leads to a computation where pointer arithmetic results in a location outside valid memory locations belonging to the buffer. An attack can be used to obtain sensitive information, such as object heap addresses, etc. "

The Avast detection name is specifically: PNG:CVE-2017-16384 [Expl]

From that we see it is identifying exploit code in embedded PNG graphics. The above CVE writeup indicates "An issue was discovered in Adobe Acrobat and Reader:". This is an MS Word document, so if this were true, the vulnerability noted in Adobe Reader and Acrobat would not be present. Looking at this DOC file, it is a writeup on a complex concept in Physics and discusses the concept at a high level, which makes me believe this is a False Positive by AVG and Avast. Just to make sure, I ran this through MS Word 2010 and saw no malicious activity.

Edited by David H. Lipman
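A defender's way to check the structural side of the question in the post above (is a detection on PNGs inside a .docx even plausible?), added here as an example and not code from the thread, from Avast or from Malwarebytes: a .docx is a ZIP container, so the script lists every PNG under word/media/, walks its chunk table, and flags eXIf chunks (the EXIF path the CVE text names) and chunks whose declared length runs past the end of the file or whose CRC is wrong. The sample document it builds is constructed in memory, not the attached Annex N_r10.docx; chunk names and paths are standard PNG and OOXML conventions.

```python
import io, struct, zipfile, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, body: bytes, declared_len: int = -1) -> bytes:
    """Build a PNG chunk; a non-negative declared_len overrides the true length (used only to construct a malformed sample)."""
    length = len(body) if declared_len < 0 else declared_len
    return struct.pack(">I", length) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def parse_png_chunks(data: bytes) -> list:
    """Record each chunk's type, declared length, CRC validity, and whether the declared
    length runs past the end of the file (what a lenient parser would follow into an over-read)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    chunks, pos = [], len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        truncated = pos + 12 + length > len(data)   # length field overruns the file
        body = data[pos + 8:pos + 8 + length]
        crc_ok = (not truncated and
                  struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0] == zlib.crc32(ctype + body))
        chunks.append({"type": ctype.decode("latin-1"), "length": length, "truncated": truncated, "crc_ok": crc_ok})
        if truncated:
            break                                    # nothing trustworthy follows a bad length
        pos += 12 + length
    return chunks

def suspicious_chunks(chunks: list) -> list:
    """Flag eXIf chunks (the EXIF path the CVE text names) and any structurally malformed chunk."""
    return [c for c in chunks if c["type"] == "eXIf" or c["truncated"] or not c["crc_ok"]]

def triage_docx(docx_bytes: bytes) -> dict:
    """A .docx is a ZIP container; return {member: suspicious chunks} for every PNG under word/media/."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            blob = zf.read(name) if name.startswith("word/media/") else b""
            if blob.startswith(PNG_SIG):
                report[name] = suspicious_chunks(parse_png_chunks(blob))
    return report

def build_sample_docx() -> bytes:
    """Constructed sample: image1.png is well formed; image2.png carries an eXIf chunk whose length field claims far more bytes than the file holds."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat, iend = make_chunk(b"IDAT", zlib.compress(b"\x00\x00")), make_chunk(b"IEND", b"")
    bad_exif = make_chunk(b"eXIf", b"II*\x00", declared_len=0x7FFFFFFF)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/media/image1.png", PNG_SIG + ihdr + idat + iend)
        zf.writestr("word/media/image2.png", PNG_SIG + ihdr + bad_exif + idat + iend)
    return buf.getvalue()
```

An empty list for a member means its PNG parsed cleanly with no EXIF chunk at all, which is the structural result one would expect from a false positive; a non-empty list is a reason to submit the file to the vendor, not proof of exploitation.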

It didn't. The signatures that Avast/AVG (now one company) employed are flawed. If this were a true document exploiting this vulnerability, it would be a PDF, and since this is a vulnerability noted in 2017, other vendors would also make a similar detection.

I came to the conclusion this is a False Positive based upon...

  • The contents of the file
  • The fact this CVE is indicative of Adobe Reader and Adobe Acrobat products and this was an MS Word file.
  • Only one vendor made this detection, noting Avast and AVG are now one company
  • The fact that other vendors did not corroborate a detection on what is essentially a not-so-new vulnerability exploit (from 2017).
