Html.Exploit.CVE_2014_6342 detected in cef.pak


Post by Czarek » Tue Nov 25, 2014 3:39 pm

Downloaded CEF3.2171.1902 TestApp binaries from cefbuilds.com. ClamAV detects Html.Exploit.CVE_2014_6342 on virustotal.com:
https://www.virustotal.com/en/file/ca56 ... 416947754/

Other .pak files are detected as harmless.
What can we do about it?
Maintainer of the CEF Python, PHP Desktop and CEF C API projects. My LinkedIn.

Re: Html.Exploit.CVE_2014_6342 detected in cef.pak

Post by magreenblatt » Tue Nov 25, 2014 3:44 pm

You should contact ClamAV and report the false positive.

Re: Html.Exploit.CVE_2014_6342 detected in cef.pak

Post by Czarek » Tue Nov 25, 2014 4:00 pm

I viewed the source of cef.pak and there are HTML/JS scripts embedded in it. Any way to identify which part of the code is causing this and remove it?

Looks like there are more consequences to it. There are also problems with Symantec because of these suspicious HTML/JS snippets packed in cef.pak. And it gets more complicated with Symantec as it doesn't detect any threat, but it's causing WS.Reputation.1 detection.

Here I've checked my app binaries with cef.pak included and it detects WS.Reputation.1:
https://www.virustotal.com/en/file/16db ... 416942827/

After removing cef.pak from binaries no threat is detected:
https://www.virustotal.com/en/file/a7cf ... 416948302/

WS.Reputation.1 is a detection for files that have a low reputation score based on analyzing data from Symantec’s community of users and therefore are likely to be security risks. Detections of this type are based on Symantec’s reputation-based security technology. Because this detection is based on a reputation score, it does not represent a specific class of threat like adware or spyware, but instead applies to all threat categories.

The reputation-based system uses "the wisdom of crowds" (Symantec’s tens of millions of end users) connected to cloud-based intelligence to compute a reputation score for an application, and in the process identify malicious software in an entirely new way beyond traditional signatures and behavior-based detection techniques.

Reference: http://community.norton.com/forums/clar ... -detection

Even if I report it as a false positive for ClamAV, I suspect that in a week another antivirus will see this file as suspicious.

And for Symantec, WS.Reputation.1 would need to be reported for each release of my application, which doesn't look good.
Maintainer of the CEF Python, PHP Desktop and CEF C API projects. My LinkedIn.
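
For the question above of which embedded script triggers the detection, here is an added example (not from any poster or from the CEF project) that splits a .pak into its individual resources and hashes each one, so each can be rescanned on its own and the matching one named in a false-positive report. It assumes the Chromium data pack version 4 layout (9-byte header, 6-byte index entries); `build_pak` and `SAMPLE` are constructed test input.

```python
import hashlib
import struct

HEADER = struct.Struct("<IIB")  # version, resource count, text encoding
ENTRY = struct.Struct("<HI")    # resource id, absolute offset of its data

def parse_pak(blob):
    """Split a version 4 data pack into {resource_id: bytes}."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    version, count, _encoding = HEADER.unpack_from(blob, 0)
    if version != 4:
        raise ValueError(f"unsupported pak version {version}")
    index_end = HEADER.size + (count + 1) * ENTRY.size
    if index_end > len(blob):
        raise ValueError("truncated index")
    # count + 1 entries: the last is a sentinel whose offset marks end of data.
    index = [ENTRY.unpack_from(blob, HEADER.size + i * ENTRY.size)
             for i in range(count + 1)]
    resources = {}
    for (rid, start), (_, end) in zip(index, index[1:]):
        if not index_end <= start <= end <= len(blob):
            raise ValueError(f"resource {rid} has out-of-range offsets")
        resources[rid] = blob[start:end]
    return resources

def looks_like_markup(data):
    """Cheap check for HTML/JS resources, the kind an HTML signature can match."""
    head = data[:64].lstrip().lower()
    return head.startswith((b"<!doctype", b"<html", b"<script"))

def triage(blob):
    """One row per resource: (id, size, sha256, is_markup)."""
    return [(rid, len(data), hashlib.sha256(data).hexdigest(), looks_like_markup(data))
            for rid, data in sorted(parse_pak(blob).items())]

def build_pak(resources):
    """Build a constructed sample pack (test input only, not a real cef.pak)."""
    ids = sorted(resources)
    offset = HEADER.size + (len(ids) + 1) * ENTRY.size
    index, body = b"", b""
    for rid in ids:
        index += ENTRY.pack(rid, offset)
        body += resources[rid]
        offset += len(resources[rid])
    return HEADER.pack(4, len(ids), 1) + index + ENTRY.pack(0, offset) + body

# Constructed sample: one HTML resource and one PNG-like binary resource.
SAMPLE = {101: b"<!doctype html><script>var x = 1;</script>",
          102: b"\x89PNG\r\n\x1a\n" + bytes(16)}
if __name__ == "__main__":
    for rid, size, digest, markup in triage(build_pak(SAMPLE)):
        print(rid, size, digest[:16], "markup" if markup else "binary")
```

Writing each value returned by `parse_pak` to its own file gives per-resource inputs for the scanner; the resource id and SHA-256 of the one that matches are what the false-positive report needs.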

Re: Html.Exploit.CVE_2014_6342 detected in cef.pak

Post by magreenblatt » Tue Nov 25, 2014 4:27 pm

Czarek wrote: I viewed source of cef.pak and there are HTML/JS scripts embedded in it. Any way to identify which part of code is causing this and remove it?

Not that I know of. Generally companies sign their installers/executables and report false positives to AV providers if there are further issues. Distributing unsigned executables in a zip archive is likely one of the "suspicious" behaviors that AV companies look for.

Re: Html.Exploit.CVE_2014_6342 detected in cef.pak

Post by Czarek » Tue Nov 25, 2014 5:03 pm

After packing the same binaries using 7z instead of zip, the threat was no longer detected by Symantec.