Splunk Enterprise

An issue was found by ClamAV: A virus was detected by ClamAV: FOUND PUA.Html.Exploit.CVE_2014_0322-1

mayankrojo
Explorer

Hello Guys,
I am running app-inspect on my add-on and I am encountering one failure which I am unable to resolve. Please find the failure below. Shouldn't it be a false positive? How do I deal with this?

{
  "checks": [
    {
      "description": "Check that the app does not include viruses.",
      "messages": [
        {
          "code": "reporter.fail(message)",
          "filename": "check_viruses.py",
          "line": 41,
          "message": "An issue was found by ClamAV: A virus was detected by ClamAV: FOUND PUA.Html.Exploit.CVE_2014_0322-1",
          "result": "failure",
          "message_filename": null,
          "message_line": null
        }
      ],
      "name": "check_for_viruses",
      "tags": [
        "splunk_appinspect",
        "cloud",
        "antivirus",
        "private_app"
      ],
      "result": "failure"
    }
  ],
  "description": "Malware, viruses, malicious content, user security standards (dynamic checks)",
  "name": "check_viruses"
}
 
Thanks & Regards,
Madhuri



izauer
Explorer

Also here.

The weird thing is that my add-on was inspected and passed but now suddenly it shows this error

An issue was found by ClamAV: A virus was detected by ClamAV: FOUND PUA.Html.Exploit.CVE_2014_0322-1
0 Karma

mayankrojo
Explorer

I deployed multiple add-ons on a customer tenant earlier and never came across this failure message. But now when I run those add-ons on app inspect, it shows me this failure. It seems this check has been introduced recently which should be a false positive but that is not the case. It seems we have to install clam to find out the exact file. The check "A virus was detected by ClamAV: FOUND PUA.Html.Exploit.CVE_2014_0322-1" is in common.js under appserver/static/js/build.
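
One way to find the flagged file locally with ClamAV, as the post above suggests (an added example, not code from the thread or from AppInspect). The package path, scratch directory and function names are assumptions, and a local signature database may not match the one AppInspect uses:

```shell
#!/bin/sh
# Added example, not from the thread. Locates the file(s) in an add-on
# package that trigger ClamAV signatures. Results depend on the local
# signature database.

# Constructed sample of clamscan output, used when no package is given.
SAMPLE_OUTPUT='/tmp/scan.ab12/my_addon/appserver/static/js/build/common.js: PUA.Html.Exploit.CVE_2014_0322-1 FOUND
/tmp/scan.ab12/my_addon/bin/input.py: OK'

# Read clamscan output on stdin ("<path>: <signature> FOUND") and print
# "<signature><TAB><path>", with <path> relative to the directory in $1.
parse_hits() {
  awk -v root="${1%/}/" '
    / FOUND$/ {
      sig = $(NF - 1)   # signature names contain no spaces
      path = substr($0, 1, length($0) - length(sig) - length(": ") - length(" FOUND"))
      if (index(path, root) == 1) path = substr(path, length(root) + 1)
      print sig "\t" path
    }'
}

# Unpack a .tgz/.spl package (assumed gzip-compressed tar) into a scratch
# directory, scan it recursively, and report the hits.
scan_package() {
  workdir=$(mktemp -d) || return 1
  if tar -xzf "$1" -C "$workdir"; then
    # --infected prints only hits; --detect-pua=yes enables PUA.* signatures.
    # clamscan exits 1 when it finds something, which is expected here.
    clamscan -r --infected --no-summary --detect-pua=yes "$workdir" | parse_hits "$workdir"
  fi
  rm -rf "$workdir"
}

if [ "$#" -ge 1 ]; then
  scan_package "$1"
else
  printf '%s\n' "$SAMPLE_OUTPUT" | parse_hits /tmp/scan.ab12
fi
```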

izauer
Explorer

@mayankrojo Thanks for the guidance!

Did you just remove the file?

0 Karma

mayankrojo
Explorer

Hello,
Coming back to this query again. I removed the common.js file, which was the culprit according to the response from appinspect. The add-on is passing all the checks in appinspect and is also working fine without common.js on my tenant. You will find common.js under your app->appserver->static->js->build->common.js

Thanks & Regards,

Madhuri

0 Karma

mayankrojo
Explorer

I will be in a position to throw some light on this by tomorrow. I am trying to delete this file and run an appinspect on top of this. I still have to look at and test the behaviour of the add-on by installing it on the tenant and by setting the input. I want to confirm whether or not it is calling any function within common.js. I will comment on it by tomorrow.

0 Karma

orcasec
Engager

Same here 

0 Karma