Closed xblack199 closed 1 year ago
Is this because of multiple users using the same server and Chrome?
hi! can you paste the full scan report? also, check the FAQ, especially:
loki_JPW-OL5-WAP06_2022-06-27_19-18-21.log
here is the full loki report scan_report.txt
here are the reports
ok, thanks. can you send me the whole directory (process_<pid>), including the dumped chrome binary? you can pack it and attach it here, or if that doesn't work, please send it to my e-mail: hasherezade-at-protonmail.com
@xblack199 - from the scan report it seems that indeed this chrome executable was replaced by a different one:
```json
"scans" : [
{
"mapping_scan" : {
"module" : "7ff709870000",
"module_file" : "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"mapped_file" : "C:\\Program Files\\Google\\Chrome\\Temp\\scoped_dir27748_1322145550\\old_chrome.exe",
"status" : 1
}
},
{
"headers_scan" : {
"module" : "7ff709870000",
"module_size" : "28f000",
"module_file" : "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"status" : 1,
"is_connected_to_peb" : 1,
"is_pe_replaced" : 1,
"dos_hdr_modified" : 0,
"file_hdr_modified" : 1,
"nt_hdr_modified" : 1,
"ep_modified" : 1,
"sec_hdr_modified" : 1
}
}
```
maybe this replacement was done for a legitimate reason, but PE-sieve is not meant to judge the reasons, only to provide the indicators, and it did its job.
If you can share the dumped executables with me, I will check them. To me it looks like some backward compatibility: an app old_chrome.exe was mapped and attached to the PEB instead of chrome.exe
...
if this disturbs you, you can disable scanning chrome.exe with /mignore chrome.exe - details here
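The two indicators discussed above (a `mapping_scan` whose `mapped_file` differs from `module_file`, and a `headers_scan` with `is_pe_replaced` and the header-modification flags set) can be triaged automatically across many hosts. The script below is an added example and is not code from the PE-sieve or hollows-hunter projects. It assumes only the `scans` array layout visible in the quoted report fragment; the sample report embedded in it is constructed to mirror that fragment plus one clean module, and the `ignore` list emulates the `/mignore` option by a case-insensitive match on the module's file name (an assumption about how that option behaves, not a documented guarantee).

```python
"""Triage a PE-sieve / hollows-hunter JSON scan report.

Added example, not part of the original thread or of PE-sieve itself.
Only the "scans" array structure shown in the issue is assumed.
"""
import json
from collections import defaultdict
from pathlib import PureWindowsPath

# Flags from headers_scan that indicate the in-memory PE no longer
# matches the file the module claims to be (names as in the report).
HEADER_FLAGS = (
    "is_pe_replaced", "dos_hdr_modified", "file_hdr_modified",
    "nt_hdr_modified", "ep_modified", "sec_hdr_modified",
)

# Constructed sample modelled on the report quoted in the thread, with an
# extra clean module (status 0) added to show that it is skipped.
SAMPLE_REPORT = {
    "scans": [
        {"mapping_scan": {
            "module": "7ff709870000",
            "module_file": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
            "mapped_file": "C:\\Program Files\\Google\\Chrome\\Temp\\scoped_dir27748_1322145550\\old_chrome.exe",
            "status": 1}},
        {"headers_scan": {
            "module": "7ff709870000",
            "module_size": "28f000",
            "module_file": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
            "status": 1, "is_connected_to_peb": 1, "is_pe_replaced": 1,
            "dos_hdr_modified": 0, "file_hdr_modified": 1, "nt_hdr_modified": 1,
            "ep_modified": 1, "sec_hdr_modified": 1}},
        {"headers_scan": {
            "module": "7ffd12340000",
            "module_file": "C:\\Windows\\System32\\ntdll.dll",
            "status": 0}},
    ]
}


def triage(report, ignore=()):
    """Return one finding per suspicious module.

    ignore: iterable of module file names (e.g. "chrome.exe") treated like
    /mignore: the finding is kept but marked ignored, so it can still be
    counted in fleet-wide statistics without paging anyone.
    """
    ignored = {name.lower() for name in ignore}
    per_module = defaultdict(dict)

    # Merge the per-scan entries by module base address.
    for entry in report.get("scans", []):
        for kind, scan in entry.items():
            mod = per_module[scan["module"]]
            mod.setdefault("module_file", scan.get("module_file", ""))
            if kind == "mapping_scan":
                mod["mapped_file"] = scan.get("mapped_file")
                mod["mapping_status"] = scan.get("status", 0)
            elif kind == "headers_scan":
                mod["header_flags"] = [f for f in HEADER_FLAGS if scan.get(f)]
                mod["headers_status"] = scan.get("status", 0)

    findings = []
    for addr, mod in per_module.items():
        module_file = mod.get("module_file", "")
        mapped = mod.get("mapped_file")
        reasons = []
        # Indicator 1: the module is backed by a different file than the
        # one recorded in the PEB (chrome.exe vs old_chrome.exe above).
        if mod.get("mapping_status") and mapped and mapped.lower() != module_file.lower():
            reasons.append("module file replaced by mapped file " + mapped)
        # Indicator 2: headers in memory differ from the module's file.
        if mod.get("headers_status") and mod.get("header_flags"):
            reasons.append("headers modified: " + ", ".join(mod["header_flags"]))
        if not reasons:
            continue
        name = PureWindowsPath(module_file).name.lower()
        findings.append({
            "module": addr,
            "module_file": module_file,
            "reasons": reasons,
            "ignored": name in ignored,
        })
    return findings


def triage_json(text, ignore=()):
    """Same as triage() but takes the raw JSON text of a report file."""
    return triage(json.loads(text), ignore)


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT, ignore=("chrome.exe",)):
        tag = "IGNORED" if f["ignored"] else "ALERT"
        print(f"[{tag}] {f['module']} {f['module_file']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run it against a real `scan_report.txt` with `triage_json(open(path).read())`; a module only counts when the relevant scan reported `status` 1, so a host whose chrome.exe mapping is already clean produces no finding at all rather than an ignored one.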
I found 14 alerts while checking with hollows-hunter.
All of them regard chrome.exe:
the module file was replaced with the mapped file.
Is this a false positive?
By the way, I found these warnings on multiple servers.