VBS/ACE.C and ZapProxy


michae...@gmail.com

Feb 13, 2019, 5:54:12 PM
to OWASP ZAP User Group
So, I have installed Zed on a Windows 10 machine.

I installed the fuzzerDB extension. After the extension finished installing, Windows Defender burped and notified me of malware, VBS/ACE.C installed from FuzzerDB.

At present I am assuming it is a false positive, and some code from the fuzzer is actually used in malware thus triggering an alert from Windows Defender.

Has anyone else experienced this?

kingthorin+owaspzap

Feb 13, 2019, 7:02:11 PM
to OWASP ZAP User Group
Yup it's a known issue, there are some files you can use as backdoors, AV solutions don't like them.

hauschu...@gmail.com

Feb 14, 2019, 6:47:05 AM
to OWASP ZAP User Group
In case you want to get rid of them, they are easy to find, but they are located in two places, and if you don't remove both, ZAP will repopulate them when it starts up again and set off all of the AV errors. 

You will need to remove them from .../OWASP ZAP/fuzzers/fuzzdb/(problemFiles) as well as ../OWASP ZAP/plugin/(problemFiles).zap

on windows anyway...

Note that removing the fuzzdb plugin file doesn't affect anything else, since when the add-on was added the payloads were added to the fuzzer folder where they are accessed from, and the .zap file itself is not functional during the use of the fuzzer.

Also, if Windows Defender only notified you of one malware, you should probably update it because FuzzDB should trigger at least 50....just to be safe! Or maybe our enterprise version is running some custom definitions that aren't standard?? Either way, can't hurt to look!


laksh

Feb 19, 2019, 5:55:37 AM
to OWASP ZAP User Group
We are also facing a similar issue and trying to remove files from the plugin folder.
Thanks for the details on how to remove the problemFiles; however, we are unable to locate the .zap files which should point to the web-backdoors folder under fuzzdb. Could you please help with which .zap file refers to the files in fuzzdb's web-backdoors folder?

hauschu...@gmail.com

Feb 19, 2019, 6:40:07 AM
to OWASP ZAP User Group
I don't remember the whole file name since I removed it a little while ago....but I think it was fuzz-beta-10.zap

thc...@gmail.com

Feb 19, 2019, 6:50:02 AM
to zaprox...@googlegroups.com
It is called fuzzdb-release-4.zap

(That one is the fuzzer add-on.)

Best regards.

kingthorin+owaspzap

Feb 19, 2019, 7:34:38 AM
to OWASP ZAP User Group
Note a .zap is just an archive (zip); you can open it with 7zip or any number of tools.
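As an added illustration of the last two points in this thread (a .zap add-on file is a plain zip archive, and the AV hits come from the web-backdoors payload directory inside it), here is a small Python script that lists the entries of a .zap under a given path prefix and can write a copy of the archive with those entries stripped out. This is example code written for this thread, not part of ZAP or fuzzdb. The archive built in `build_sample_zap()` is constructed for the example with made-up entry names and placeholder contents; it is not the real layout of fuzzdb-release-4.zap. Whether ZAP's add-on loader accepts a modified archive, and whether stripping entries is enough to stop ZAP repopulating the fuzzers folder, is not covered by the thread and is an assumption to verify on your own install; the thread's own advice is to remove the files from both locations.

```python
import io
import sys
import zipfile

# Constructed sample archive: a stand-in for a ZAP add-on (.zap == zip).
# Entry names and contents are made up for this example and are NOT the
# real contents of fuzzdb-release-4.zap.
SAMPLE_ENTRIES = {
    "ZapAddOn.xml": b"<zapaddon><name>example</name></zapaddon>\n",
    "fuzzers/fuzzdb/attack/example/example-attack.txt": b"placeholder fuzz string\n",
    "fuzzers/fuzzdb/web-backdoors/asp/example.asp": b"placeholder, not a real payload\n",
    "fuzzers/fuzzdb/web-backdoors/php/example.php": b"placeholder, not a real payload\n",
}

# Prefix used by this example for the payload directory the thread talks about.
# Adjust to match the layout of the real archive when you inspect it.
BACKDOOR_PREFIX = "fuzzers/fuzzdb/web-backdoors/"


def build_sample_zap() -> bytes:
    """Build the constructed sample .zap in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in SAMPLE_ENTRIES.items():
            zf.writestr(name, data)
    return buf.getvalue()


def list_entries(zap_bytes: bytes, prefix: str = "") -> list[str]:
    """Return the sorted entry names in the archive that start with prefix."""
    with zipfile.ZipFile(io.BytesIO(zap_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.startswith(prefix))


def strip_entries(zap_bytes: bytes, prefix: str) -> tuple[bytes, list[str]]:
    """Return (new_archive_bytes, removed_names): a copy of the archive
    with every entry under prefix left out. Other entries are copied as-is,
    keeping their original ZipInfo metadata."""
    removed: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(zap_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.startswith(prefix):
                removed.append(info.filename)
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue(), removed


def strip_file(in_path: str, out_path: str, prefix: str = BACKDOOR_PREFIX) -> list[str]:
    """Read a .zap from disk, write a stripped copy to out_path, return removed names."""
    with open(in_path, "rb") as fh:
        data = fh.read()
    new_data, removed = strip_entries(data, prefix)
    with open(out_path, "wb") as fh:
        fh.write(new_data)
    return removed


if __name__ == "__main__":
    # Usage: python zap_strip.py <in.zap> <out.zap> [prefix]
    # With no arguments the constructed sample archive is used instead.
    if len(sys.argv) >= 3:
        prefix = sys.argv[3] if len(sys.argv) > 3 else BACKDOOR_PREFIX
        for name in strip_file(sys.argv[1], sys.argv[2], prefix):
            print("removed:", name)
    else:
        sample = build_sample_zap()
        print("entries under", BACKDOOR_PREFIX)
        for name in list_entries(sample, BACKDOOR_PREFIX):
            print("  ", name)
        new_sample, removed = strip_entries(sample, BACKDOOR_PREFIX)
        print("removed", len(removed), "entries; remaining:", list_entries(new_sample))
```

Inspect first (`list_entries` with an empty prefix prints everything) so you can see the real directory names before choosing a prefix; the prefix in the script is only the example's guess at the layout. Keep the original .zap somewhere outside the ZAP home directory so the add-on can be restored if ZAP refuses the modified archive.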