Koozali.org: home of the SME Server

Win.Exploit.CVE_2016_3316-1

hawk
Win.Exploit.CVE_2016_3316-1
« on: August 10, 2016, 01:36:30 PM »
Hi
A problem I have picked up today with a virus; just asking if anyone else has had the same issue and how you might have resolved it.
I first noticed it when trying to send an email with a doc attachment: the server rejected the mail, saying it has the
Win.Exploit.CVE_2016_3316-1 virus. Then I got calls from some of my clients with the same issue.
So, freaking out, I loaded some AVs and ran scans on my computer: nothing. Ran scans on my ibays that have docs: nothing.
I downloaded the latest ClamWin and scanned: bingo, hundreds of doc files with the virus.
So I am assuming this could be one of these false positives; if I create a new doc with either Libre or Word with nothing in the doc, it scans as having the virus.

What is worrying me is that SME, using Clam to scan, will be rejecting all emails with a doc attachment, and when Clam runs its server scan it will quarantine all the doc files.

Anyone having the same issue?
thanks
john

warren
Re: Win.Exploit.CVE_2016_3316-1
« Reply #1 on: August 10, 2016, 02:09:15 PM »
Hi hawk
Got same.

I did the following (add / whitelist signature to clamav):

Code:
# echo "Win.Exploit.CVE_2016_3316-1" >> /var/clamav/local.ign2
# chown clamav:clamav /var/clamav/local.ign2
# service clamd restart

Re-sent test email and it came through.

hawk
Re: Win.Exploit.CVE_2016_3316-1
« Reply #2 on: August 10, 2016, 03:41:14 PM »
Hi Warren
Worked perfectly,
thanks

guest22

Re: Win.Exploit.CVE_2016_3316-1
« Reply #3 on: August 10, 2016, 03:42:39 PM »
all suspected security issues should be reported to security@contribs.org

hawk
Re: Win.Exploit.CVE_2016_3316-1
« Reply #4 on: August 10, 2016, 04:18:08 PM »
ok have sent to security
thanks

warren
Re: Win.Exploit.CVE_2016_3316-1
« Reply #5 on: August 10, 2016, 04:23:56 PM »
all suspected security issues should be reported to security@contribs.org

Agreed... but think this is more a false-positive issue from clamav, from the mailing lists: http://lists.clamav.net/pipermail/clamav-users/2016-August/003237.html
Quote
Alain Zidouemba azidouemba at sourcefire.com
Wed Aug 10 09:52:29 EDT 2016

The offending signature has been dropped from the signature set. This
should be reflected shortly in an upcoming signature update.

- Alain

On Wed, Aug 10, 2016 at 6:10 AM, Al Varnell <alvarnell at mac.com> wrote:


ok have sent to security
thanks


Thanks

CharlieBrady
Re: Win.Exploit.CVE_2016_3316-1
« Reply #6 on: August 10, 2016, 04:37:06 PM »
all suspected security issues should be reported to security@contribs.org

I don't see how this would be a security issue. It sounds just to be a false positive virus detection.

Catton
Re: Win.Exploit.CVE_2016_3316-1
« Reply #7 on: August 10, 2016, 06:56:05 PM »
Yes, this happened to me too. I added Win.Exploit.CVE_2016_3316-1 to the clamav white-list. That worked. When I ran a clamscan on /var/spool/clamav/quarantine/, I no longer see FOUND Win.Exploit.CVE_2016_3316-1.
Is there a way to put the false positive files in quarantine back to their original locations? Perhaps someone already has a script.
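
An added example, not part of the thread or of SME Server's own tooling: shell helpers that make the local.ign2 change from Reply #1 repeatable and reversible, and that list detections in a saved clamscan report which the ignore entry does not account for. The helper names, the sample report, its paths and the second signature name are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Try it on a copy of the ignore file first.
# local.ign2 holds one signature name per line.

# ign2_has FILE SIG: succeed if SIG is listed (fixed-string, whole-line match).
ign2_has() {
    [ -f "$1" ] && grep -Fxq -- "$2" "$1"
}

# ign2_add FILE SIG: append SIG once; re-running never creates duplicates.
ign2_add() {
    ign2_has "$1" "$2" && return 0
    printf '%s\n' "$2" >> "$1"
}

# ign2_remove FILE SIG: drop SIG and keep every other entry, for lifting the
# suppression once the corrected signature set has been downloaded.
ign2_remove() {
    [ -f "$1" ] || return 0
    tmp="$1.tmp.$$"
    # grep exits 1 when no lines remain, which is fine; anything else is an error.
    grep -Fxv -- "$2" "$1" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$1"    # overwrite in place so owner and mode are unchanged
    rm -f "$tmp"
}

# hits_other_than REPORT SIG: print clamscan "path: Name FOUND" lines whose
# signature is not SIG, i.e. detections the ignore entry does not explain.
hits_other_than() {
    awk -v sig="$2" '/ FOUND$/ {
        n = split($0, part, ": ")          # signature is the last ": " field
        name = part[n]; sub(/ FOUND$/, "", name)
        if (name != sig) print
    }' "$1"
}

# Constructed clamscan output (paths and the second signature name are made up).
sample_report() {
    cat <<'EOF'
/tmp/example/docs/quote.doc: Win.Exploit.CVE_2016_3316-1 FOUND
/tmp/example/docs/notes: draft.doc: Win.Exploit.CVE_2016_3316-1 FOUND
/tmp/example/docs/invoice.doc: Example.Other.Signature-1 FOUND
/tmp/example/docs/readme.txt: OK
EOF
}
```

Any line printed by `hits_other_than` is a detection the ignore entry does not cover and should be looked at separately before files are released from quarantine.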

Catton
Re: Win.Exploit.CVE_2016_3316-1
« Reply #8 on: August 10, 2016, 07:19:15 PM »