[clamav-users] Win.Exploit.CVE_2016_3301-6210129-0 detected. Could this be a false positive?

Al Varnell alvarnell at mac.com
Sat Apr 8 06:55:22 EDT 2017


On Sat, Apr 08, 2017 at 03:36 AM, ANANT S ATHAVALE wrote:
> 
> Hi List,
> 
> One of the .pptx files which was attached is getting detected as VIRUS: Win.Exploit.CVE_2016_3301-6210129-0.  As it is an official document, it can't be uploaded for submission.  How to manually verify?

I don't understand what it is you want to do here.

The signature was added in Daily - 23271 on 5 Apr.

The signature is:
$ sigtool --find Win.Exploit.CVE_2016_3301-6210129-0|sigtool --decode-sigs
VIRUS NAME: Win.Exploit.CVE_2016_3301-6210129-0
TDB: Engine:81-255,Target:0
LOGICAL EXPRESSION: 0&1&2&3
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
l
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
O{WILDCARD_ANY_STRING(LENGTH<=200)}(
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
     +-> TRIGGER: 0&1
     +-> REGEX: \x28\x00\x00\x00[\x00-\xff][\x00-\xff]\x90[\x04-\xff]
     +-> CFLAGS: (null)
 * SUBSIG ID 3
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
{WILDCARD_ANY_STRING(LENGTH==4)}

Information on CVE-2016-3301 can be found at <https://nvd.nist.gov/vuln/detail/CVE-2016-3301>.

After that I think you are on your own to decide.

-Al-
-- 
Al Varnell
Mountain View, CA
ClamXav user
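As an added illustration (not code from this post and not ClamAV's own matcher), the following Python script re-implements the four clauses of the decoded logical signature above so that a reader can see which clause a given blob hits, and which member of a .pptx container (a zip file, whose members ClamAV extracts and scans) triggers the match. All function names, the constructed sample blobs and the sample container are assumptions of this example; it evaluates only the `&`/`|` subset of ClamAV's logical-expression syntax, and it treats subsig 3, which decodes to a bare four-byte wildcard, as matching any input of at least four bytes, since the decoder output shows no literal bytes around it.

```python
import io
import re
import sys
import zipfile

# Added example: a stand-alone re-implementation of the logical signature that
# `sigtool --decode-sigs` printed in the post. This is NOT ClamAV's matcher; it
# mirrors the decoded clauses so a reader can see which of them a blob hits.
SIG_NAME = "Win.Exploit.CVE_2016_3301-6210129-0"
LOGICAL_EXPRESSION = "0&1&2&3"          # from the decoded output

# Subsig 1: literal 'O', then up to 200 arbitrary bytes, then '(' (OFFSET: ANY).
SUBSIG1 = re.compile(rb"O[\x00-\xff]{0,200}\(")
# Subsig 2: the PCRE shown in the decoded output. TRIGGER 0&1 means it is only
# evaluated once subsigs 0 and 1 have already matched.
SUBSIG2 = re.compile(rb"\x28\x00\x00\x00[\x00-\xff][\x00-\xff]\x90[\x04-\xff]")


def evaluate_subsigs(data: bytes) -> dict:
    """Return {subsig_id: bool} for the four clauses, honouring the trigger on subsig 2."""
    hits = {}
    hits[0] = data.startswith(b"l")                 # OFFSET: 0, decoded body "l"
    hits[1] = SUBSIG1.search(data) is not None      # OFFSET: ANY
    hits[2] = hits[0] and hits[1] and SUBSIG2.search(data) is not None
    # Subsig 3 decodes to a bare 4-byte wildcard, so as printed it matches any
    # input of at least four bytes (assumption of this example).
    hits[3] = len(data) >= 4
    return hits


def evaluate_expression(expr: str, hits: dict) -> bool:
    """Evaluate the '&' / '|' subset of ClamAV's logical-expression syntax (no parentheses, no counts)."""
    return any(all(hits[int(t)] for t in clause.split("&")) for clause in expr.split("|"))


def matches(data: bytes) -> bool:
    return evaluate_expression(LOGICAL_EXPRESSION, evaluate_subsigs(data))


def scan(data: bytes) -> dict:
    """Map member name -> subsig hits. A .pptx is a zip and ClamAV scans the
    extracted members, so a zip is walked member by member; anything else is
    evaluated as one blob under the key '<file>'."""
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            return {name: evaluate_subsigs(zf.read(name)) for name in zf.namelist()}
    return {"<file>": evaluate_subsigs(data)}


def matching_members(data: bytes) -> list:
    return [name for name, hits in scan(data).items()
            if evaluate_expression(LOGICAL_EXPRESSION, hits)]


# Constructed samples (not real documents): one blob built to satisfy every clause,
# and a pptx-style container whose only matching member is 'ppt/embeddings/x.bin'.
MATCHING_BLOB = b"l" + b"Object(" + b"\x28\x00\x00\x00\x12\x34\x90\x05" + b"tail"
CLEAN_BLOB = b"PK\x03\x04 just some harmless bytes"


def build_sample_container() -> bytes:
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("ppt/slides/slide1.xml", b"<p:sld/>")
        zf.writestr("ppt/embeddings/x.bin", MATCHING_BLOB)
    return out.getvalue()


if __name__ == "__main__":
    # Usage: python3 this_script.py suspect.pptx   (no argument: scan the built-in sample)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else build_sample_container()
    for member, hits in scan(blob).items():
        verdict = "MATCH" if evaluate_expression(LOGICAL_EXPRESSION, hits) else "clean"
        print(f"{verdict:5} {member}  subsigs={hits}")
```

The per-member report is the useful part for a question like the one in the thread: it shows which embedded part of the presentation carries the bytes the signature keys on, so the file can be examined locally without uploading it. Keep in mind that the real engine also applies the TDB constraints (engine version range, file type target) and its own offset semantics, which this example does not model.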

