[clamav-users] Win.Exploit.CVE_2016_3301-6210129-0 detected. Could this be a false positive?
Al Varnell
alvarnell at mac.com
Sat Apr 8 10:55:22 UTC 2017
On Sat, Apr 08, 2017 at 03:36 AM, ANANT S ATHAVALE wrote:
>
> Hi List,
>
> One of the .pptx files which was attached is getting detected as VIRUS: Win.Exploit.CVE_2016_3301-6210129-0. As it is an official document, it can't be uploaded for submission. How to manually verify?
I don't understand what it is you want to do here.
The signature was added in Daily - 23271 on 5 Apr.
The signature is:
$ sigtool --find Win.Exploit.CVE_2016_3301-6210129-0|sigtool --decode-sigs
VIRUS NAME: Win.Exploit.CVE_2016_3301-6210129-0
TDB: Engine:81-255,Target:0
LOGICAL EXPRESSION: 0&1&2&3
* SUBSIG ID 0
+-> OFFSET: 0
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
l
* SUBSIG ID 1
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
O{WILDCARD_ANY_STRING(LENGTH<=200)}(
* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
+-> TRIGGER: 0&1
+-> REGEX: \x28\x00\x00\x00[\x00-\xff][\x00-\xff]\x90[\x04-\xff]
+-> CFLAGS: (null)
* SUBSIG ID 3
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
{WILDCARD_ANY_STRING(LENGTH==4)}
Information on CVE-2016-3301 can be found at <https://nvd.nist.gov/vuln/detail/CVE-2016-3301>.
After that I think you are on your own to decide.
-Al-
--
Al Varnell
Mountain View, CA
ClamXav user
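For readers who want to follow Al's hint and check the decoded signature against the document by hand, here is a small added example (not from the list post and not ClamAV's own code). It copies the one subsignature that the decoded output above shows in full, the SUBSIG ID 2 regex, walks the members of a .pptx (an OOXML container is a zip, and ClamAV scans the embedded members), reports where that byte pattern occurs, and evaluates the signature's logical expression `0&1&2&3`. SUBSIG IDs 0, 1 and 3 are not fully reproducible from the decoded output on the page, so the example takes their match status as caller-supplied input; the sample .pptx, the per-member evaluation, the `&`-binds-tighter-than-`|` precedence and the omission of ClamAV's count comparisons (`0>3`, `X=Y,Z`) are all assumptions of this example.

```python
import io
import re
import zipfile

# SUBSIG ID 2 of Win.Exploit.CVE_2016_3301-6210129-0, copied from the
# sigtool --decode-sigs output quoted in the post.
SUBSIG2_REGEX = re.compile(
    rb"\x28\x00\x00\x00[\x00-\xff][\x00-\xff]\x90[\x04-\xff]", re.DOTALL
)

# LOGICAL EXPRESSION from the decoded signature: every subsig must match.
LOGICAL_EXPRESSION = "0&1&2&3"


def find_regex_hits(data: bytes, pattern=SUBSIG2_REGEX):
    """Return the offsets in `data` at which `pattern` matches."""
    return [m.start() for m in pattern.finditer(data)]


def scan_zip_members(zip_bytes: bytes, pattern=SUBSIG2_REGEX):
    """Map each zip member (a .pptx is a zip) to the offsets where `pattern`
    matches inside that member. Members without a hit are omitted."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            offsets = find_regex_hits(zf.read(info.filename), pattern)
            if offsets:
                hits[info.filename] = offsets
    return hits


def evaluate_logical_expression(expr: str, matched: dict) -> bool:
    """Evaluate a logical expression over subsig IDs using '&', '|' and
    parentheses. A subsig ID is true when matched[id] > 0.
    Assumption: '&' binds tighter than '|'; ClamAV's count comparisons
    ('0>3', 'X=Y,Z') are not handled here."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError(f"unsupported token in expression: {expr!r}")
    pos = 0

    def parse_atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            value = parse_or()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("unbalanced parenthesis")
            pos += 1
            return value
        if tok.isdigit():
            return matched.get(int(tok), 0) > 0
        raise ValueError(f"unexpected token {tok!r}")

    def parse_and():
        nonlocal pos
        value = parse_atom()
        while pos < len(tokens) and tokens[pos] == "&":
            pos += 1
            value = parse_atom() and value  # right side always evaluated
        return value

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            value = parse_and() or value
        return value

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens in expression")
    return result


def signature_fires(zip_bytes: bytes, other_subsigs: dict):
    """Decide per member whether the logical expression is satisfied.
    `other_subsigs` supplies match counts for subsig IDs 0, 1 and 3, which
    the decoded output on the page does not reproduce fully (assumption)."""
    hits = scan_zip_members(zip_bytes)
    fired = []
    for name, offsets in hits.items():
        matched = dict(other_subsigs)
        matched[2] = len(offsets)
        if evaluate_logical_expression(LOGICAL_EXPRESSION, matched):
            fired.append(name)
    return fired, hits


def build_sample_pptx() -> bytes:
    """Constructed sample container: one slide and one embedded object that
    carries the SUBSIG ID 2 byte pattern at offset 16."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", b"<Types/>")
        zf.writestr("ppt/slides/slide1.xml", b"<p:sld/>")
        zf.writestr(
            "ppt/embeddings/oleObject1.bin",
            b"\x00" * 16 + b"\x28\x00\x00\x00AB\x90\x05" + b"\x00" * 8,
        )
    return buf.getvalue()


if __name__ == "__main__":
    fired, hits = signature_fires(build_sample_pptx(), {0: 1, 1: 1, 3: 1})
    print("members with subsig 2 hits:", hits)
    print("members on which the expression is satisfied:", fired)
```

Run against a real .pptx by replacing `build_sample_pptx()` with the file's bytes; a member listed in `hits` shows where to look with a hex viewer, and an empty result for subsig 2 means the logical expression cannot be satisfied regardless of the other subsignatures.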