ClamWin Free Antivirus Forum Index
ClamWin Free Antivirus
Support and Discussion Forums
Reply to topic
Php.Exploit.CVE
davebit


Joined: 18 Jan 2016
Posts: 23
Location: America
Reply with quote
Just did a scan on C:\, got a bunch of hits for Php.Exploit.CVE across multiple locations; I tried to look it up and found this: http://www.cvedetails.com/cve/2015-2331

I didn't think Java and Android Chrome used PHP.

Search "FOUND" (14 hits in 1 file)
new 0 (14 hits)
Line 464: C:\ProgramData\Oracle\Java\installcache\baseimagefam8: Php.Exploit.CVE_2015_2331-1 FOUND
Line 466: C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8: Php.Exploit.CVE_2015_2331-1 FOUND
Line 2914: C:\Users\All Users\Oracle\Java\installcache\baseimagefam8: Php.Exploit.CVE_2015_2331-1 FOUND
Line 2916: C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8: Php.Exploit.CVE_2015_2331-1 FOUND
Line 3145: C:\Users\Dave\Documents\Computer\Android\HTC One M8\AndroidAssistant_appbackup\Chrome 48.0.2564.95_256409501.apk: Php.Exploit.CVE_2015_2331-1 FOUND
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4213
Location: USA
Reply with quote
Well, maybe they can render it. Some AVs on Virus Total can spot it, however, so you can verify the file there if you have one.

Most AVs don't do too well at detecting php and other non-Windows PE file malware, except for the commercially-oriented ones.

Regards,
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 561
Location: **UNKNOWN**
Reply with quote
If you are concerned there may be an exploit within Java, you might want to consider downloading and install Microsoft's EMET tool. It is designed for stopping exploits and it shields Java by default, but you will need to configure it to shield other applications.

You can download it from here: https://www.microsoft.com/en-us/download/details.aspx?id=50766

Please note, if you are on a Windows 10 system, you must use 5.5 or later as Microsoft added full compatibility for Windows 10 in 5.5.
View user's profileSend private message
davebit


Joined: 18 Jan 2016
Posts: 23
Location: America
Reply with quote
GuitarBob wrote:
Well, maybe they can render it. Some AVs on Virus Total can spot it, however, so you can verify the file there if you have one.

Most AVs don't do too well at detecting php and other non-Windows PE file malware, except for the commercially-oriented ones.

Regards,


PHP is a server-side language; so you're saying Chrome is serving up PHP files from a server on my phone? How would that even work?
View user's profileSend private message
davebit


Joined: 18 Jan 2016
Posts: 23
Location: America
Reply with quote
Main question is whether I should delete these files or quarantine them or something else or just not worry about them.
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 561
Location: **UNKNOWN**
Reply with quote
I don't use Java, so I do not know what those files are. Do what Bob said, submit them to Virustotal and see what other AVs say before deleting them. https://www.virustotal.com/

As Bob said though, some AVs do not detect exploits. ClamAV usually detects exploits because they get the exploit signatures from Snort and now YARA as of version .99.
View user's profileSend private message
davebit


Joined: 18 Jan 2016
Posts: 23
Location: America
Reply with quote
ROCKNROLLKID wrote:
I don't use Java, so I do not know what those files are. Do what Bob said, submit them to Virustotal and see what other AVs say before deleting them. https://www.virustotal.com/

As Bob said though, some AVs do not detect exploits. ClamAV usually detects exploits because they get the exploit signatures from Snort and now YARA as of version .99.


VirusTotal found nothing, even ClamAV gives it a green checkmark:

https://www.virustotal.com/en/file/0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11/analysis/

Yet ClamWin again said infected: Php.Exploit.CVE_2015_2331-1 FOUND

So... is this an infection or what?
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4213
Location: USA
Reply with quote
If ClamWin spots an exploit and other AVs do not, then it is most likely a false postitive. It is also very unusual to spot several infections of the same type--malware usually tries to be unnoticeable, and this certainly looks noticeable. Another tip: look at the date of a file. If it is more than a month old, lots of AVs should spot it if it is real malware.

Regards,
View user's profileSend private message
davebit


Joined: 18 Jan 2016
Posts: 23
Location: America
Reply with quote
GuitarBob wrote:
If ClamWin spots an exploit and other AVs do not, then it is most likely a false postitive. It is also very unusual to spot several infections of the same type--malware usually tries to be unnoticeable, and this certainly looks noticeable. Another tip: look at the date of a file. If it is more than a month old, lots of AVs should spot it if it is real malware.

Regards,


So it's a false positive? It's shown up over several updates; now what?
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4213
Location: USA
Reply with quote
It's funny that ClamWin spots it but Clam AV does not, since ClamWin uses the signatures/scan engine from Clam AV. Are you also using Clam Sentinel? If you are, and if the "infected" file is detected by Clam Sentinel, you can whitelist the file via Files Not Scanned in the Clam Sentinel advanced options.

If you are not using Clam Sentinel, then it will do not good to report the false positive to Clam AV since Clam did not detect an infection on Virus Total. In that case, whitelist the file in ClamWin via the Tools, Preferences, Filters, Exclude Matching Filenames. Sometimes ClamWin can have a false positive if it is using an older version of the Clam AV scan engine than Clam AV. Clam AV is now using version .99.2, while ClamWin is still using version .99.1--it has not yet updated to the current scan engine. This may be the reason for your problem.

Regards,
View user's profileSend private message
Should we report this somewhere?
goldie


Joined: 10 Sep 2016
Posts: 3
Location: ee
Reply with quote
Detected this on my PC with fresh virusDB, in Java installcache. Good, bad, maybe? How to proceed... Ignore?

!OK, uploaded the 68mb file to clamav as false positive. fingers crossed..
View user's profileSend private message
GuitarBob


Joined: 09 Jul 2006
Posts: 4213
Location: USA
Reply with quote
It may take Clam AV a while to correct a false positive signature. Did you check the file with Virus Total? If not, I suggest that you do so. Virus Total will send any false positives to the AV the detects it--this will probably make the signature more important to Clam AV.

Regards,
View user's profileSend private message
goldie


Joined: 10 Sep 2016
Posts: 3
Location: ee
Reply with quote
"This file was last analysed by VirusTotal on 2016-09-10 08:49:14 UTC (15 hours, 36 minutes ago) it was first analysed by VirusTotal on 2014-10-28 10:57:59 UTC. Detection ratio: 0/50"

Weird...
View user's profileSend private message
ROCKNROLLKID


Joined: 23 Sep 2013
Posts: 561
Location: **UNKNOWN**
Reply with quote
Is your ClamWin up-to-date? Do a manual update to make sure. I am pretty this was fixed some time ago.
View user's profileSend private message
goldie


Joined: 10 Sep 2016
Posts: 3
Location: ee
Reply with quote
Downloaded and installed CW just yesterday, also checked that DB is up to date.
View user's profileSend private message
Php.Exploit.CVE
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
All times are GMT  
Page 1 of 1  

  
  
 Reply to topic