Php.Exploit.CVE

davebit
Joined: 18 Jan 2016
Posts: 0
Location: America
Posted: Tue Mar 22, 2016 12:49 pm
Just did a scan on C:\, got a bunch of hits for Php.Exploit.CVE across multiple locations; I tried to look it up and found this: https://www.cvedetails.com/cve/2015-2331
I didn't think Java and Android Chrome used PHP.
Search "FOUND" (14 hits in 1 file)
new 0 (14 hits)
Line 464: C:\ProgramData\Oracle\Java\installcache\baseimagefam8: Php.Exploit.CVE_2015_2331-1 FOUND
Line 466: C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8: Php.Exploit.CVE_2015_2331-1 FOUND
Line 2914: C:\Users\All Users\Oracle\Java\installcache\baseimagefam8: Php.Exploit.CVE_2015_2331-1 FOUND
Line 2916: C:\Users\All Users\Oracle\Java\installcache_x64\baseimagefam8: Php.Exploit.CVE_2015_2331-1 FOUND
Line 3145: C:\Users\Dave\Documents\Computer\Android\HTC One M8\AndroidAssistant_appbackup\Chrome 48.0.2564.95_256409501.apk: Php.Exploit.CVE_2015_2331-1 FOUND

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Tue Mar 22, 2016 2:43 pm
Well, maybe they can render it. Some AVs on Virus Total can spot it, however, so you can verify the file there if you have one.
Most AVs don't do too well at detecting PHP and other non-Windows PE file malware, except for the commercially-oriented ones.
Regards,

ROCKNROLLKID
Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Posted: Tue Mar 22, 2016 11:20 pm
If you are concerned there may be an exploit within Java, you might want to consider downloading and installing Microsoft's EMET tool. It is designed for stopping exploits and it shields Java by default, but you will need to configure it to shield other applications.
You can download it from here: https://www.microsoft.com/en-us/download/details.aspx?id=50766
Please note, if you are on a Windows 10 system, you must use 5.5 or later as Microsoft added full compatibility for Windows 10 in 5.5.

davebit
Joined: 18 Jan 2016
Posts: 0
Location: America
Posted: Sat Mar 26, 2016 3:38 pm
GuitarBob wrote:
    Well, maybe they can render it. Some AVs on Virus Total can spot it, however, so you can verify the file there if you have one.
    Most AVs don't do too well at detecting PHP and other non-Windows PE file malware, except for the commercially-oriented ones.
    Regards,
PHP is a server-side language; so you're saying Chrome is serving up PHP files from a server on my phone? How would that even work?

davebit
Joined: 18 Jan 2016
Posts: 0
Location: America
Posted: Sat Mar 26, 2016 3:39 pm
Main question is whether I should delete these files or quarantine them or something else or just not worry about them.

ROCKNROLLKID
Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Posted: Sat Mar 26, 2016 6:02 pm
I don't use Java, so I do not know what those files are. Do what Bob said, submit them to Virustotal and see what other AVs say before deleting them. https://www.virustotal.com/
As Bob said though, some AVs do not detect exploits. ClamAV usually detects exploits because they get the exploit signatures from Snort and now YARA as of version .99.

davebit
Joined: 18 Jan 2016
Posts: 0
Location: America
Posted: Sun Jun 05, 2016 5:17 pm
ROCKNROLLKID wrote:
    I don't use Java, so I do not know what those files are. Do what Bob said, submit them to Virustotal and see what other AVs say before deleting them. https://www.virustotal.com/
    As Bob said though, some AVs do not detect exploits. ClamAV usually detects exploits because they get the exploit signatures from Snort and now YARA as of version .99.
VirusTotal found nothing, even ClamAV gives it a green checkmark:
https://www.virustotal.com/en/file/0a01e1f33b0dd6af5d71fd26261b97eda1f9da77553704afd0a9d176de733c11/analysis/
Yet ClamWin again said infected: Php.Exploit.CVE_2015_2331-1 FOUND
So... is this an infection or what?

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sun Jun 05, 2016 7:01 pm
If ClamWin spots an exploit and other AVs do not, then it is most likely a false positive. It is also very unusual to spot several infections of the same type--malware usually tries to be unnoticeable, and this certainly looks noticeable. Another tip: look at the date of a file. If it is more than a month old, lots of AVs should spot it if it is real malware.
Regards,
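
Added example, not code from the thread or from ClamWin: a Python triage helper for the kind of report quoted in the first post. It parses the ClamAV-style FOUND lines, groups them by signature, checks the two false-positive signals GuitarBob describes above (the same file name hitting in several locations, and file age), and hashes a file so its VirusTotal report can be looked up by SHA-256 as ROCKNROLLKID suggested, without uploading it. SAMPLE_REPORT is constructed from the thread's own lines; the function names and the ages_days argument are my own.

```python
import hashlib
import os
import re
from collections import defaultdict

# ClamAV and ClamWin log one detection per line as "<path>: <Signature> FOUND"; the
# thread pasted them from a text-editor search, so a "Line 464: " prefix is dropped.
HIT_RE = re.compile(r"^(?:Line \d+: )?(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Constructed sample: three of the hits quoted in the first post of the thread.
SAMPLE_REPORT = r"""
Line 464: C:\ProgramData\Oracle\Java\installcache\baseimagefam8: Php.Exploit.CVE_2015_2331-1 FOUND
Line 466: C:\ProgramData\Oracle\Java\installcache_x64\baseimagefam8: Php.Exploit.CVE_2015_2331-1 FOUND
Line 3145: C:\Users\Dave\Documents\Computer\Android\HTC One M8\AndroidAssistant_appbackup\Chrome 48.0.2564.95_256409501.apk: Php.Exploit.CVE_2015_2331-1 FOUND
"""

def parse_report(text):
    """Map each signature to the paths it fired on, one entry per FOUND line."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            groups[m.group("sig")].append(m.group("path"))
    return dict(groups)

def fp_indicators(paths, ages_days=None):
    """False-positive signals for one signature's hits: the same file name in several
    locations (installer cache copies) and files older than 30 days (ages_days: {path: days})."""
    names = [os.path.basename(p.replace("\\", "/")) for p in paths]
    signals = ["'%s' hit in %d locations (installer cache copies?)" % (n, names.count(n))
               for n in sorted(set(names)) if names.count(n) > 1]
    old = [p for p, days in (ages_days or {}).items() if days > 30]
    if old:
        signals.append("%d file(s) older than 30 days; real malware that old is usually widely detected" % len(old))
    return signals

def sha256_hex(chunks):
    """Digest an iterable of byte chunks so a 68 MB file never has to sit in memory."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()

def vt_report_url(path):
    """Report URL in the form linked in the thread; looking up the hash needs no upload."""
    with open(path, "rb") as f:
        digest = sha256_hex(iter(lambda: f.read(1 << 20), b""))
    return "https://www.virustotal.com/en/file/%s/analysis/" % digest
```

Run fp_indicators on each signature's path list from parse_report; a cluster that only trips these signals and shows 0 detections at the vt_report_url is a good candidate for a false-positive report to ClamAV.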

davebit
Joined: 18 Jan 2016
Posts: 0
Location: America
Posted: Sun Jun 05, 2016 9:48 pm
GuitarBob wrote:
    If ClamWin spots an exploit and other AVs do not, then it is most likely a false positive. It is also very unusual to spot several infections of the same type--malware usually tries to be unnoticeable, and this certainly looks noticeable. Another tip: look at the date of a file. If it is more than a month old, lots of AVs should spot it if it is real malware.
    Regards,
So it's a false positive? It's shown up over several updates; now what?

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Jun 06, 2016 12:19 am
It's funny that ClamWin spots it but Clam AV does not, since ClamWin uses the signatures/scan engine from Clam AV. Are you also using Clam Sentinel? If you are, and if the "infected" file is detected by Clam Sentinel, you can whitelist the file via Files Not Scanned in the Clam Sentinel advanced options.
If you are not using Clam Sentinel, then it will do no good to report the false positive to Clam AV since Clam did not detect an infection on Virus Total. In that case, whitelist the file in ClamWin via the Tools, Preferences, Filters, Exclude Matching Filenames. Sometimes ClamWin can have a false positive if it is using an older version of the Clam AV scan engine than Clam AV. Clam AV is now using version .99.2, while ClamWin is still using version .99.1--it has not yet updated to the current scan engine. This may be the reason for your problem.
Regards,

Should we report this somewhere?
goldie
Joined: 10 Sep 2016
Posts: 0
Location: ee
Posted: Sat Sep 10, 2016 10:54 pm
Detected this on my PC with fresh virusDB, in Java installcache. Good, bad, maybe? How to proceed... Ignore?
!OK, uploaded the 68 MB file to clamav as false positive. fingers crossed..

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Sun Sep 11, 2016 12:14 am
It may take Clam AV a while to correct a false positive signature. Did you check the file with Virus Total? If not, I suggest that you do so. Virus Total will send any false positives to the AV that detects it--this will probably make the signature more important to Clam AV.
Regards,

goldie
Joined: 10 Sep 2016
Posts: 0
Location: ee
Posted: Sun Sep 11, 2016 12:27 am
"This file was last analysed by VirusTotal on 2016-09-10 08:49:14 UTC (15 hours, 36 minutes ago) it was first analysed by VirusTotal on 2014-10-28 10:57:59 UTC. Detection ratio: 0/50"
Weird...

ROCKNROLLKID
Joined: 23 Sep 2013
Posts: 0
Location: **UNKNOWN**
Posted: Sun Sep 11, 2016 12:47 am
Is your ClamWin up-to-date? Do a manual update to make sure. I am pretty sure this was fixed some time ago.

goldie
Joined: 10 Sep 2016
Posts: 0
Location: ee
Posted: Sun Sep 11, 2016 1:24 pm
Downloaded and installed CW just yesterday, also checked that DB is up to date.

All times are GMT