marjetika

What is CVE_2016_3271-2?


I'm getting this error:

    <some letters and numbers>.tmp has been detected as Clam.Html.Exploit.CVE_2016_3271-2. Quarantine failed.

I tried searching for the file name, but it doesn't exist.

There are two such hits, both listing a file with some random name, located in $HOME\AppData\Local\Temp - which doesn't exist.

Do I have a problem? Is it an FP?


I did some of my own research and found some troubling information regarding CVE-2016-3271. 

The VBScript engine in Microsoft Edge allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Scripting Engine Information Disclosure Vulnerability."

Were you using, or had you just closed, the Edge browser when this happened? If that's the case you may have accessed a malicious web site that accessed your browser!

More info regarding this vulnerability can be found at this www.security-database.com URL https://www.security-database.com/detail.php?alert=CVE-2016-3271

On 1/8/2021 at 2:47 AM, ritchie58 said:

Were you using, or had you just closed, the Edge browser when this happened? If that's the case you may have accessed a malicious web site that accessed your browser!

I don't know if I was using Edge. I do occasionally open it for testing.

I just downloaded the latest version of Immunet. Will that fix the problem?


Since you've posted two encounters with a quarantine response I still would highly recommend that you perform a "Full Scan" of your entire OS just to weigh on the side of caution. 

Also, with the Edge browser you can store log-in/password information to auto fill in that info next time you visit that site. If you were using that feature you might want to consider changing your log-in info for any sites you accessed & logged into with Edge.

Best wishes, Ritchie...

On 1/11/2021 at 4:07 PM, ritchie58 said:

Since you've posted two encounters with a quarantine response I still would highly recommend that you perform a "Full Scan" of your entire OS just to weigh on the side of caution. 

Also, with the Edge browser you can store log-in/password information to auto fill in that info next time you visit that site. If you were using that feature you might want to consider changing your log-in info for any sites you accessed & logged into with Edge.

Best wishes, Ritchie...

I perform a "Full Scan" every night. Also, I just installed the new version of Immunet again yesterday.

And this thing still keeps popping up.


Hi marjetika,

After a few other Immunet users reported the same detection not long ago I did a little more research about this possible exploit. I found out that this vulnerability in Edge was first reported all the way back in 2016! Given that fact I'm sure that Microsoft has issued a security patch for Edge by now.

Also since this is a ClamAV detection I advised that they report this False Positive directly to the ClamAV Support team. I would encourage you to do the same.

Here's a URL to Clam's FP reporting page. https://www.clamav.net/reports/fp

Since I'm now certain this detection is a 'False Positive' you could try to use the Restore feature next time it happens. That may or may not help though: since the file directories involved are .tmp (temporary) files, the Quarantine may fail, which makes it impossible to restore.

Another option would be to manually type in the exact file path of the detection to create a custom Exclusion rule with Immunet to stop the FP detections.

I don't think it's necessary to continue to run a Full Scan every night marjetika. Personally, I do a scheduled Flash Scan every day since it's fast and looks at the most critical areas of your OS that malware likes to hide in. I only run a Full Scan on occasion or if I observe suspicious activity that warrants further investigation.

I hope this info helps,
Ritchie...
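As an added example (not from this thread, and not Immunet's or ClamAV's own code): a small Python triage helper for alert lines in the format quoted at the top of the thread. It splits the ClamAV signature name into its Platform.Category.Name-Revision components (assumed naming convention), turns the `CVE_2016_3271` name into the CVE ID discussed above, notes whether the flagged file is in a transient Temp directory and whether it still exists, and decides whether a sample can be attached to a ClamAV false-positive report or only the signature and path can be reported. The `Clam.` prefix handling, the transient-directory list, the action labels and the alert lines themselves are constructed assumptions.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Alert wording as quoted in the thread; the regex assumes the
# "<path> has been detected as <signature>. Quarantine <result>." layout.
ALERT_RE = re.compile(
    r"^(?P<path>.+?) has been detected as (?P<sig>[\w.-]+?)\.?"
    r"(?:\s+Quarantine (?P<quarantine>succeeded|failed)\.?)?\s*$"
)

# ClamAV names are Platform.Category.Name-Revision; the leading "Clam."
# is assumed to be Immunet's marker for a ClamAV engine hit.
CVE_NAME_RE = re.compile(r"^CVE_(\d{4})_(\d{4,})$")

# Directories that only hold transient files (constructed list); a hit
# there is often deleted before anyone can collect the sample.
TRANSIENT_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class Triage:
    path: str
    signature: str
    platform: Optional[str]
    category: Optional[str]
    name: str
    revision: Optional[str]
    cve: Optional[str]
    quarantine: Optional[str]
    transient_location: bool
    file_present: bool
    action: str


def parse_signature(sig: str):
    """Split 'Clam.Html.Exploit.CVE_2016_3271-2' into ClamAV components."""
    body = sig[len("Clam."):] if sig.startswith("Clam.") else sig
    parts = body.split(".")
    if len(parts) < 3:
        # Not in the expected three-part form; keep the raw name only.
        return None, None, body, None, None
    platform, category, name_rev = parts[0], parts[1], ".".join(parts[2:])
    name, _, revision = name_rev.rpartition("-")
    if not name:  # no "-Revision" suffix present
        name, revision = name_rev, ""
    m = CVE_NAME_RE.match(name)
    cve = f"CVE-{m.group(1)}-{m.group(2)}" if m else None
    return platform, category, name, (revision or None), cve


def triage(alert_line: str) -> Optional[Triage]:
    """Parse one alert line and decide what an FP report can include."""
    m = ALERT_RE.match(alert_line.strip())
    if not m:
        return None
    path, sig, quarantine = m.group("path"), m.group("sig"), m.group("quarantine")
    platform, category, name, revision, cve = parse_signature(sig)
    transient = any(d in path.lower() for d in TRANSIENT_DIRS)
    present = os.path.exists(path)
    if present:
        action = "collect_sample_and_submit_fp_report"
    elif transient:
        # The .tmp file is gone: only the signature name, path and
        # scanner log can go into the report.
        action = "sample_gone_report_signature_and_path"
    else:
        action = "investigate_missing_file"
    return Triage(path, sig, platform, category, name, revision, cve,
                  quarantine, transient, present, action)


def triage_all(lines: List[str]) -> List[Triage]:
    """Triage a batch of alert lines, skipping lines that do not parse."""
    return [t for t in (triage(l) for l in lines) if t is not None]


if __name__ == "__main__":
    # Constructed sample alerts in the wording quoted in the thread.
    samples = [
        r"C:\Users\user\AppData\Local\Temp\a8f1c2.tmp has been detected as "
        r"Clam.Html.Exploit.CVE_2016_3271-2. Quarantine failed.",
        r"C:\Users\user\AppData\Local\Temp\9b0d7e.tmp has been detected as "
        r"Clam.Html.Exploit.CVE_2016_3271-2. Quarantine failed.",
    ]
    for t in triage_all(samples):
        print(t.cve, t.revision, t.quarantine, t.action)
```

The `action` field is what a support reply would ask for: if the file is still on disk it can be attached to the ClamAV false-positive report; if it lived in a Temp directory and is already gone, the report can only carry the signature name and path, which matches the situation described in this thread.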


Hey Dad,

Like I suggested to marjetika please submit a False Positive report to the ClamAV Support team at the included link I provided in my last thread to this topic.

Still using Win 7? I'm sure you're aware that Microsoft stopped all support, including security patches, for this platform well over a year ago now. That leaves your computer increasingly vulnerable to hackers, zero-day attacks, ransomware, viruses & other forms of malware as time progresses. You should seriously consider upgrading your OS to Win 10 Dad.

I went from 7 to 10 & the transition wasn't as difficult as I thought it might be. Then again, going from one OS to another isn't really anything new to me since my very first PC had Windows ME installed. That seems like another lifetime ago, lol!

Regards, Ritchie...

