oconnb17 Posted April 8, 2021
Immunet detected Clam.Html.Exploit.CVE_2015_6075-2 on a Windows machine that does not have IE or Edge installed. Isn't this an IE exploit? Any other possible triggers or explanations for this? Thanks
ritchie58 Posted April 9, 2021
You are correct. This detection is normally associated with a vulnerability in Internet Explorer 11 and older versions or, to a lesser degree, some other browser's .css memory data file(s) being corrupted by a specifically crafted malicious web site. After the browser's memory files have been corrupted, that allows remote attackers to execute arbitrary code or cause a denial of service via a forced memory buffer overrun. It is possible then that the detection is genuine and associated with the browser you are currently using if a similar exploitable vulnerability exists. I'm weighing on the side of caution, but this could be just a False Positive by ClamAV. Speaking from experience, ClamAV does seem to get more than its fair share of FPs. Here's something that might be helpful. You could click on the underlined word Quarantine on the UI -> find the file(s) related to this issue and click on that -> to the right in the Details dialog window, see if those are .tmp (temporary) files. Actually, if you could upload a screenshot or two of the Details dialog window, that would be even better. If you have a newer version of Win 10 it does have an image 'Snipping Tool' included (just type snipping tool in the Search bar). I find this tool is 'less than perfect' to use, however. I use a free third-party app that is 'much better' than the Windows Snipping Tool! It's called FoxArc Screen Capture. This software is not new, but I got it installed on my Win 10 Pro x64 OS with no problems. Here's a link to download it if you want to give it a try. https://www.softpedia.com/get/Multimedia/Graphic/Graphic-Capture/FoxArc-Screen-Capture.shtml
oconnb17 (Author) Posted April 9, 2021
My quarantine failed. So I assume it's a live exploit in that machine given that it's unable to be quarantined (in use?).
ritchie58 Posted April 10, 2021
That's the reason why I asked for a screenshot, to see if it was just a .tmp file. I bet it was just a temporary file that your browser uses that no longer exists once the browser was closed. That's the reason for the Quarantine failing. There's no file to Quarantine anymore. With this new data you provided I firmly believe that "this is indeed a False Positive so you can breathe a little easier!" I would have been much more concerned if it wasn't a .tmp file. I would suggest you please take the time and submit a False Positive report to the Immunet team here. https://www.immunet.com/false_positive Since it was a detection by the ClamAV module, it's not a bad idea to submit an FP report directly to the ClamAV support team too. https://www.clamav.net/reports/fp By submitting these FP reports you'll be helping your fellow Immunet users who have to deal with the same issue. Best wishes, Ritchie...