oconnb17

Clam.Html.Exploit.CVE_2015_6075-2 detected w/o IE?


Immunet detected Clam.Html.Exploit.CVE_2015_6075-2 on a Windows machine that does not have IE or Edge installed.

Isn't this an IE exploit?

Any other possible triggers or explanations for this?

Thanks


You are correct. This detection is normally associated with a vulnerability with Internet Explorer 11 & older versions or, to a lesser degree, some other browser's .css memory data file(s) being corrupted by a specifically crafted malicious web site.

After the browser's memory files have been corrupted, that allows remote attackers to execute arbitrary code or cause a denial of service via a forced memory buffer overrun.

It is possible then that the detection is genuine and associated with the browser you actually are currently using if a similar exploitable vulnerability exists.

I'm weighing on the side of caution but this could be just a False Positive by ClamAV. Speaking from experience, ClamAV does seem to get more than its fair share of FPs.

Here's something that might be helpful. You could click on the underlined word Quarantine on the UI -> find the file(s) related to this issue and click on that -> to the right in the Details dialog window see if those are .tmp (temporary) files.

Actually, if you could upload a screenshot or two of the Details dialog window, that would be even better.

If you have a newer version of Win 10 it does have an image 'Snipping Tool' included (just type snipping tool in the Search bar). I find this tool is 'less than perfect' to use however.

I use a free third-party app that is 'much better' than the Windows Snipping Tool! It's called FoxArc Screen Capture. This software is not new but I got it installed on my Win 10 Pro x64 OS with no problems.

Here's a link to download it if you want to give it a try. https://www.softpedia.com/get/Multimedia/Graphic/Graphic-Capture/FoxArc-Screen-Capture.shtml


That's the reason why I asked for a screenshot, to see if it was just a .tmp file. I bet it was just a temporary file that your browser uses that no longer exists once the browser was closed. That's the reason for the Quarantine failing. There's no file to Quarantine anymore.

With this new data you provided I firmly believe that "this is indeed a False Positive so you can breathe a little easier!" I would have been much more concerned if it wasn't a .tmp file.

I would suggest you please take the time & submit a False Positive report to the Immunet team here. https://www.immunet.com/false_positive

Since it was a detection by the ClamAV module it's not a bad idea to submit a FP report directly to the ClamAV support team too. https://www.clamav.net/reports/fp

By submitting these FP reports you'll be helping your fellow Immunet users who have to deal with the same issue.

Best wishes, Ritchie...

