ClamAV Scan found the virus Html.Exploit.CVE_2016_0108 on a .css file. What are the risks? How do I remove the code from the file? Thanks for any help.
3 Answers
ClamAV is notorious for false positives and there is no way to "remove the code from the file" - your only option is to manually review the file yourself or delete the file.
When you get a positive, you need to Google search for information
Which gets to - https://clamxav.com/BB/viewtopic.php?p=17793
Up to you to trust that thread or do more research ...
If you need help, read the message / warning from ClamAV or post the exact message you're getting. You can pastebin the file and perhaps someone will review it.
See https://help.ubuntu.com/community/ClamAV
ClamAV doesn't disinfect the files
See also How do I scan for viruses with ClamAV? and http://www.clamav.net/documents/miscellaneous-faq
Can ClamAV disinfect files?
No, it can’t.
I received the same alert regarding a few CSS files we had on our server starting yesterday morning. I was unable to get any help since this appears to be a new issue. I've come to the conclusion there is no fix except to white list this signature.
Doing some Googlin' I found that this has to do with an IE 11 vulnerability.
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0108
http://www.scip.ch/en/?vuldb.81247
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0108
There doesn't seem to be a way to fix this. You can create a white list of virus signatures in the event of false positives. I don't think I'm going to run IE 11 on my Ubuntu server any time soon, so it's safe to say you can ignore Html.Exploit.CVE_2016_0108.
Following the instructions here I was able to successfully create an ignore list for ClamAV
http://sysnet-adventures.blogspot.com/2013/05/whitelist-files-with-clamav.html
Create an ignore file using an editor of your choice; I'm using pico (.ign2 indicates the new format, http://pig.made-it.com/clamav.html)
pico /var/lib/clamav/whitelist-signatures.ign2
And insert the signature
# /var/lib/clamav/whitelist-signatures.ign2
Html.Exploit.CVE_2016_0108
Then run a scan
sudo clamscan -r -i /path/to/dir/
You should see Infected files: 0
- 123
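An added example, not part of the answers above: an .ign2 entry silences that signature for every file the scanner sees, so it is worth listing exactly which files matched before adding it. The shell sketch below does that over saved clamscan output and then appends the signature to an ignore list only once; the sample log, its paths, the second signature name and the helper names `files_for_signature` and `add_ignore` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `clamscan -r -i` output; the paths and the second
# signature name are made up for this example.
SAMPLE_LOG='/var/www/site/cache/autoptimize_1.css: Html.Exploit.CVE_2016_0108 FOUND
/var/www/site/cache/autoptimize_2.css: Html.Exploit.CVE_2016_0108 FOUND
/var/www/site/uploads/form.php: Constructed.Other.Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 3'

# files_for_signature SIG (hypothetical helper): read clamscan output on
# stdin and print every path whose hit line is "<path>: SIG FOUND".
# Plain string comparison is used so the dots in SIG stay literal, and the
# match is taken from the end of the line so a path containing ": " works.
files_for_signature() {
    awk -v sig="$1" '
        / FOUND$/ {
            line = substr($0, 1, length($0) - 6)   # drop trailing " FOUND"
            tail = ": " sig
            n = length(line) - length(tail)
            if (n > 0 && substr(line, n + 1) == tail)
                print substr(line, 1, n)
        }'
}

# add_ignore SIG FILE (hypothetical helper): append SIG to the ignore list
# FILE unless that exact line is already there.
add_ignore() {
    [ -n "$1" ] || return 1
    touch "$2" || return 1
    grep -qxF -- "$1" "$2" || printf '%s\n' "$1" >> "$2"
}

# Demo: review the matches, then write to a temporary file rather than
# /var/lib/clamav so nothing on the system is changed.
ign=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" | files_for_signature Html.Exploit.CVE_2016_0108
add_ignore Html.Exploit.CVE_2016_0108 "$ign"
add_ignore Html.Exploit.CVE_2016_0108 "$ign"   # second call adds nothing
cat "$ign"
rm -f "$ign"
```

If anything other than the expected CSS files shows up in the list, review those files before ignoring the signature.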
It seems most agree these are false positives, so best approach would be to submit them as such at http://www.clamav.net/reports/fp
I already did so for a couple of examples I was able to collect in Autoptimize's (CSS & JS optimizer for WordPress) thread on that topic.
frank
- 111