
ClamAV Scan found the virus Html.Exploit.CVE_2016_0108 on a .css file. What are the risks? How do I remove the code from the file? Thanks for any help.

Vishnu N K
  • in a CSS?! How is that supposed to infect your system? Can anyone explain the concept? – Rinzwind Mar 09 '16 at 17:58
  • CSS stylesheet files are used in web-browsers for formatting. Technically they are harmless, unless that file is masquerading itself with that .css extension. I would open the file in a text editor and just read the source code for potential threats. Otherwise, really nothing to worry about – Sergiy Kolodyazhnyy Mar 09 '16 at 18:05
  • and since Linux does not really care about extensions .... Oh: and Windows only-> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0108 – Rinzwind Mar 09 '16 at 18:19
  • What CSS file was that Fernando? I'm Autoptimize's developer and have 2 users reporting this problem with the aggregated/optimized CSS and would like to investigate (and possibly submit this as a false positive, if/when confirmed). – futtta Mar 10 '16 at 09:07

3 Answers


ClamAV is notorious for false positives and there is no way to "remove the code from the file" - your only option is to manually review the file yourself or delete the file.

When you get a positive, you need to google search for information

http://bfy.tw/4fKd

Which gets to - https://clamxav.com/BB/viewtopic.php?p=17793

Up to you to trust that thread or do more research ...

If you need help, read the message / warning from ClamAV or post the exact message you're getting. You can pastebin the file and perhaps someone will review it.

See https://help.ubuntu.com/community/ClamAV

ClamAV doesn't disinfect the files

See also How do I scan for viruses with ClamAV? and http://www.clamav.net/documents/miscellaneous-faq

Can ClamAV disinfect files?

No, it can’t.

Panther

I received the same alert regarding a few CSS files we had on our server starting yesterday morning. I was unable to get any help since this appears to be a new issue. I've come to the conclusion there is no fix except to white list this signature.

Doing some Googlin' I found that this has to do with an IE 11 vulnerability.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0108

http://www.scip.ch/en/?vuldb.81247

https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-0108

There doesn't seem to be a way to fix this. You can create a whitelist of virus signatures in the event of false positives. I don't think I'm going to run IE 11 on my Ubuntu server any time soon, so it's safe to say you can ignore Html.Exploit.CVE_2016_0108

Following the instructions here I was able to successfully create an ignore list for ClamAV

http://sysnet-adventures.blogspot.com/2013/05/whitelist-files-with-clamav.html

Create an ignore file using an editor of your choice; I'm using pico (.ign2 indicates the new format, see http://pig.made-it.com/clamav.html )

pico /var/lib/clamav/whitelist-signatures.ign2

And insert the signature

# /var/lib/clamav/whitelist-signatures.ign2
Html.Exploit.CVE_2016_0108

Then run a scan

sudo clamscan -r -i /path/to/dir/

You should see Infected files: 0

Eko3alpha
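The whitelisting procedure above, as an added shell example (not part of the answer): one function keeps the .ign2 file idempotent and refuses malformed signature names, the other parses clamscan's "Infected files:" summary line so a cron job can alert only on a non-zero count. The file path and function names are assumptions.

```shell
#!/bin/sh
# Added example: maintain a ClamAV .ign2 whitelist and check a scan result.
# Assumes the .ign2 file lives in the database directory (/var/lib/clamav),
# where clamscan loads it alongside the signature databases.
set -eu

# Append a signature name to an .ign2 file unless it is already listed.
# .ign2 format: one signature name per line, lines starting with '#' are comments.
# Returns 0 when added, 1 when already present, 2 when the name is malformed.
# Usage: add_ign2_entry /var/lib/clamav/whitelist-signatures.ign2 Html.Exploit.CVE_2016_0108
add_ign2_entry() {
    ign2_file=$1
    signature=$2
    # A signature name is a single token; reject empty names or embedded whitespace,
    # which would silently produce an entry that never matches.
    case "$signature" in
        ''|*[[:space:]]*) echo "invalid signature name: '$signature'" >&2; return 2 ;;
    esac
    [ -f "$ign2_file" ] || : > "$ign2_file"
    # -x matches whole lines, -F treats the name literally (dots are not wildcards)
    if grep -qxF "$signature" "$ign2_file"; then
        return 1
    fi
    printf '%s\n' "$signature" >> "$ign2_file"
}

# Read clamscan output on stdin and print N from its "Infected files: N" summary line.
infected_count() {
    sed -n 's/^Infected files: \([0-9][0-9]*\)$/\1/p'
}

# Recursive scan printing only infected files (-i); the whitelist in
# /var/lib/clamav is applied automatically. Prints the infected count.
# Usage: scan_infected_count /path/to/dir/
scan_infected_count() {
    clamscan -r -i "$1" | infected_count
}
```

After removing a whitelist entry once a corrected signature database has shipped, re-run the scan and confirm the count is still 0, as the comment thread below does.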

It seems most agree these are false positives, so best approach would be to submit them as such at http://www.clamav.net/reports/fp

I already did so for a couple of examples I was able to collect in Autoptimize's (CSS & JS optimizer for WordPress) thread on that topic.

frank

futtta
  • Oh nice! This is certainly a better approach, but in the meantime I'll be whitelisting. I don't need any more calls wondering why we're getting these infection alerts via email! I also provided our sample CSS files that were triggering the false positives. Thanks for the link! – Eko3alpha Mar 10 '16 at 18:34
  • @Eko3alpha; just had a confirmation mail from ClamAV, pretty vague though. Would be great if you could confirm tomorrow if your CSS files are still being flagged? – futtta Mar 11 '16 at 19:21
  • I removed Html.Exploit.CVE_2016_0108 from the whitelist and ran the scan. I can confirm that the CSS files no longer trigger a false positive! – Eko3alpha Mar 11 '16 at 19:27