Knowledgebase:
VPOP3AV Virus scanner false positive - Win.Exploit.CVE_2016_3316-1
Posted by Paul Smith on 10 August 2016 11:06 AM
> Today we have several incoming mails with attachments removed
> because of Win.Exploit.CVE_2016_3316-1 
> and one of our outbound emails was denied transmission for the
> same reason.
>
>
> Could this be a false positive? I can't get the Word doc to show as
> infected when scanned with either AVG or Windows Defender.

That exploit is a new one, so it could be a false positive, or it could be that AVG/Defender haven't been updated for it yet.

Looking around, it looks as if there has been a false positive situation found when creating documents using LibreOffice, so I don't know if you're doing that or using Microsoft Word. That should be fixed in an upcoming update.

If you didn't create it using LibreOffice then we'll need a sample so we can submit it as a false positive report. Put it in a password-protected ZIP file and send it to us and I'll get it submitted.

In the meantime, if you make a file 'whitelist.ign2' in the VPOP3\plugins\vpop3av\db folder and add the line

Win.Exploit.CVE_2016_3316-1

to it, then the virus scanner will ignore that virus signature.

A description of the exploit being detected is here: https://technet.microsoft.com/en-us/library/security/ms16-099.aspx
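The temporary whitelist step described above, as a PowerShell script. This is an added example, not part of the original article or the vendor's own tooling. The install path `C:\VPOP3` is an assumption, as is writing the file as plain ASCII with one signature name per line (Windows PowerShell's `>` and `Out-File` default to UTF-16, which a plain-text signature list is unlikely to tolerate). `-Remove` takes the entry back out once the corrected signature update has arrived.

```powershell
# Added example: idempotently add (or remove) a signature name in whitelist.ign2.
# $DbDir is an ASSUMED install location; point it at your own VPOP3 folder.
param(
    [string]$DbDir     = 'C:\VPOP3\plugins\vpop3av\db',
    [string]$Signature = 'Win.Exploit.CVE_2016_3316-1',
    [switch]$Remove    # use once the fixed signature update is installed
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $DbDir -PathType Container)) {
    throw "Database folder not found: $DbDir"
}
$path = Join-Path $DbDir 'whitelist.ign2'

# Load existing entries, trimming whitespace and dropping blank lines.
$entries = @()
if (Test-Path -LiteralPath $path -PathType Leaf) {
    $entries = @(Get-Content -LiteralPath $path |
                 ForEach-Object { $_.Trim() } |
                 Where-Object { $_ })
}

# Case-sensitive comparisons so only the exact signature name is touched.
if ($Remove) {
    $updated = @($entries | Where-Object { $_ -cne $Signature })
} elseif ($entries -ccontains $Signature) {
    $updated = $entries               # already whitelisted, nothing to add
} else {
    $updated = $entries + $Signature
}

if ($updated.Count -eq 0) {
    # Nothing left to ignore: remove the file rather than leave an empty one.
    if (Test-Path -LiteralPath $path) { Remove-Item -LiteralPath $path }
    Write-Output 'No signatures are being ignored.'
} else {
    # ASCII keeps the file free of a byte-order mark and UTF-16 encoding.
    Set-Content -LiteralPath $path -Value $updated -Encoding ASCII
    Write-Output "Signatures currently ignored ($path):"
    $updated | ForEach-Object { Write-Output "  $_" }
}
```

The printed list shows every signature the scanner is being told to ignore, which makes it easy to spot stale entries that should no longer be there.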