On 01/10/2013 04:16 AM, news mq wrote:
sorry
I am perhaps a bit thick!!! :-)
Is the virus BC.Exploit.CVE_2012_0165 CERTAINLY a false positive????
Is it not CERTAINLY dangerous for the PC of my colleague?
but it still remains a problem: my colleague....
1) opens a blank Word document
2) saves it and sends it to x...@kataweb.it (Italian email service
provider) or to my mail server (with ClamAV) => the message will be
blocked!!!!
(with gmail, hotmail the attachment is forwarded properly without block)
Is there a remover for this ..... ??? (if it is not a virus... what is it
called???)
thank you for your patience
max
Hi Max,
From your description, it is something that is being inserted into the
document via the Normal.dot template. There are numerous MS Office
malware that infect the default document templates. Normal.dot is the
standard template for a new, blank document. If it is a false positive,
other AV software will not detect and clean the Normal.dot template.
Here is what I would do to test and resolve:
* If you have another machine that creates un-infected documents,
locate the Normal.dot template on that machine and copy it.
* On the infected machine, locate all copies of Normal.dot and
rename or delete them, whichever is your preference.
* If you have an un-infected Normal.dot from another machine, copy
it to the template folder AND make it read-only. If you do not
have an un-infected Normal.dot from another machine, using
Notepad, create a blank document and save as Normal.dot in the
template folder. Then make it read-only.
To test after you have a clean Normal.dot or created a blank one using
Notepad, start WinWord and save a blank document. Then email it and see
if it is reported as infected. I would suspect it will be clean. When
you then close WinWord, it will complain that the Normal.dot is
read-only but you can ignore that for now. If the emailed document is
clean, you can then remove the read-only on Normal.dot and repeat the
test and see if MS Office is writing something to the .dot files that is
either in fact malware or a false positive that is being detected. On
Office documents, the insertion of any macro into a document via the
template will trigger a detection even if the macro is benign.
--
Jim Preston
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
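
The locate, rename and replace steps from the reply above, as an added PowerShell example that is not part of the original thread. The search root, the `.suspect-` suffix and the parameter names are assumptions; without `-Apply` it only lists the templates it finds with their SHA-256 hashes.

```powershell
# Added example (not from the thread). Parameter names and paths are assumptions.
param(
    [string]$SearchRoot = $env:APPDATA,  # assumed parent of the Word Templates folder
    [string]$CleanCopy  = '',            # optional known-good template from another machine
    [switch]$Apply                       # report only unless this switch is given
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Word rewrites its template on exit, so it must be closed first.
if (Get-Process -Name WINWORD -ErrorAction SilentlyContinue) {
    Write-Warning 'WinWord is running; close it and run the script again.'
    return
}

# Step 1: locate every copy of the template.
# Normal.dotm is the file name used by Word 2007 and later.
$templates = Get-ChildItem -Path $SearchRoot -Recurse -Force -File `
    -Include 'Normal.dot', 'Normal.dotm' -ErrorAction SilentlyContinue

foreach ($t in $templates) {
    # Record a hash before touching the file, so the suspect copy can be
    # matched against scanner results later.
    $hash = (Get-FileHash -LiteralPath $t.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path     = $t.FullName
        SHA256   = $hash
        Modified = $t.LastWriteTime
    }

    if (-not $Apply) { continue }

    # Step 2: rename instead of deleting, so the original stays available
    # for scanning with other AV software.
    $t.IsReadOnly = $false
    Rename-Item -LiteralPath $t.FullName -NewName "$($t.Name).suspect-$stamp" -Force

    # Step 3: put the known-good copy in place and make it read-only.
    # Without -CleanCopy the template is only renamed.
    if ($CleanCopy -and ($t.Name -eq (Split-Path $CleanCopy -Leaf))) {
        Copy-Item -LiteralPath $CleanCopy -Destination $t.FullName
        Set-ItemProperty -LiteralPath $t.FullName -Name IsReadOnly -Value $true
    }
}
```

The renamed `.suspect-` files can be scanned separately to compare verdicts before they are deleted.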