It does not match the signature for Exploit.PDF.CVE_2009_4324. It’s looking for a two part signature:
In your document there are spaces in the string "/S /JavaScript /JS" which are not in the signature. Your document contains the string "media.newPlayer(null)" whereas the signature is looking for "this." in front of it.

Submit your document for possible addition of a new or revised signature.

-Al-

On Tue, Jul 28, 2015 at 03:01 AM, P K wrote:
>
> Hi Guys,
>
> Still waiting for an answer.
>
> On Thu, Jul 23, 2015 at 8:21 PM, P K <pkopen...@gmail.com> wrote:
>
>> Hi Guys,
>>
>> I am testing ClamAV on my local system to detect POST data from the network.
>> I am a newbie to ClamAV and want to test with real-time signatures.
>>
>> I tested with the EICAR test signature and it works fine.
>>
>> *But ClamAV is unable to detect CVE-2009-4324 with pdf.*
>>
>> I see the signature is present in daily.cld and, if extracted, it's present in
>> daily.ldb.
>> Gmail is able to detect the same pdf as a virus.
>>
>> Any help on what is wrong in my ClamAV system and how to fix it.
>>
>> $ clamscan ~/anti/eicar.com.txt
>> */home/pk/anti/eicar.com.txt: Eicar-Test-Signature FOUND*
>>
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 3898123
>> Engine version: 0.98.6
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 1
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 6.480 sec (0 m 6 s) <--------------- took 6sec to detect normal
>> virus
>>
>> $ clamscan ~/anti_new/virus/exploit.pdf
>>
>> */home/pk/anti_new/virus/exploit.pdf: OK*
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 3898123
>> Engine version: 0.98.6
>> Scanned directories: 0
>> Scanned files: 1
>> Infected files: 0
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 8.100 sec (0 m 8 s)
>>
>> I generated the above virus using this link -
>> http://www.decalage.info/exefilter_pdf_exploits
>>
>> I really want to learn ClamAV virus detection and try to enhance it.
>>
>> Thanks
>> --PK
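Added example, not part of the original thread and not ClamAV's own code: a small diagnostic that reports which part of a two-part literal signature a sample misses, next to a whitespace-tolerant form of the same two parts. The literal parts are assumptions reconstructed from the reply's description (the actual daily.ldb entry is not shown in the thread), "both parts must be present" is assumed, and the sample byte strings are constructed.

```python
import re

# Assumption: literals reconstructed from the reply (no spaces in the first
# part, "this." prefix on the second). The real daily.ldb entry is not shown.
STRICT_PARTS = {
    "js_action": b"/S/JavaScript/JS",
    "newplayer_call": b"this.media.newPlayer(null)",
}

# Tolerant forms: optional whitespace between PDF name tokens and an
# optional "this." receiver in front of the JavaScript call.
TOLERANT_PARTS = {
    "js_action": re.compile(rb"/S\s*/JavaScript\s*/JS"),
    "newplayer_call": re.compile(
        rb"(?:this\s*\.\s*)?media\s*\.\s*newPlayer\s*\(\s*null\s*\)"
    ),
}


def evaluate(data: bytes) -> dict:
    """Per-part hit/miss for both forms; a match needs every part (assumed AND)."""
    strict = {name: lit in data for name, lit in STRICT_PARTS.items()}
    tolerant = {name: bool(rx.search(data)) for name, rx in TOLERANT_PARTS.items()}
    return {
        "strict": strict,
        "strict_match": all(strict.values()),
        "tolerant": tolerant,
        "tolerant_match": all(tolerant.values()),
    }


# Constructed samples (fragments only, not complete PDF files).
SAMPLE_AS_SIGNATURE_EXPECTS = b"<</S/JavaScript/JS(this.media.newPlayer(null);)>>"
SAMPLE_FROM_THREAD = b"<< /S /JavaScript /JS (media.newPlayer(null);) >>"
SAMPLE_OTHER_JS = b"<< /S /JavaScript /JS (app.alert(1);) >>"

if __name__ == "__main__":
    samples = {
        "as signature expects": SAMPLE_AS_SIGNATURE_EXPECTS,
        "as described in thread": SAMPLE_FROM_THREAD,
        "other JavaScript action": SAMPLE_OTHER_JS,
    }
    for label, blob in samples.items():
        result = evaluate(blob)
        missed = [n for n, hit in result["strict"].items() if not hit]
        print(f"{label}: strict={result['strict_match']} "
              f"tolerant={result['tolerant_match']} strict_missed={missed}")
```
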