Hi,

I'm now getting some other signed PDFs matched by
Pdf.Exploit.CVE_2017_3039-6300177-2

As with the Pdf.Exploit.CVE_2017_3039-6300177-0 it only happens using
the daemon and not clamscan.

Regards
Giuseppe

On 02/05/2017 09:46, Al Varnell wrote:
> I see there is a rewrite in daily 23349 that just posted:
> 
>> VIRUS NAME: Pdf.Exploit.CVE_2017_3039-6300177-2
>> TDB: Engine:81-255,Target:10
>> LOGICAL EXPRESSION: 0&1&2=0
>>  * SUBSIG ID 0
>>  +-> OFFSET: ANY
>>  +-> SIGMOD: NONE
>>  +-> DECODED SUBSIGNATURE:
>> /Adobe.PPKLite/Location{WILDCARD_ANY_STRING(LENGTH<=290)}/SubFilter
>>  * SUBSIG ID 1
>>  +-> OFFSET: ANY
>>  +-> SIGMOD: NONE
>>  +-> DECODED SUBSIGNATURE:
>> /Sig
>>  * SUBSIG ID 2
>>  +-> OFFSET: ANY
>>  +-> SIGMOD: NONE
>>  +-> DECODED SUBSIGNATURE:
>>      +-> TRIGGER: 0&1
>>      +-> REGEX: \x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig
>>      +-> CFLAGS: sm
> 
> -Al-
> 
> On Tue, May 02, 2017 at 12:38 AM, Al Varnell wrote:
>>
>> It never appeared on a daily as being dropped, but when I checked on 
>> Saturday and again just now, I can't find it:
>>
>>> $ sigtool --find Pdf.Exploit.CVE_2017_3039-6300177-0
>>> $ 
>>
>> I don't think it is related, but there was an issue with DNS that stopped 
>> all updates after 23343 late Saturday until mid morning Monday Pacific Time.
>>
>> -Al-
>>
>> On Tue, May 02, 2017 at 12:27 AM, Vladislav Kurz wrote:
>>>
>>> Hello,
>>>
>>> did you really drop the signature?
>>>
>>> During the weekend scan (clamscan), we got 45 false positives. According
>>> to the file names, they seem to be signed official PDF documents from the government.
>>>
>>> On 04/28/17 17:16, Christopher Marczewski wrote:
>>>> Thanks for the reports. We'll be modifying the signature.
>>>>
>>>> In the interim, I've dropped the current signature.
>>>>
>>>> On Fri, Apr 28, 2017 at 11:01 AM, Vladislav Kurz 
>>>> <vladislav.k...@webstep.net
>>>>> wrote:
>>>>
>>>>> I have the same problem, and already submitted a false positive report.
>>>>> In our case it was a signed PDF, so I suspect that the signature makes
>>>>> it FP. But I have no idea how to work around it now. Maybe disable pdf
>>>>> scanning?
>>>>>
>>>>> On 04/28/17 16:47, Giuseppe Ravasio wrote:
>>>>>> Hi,
>>>>>> since this morning's daily signature update 23337,
>>>>>> and even with the latest one, 23338,
>>>>>> my amavis flags some emails with PDF attachments as a virus:
>>>>>> Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>>>>
>>>>>> Checking the PDF with other AVs and even with clamscan (on the same
>>>>>> server) results in a clean file:
>>>>>>
>>>>>> beppe@thot:/tmp$ clamscan TCA.pdf
>>>>>> TCA.pdf: OK
>>>>>>
>>>>>> ----------- SCAN SUMMARY -----------
>>>>>> Known viruses: 6272759
>>>>>> Engine version: 0.99.2
>>>>>> Scanned directories: 0
>>>>>> Scanned files: 1
>>>>>> Infected files: 0
>>>>>> Data scanned: 0.22 MB
>>>>>> Data read: 0.08 MB (ratio 2.71:1)
>>>>>> Time: 17.277 sec (0 m 17 s)
>>>>>>
>>>>>> if I check the file with clamdscan I get the virus found:
>>>>>> beppe@thot:/tmp$ clamdscan TCA.pdf
>>>>>> /tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>>>>
>>>>>> ----------- SCAN SUMMARY -----------
>>>>>> Infected files: 1
>>>>>> Time: 0.032 sec (0 m 0 s)
>>>>>>
>>>>>> Any hints on how to solve the problem?
>>>>>>
>>>>>> Thanks
>>>>>> Giuseppe
>>>>>> _______________________________________________
>>>>>> clamav-users mailing list
>>>>>> clamav-users@lists.clamav.net
>>>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>>>>
>>>>>>
>>>>>> Help us build a comprehensive ClamAV guide:
>>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>>
>>>>>> http://www.clamav.net/contact.html#ml
>>>>>>
>>>>>
>>>>>
>>
>> -Al-
> 
> -Al-
> 
> 
> 
> 
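The three subsignatures of Pdf.Exploit.CVE_2017_3039-6300177-2 as Al quoted them, re-implemented in Python and run over constructed PDF signature dictionaries. This is an added example written for this page; it is not ClamAV code and not something anyone in the thread posted. Assumptions made here: the ClamAV wildcard {WILDCARD_ANY_STRING(LENGTH<=290)} is rendered as `.{0,290}` with DOTALL, the PCRE flags `sm` as `re.S | re.M`, and the sample dictionaries (key order, Location, Reason, Contents) are invented to resemble what an Adobe.PPKLite signature handler writes. Only the per-subsignature hits and the PCRE TRIGGER rule (subsig 2 is evaluated only after subsigs 0 and 1 hit) are modelled; the final LOGICAL EXPRESSION is not evaluated. Two things the listing shows that the raw signature does not: every standard ISO 32000-1 SubFilter value (adbe.pkcs7.detached, adbe.pkcs7.sha1, adbe.x509.rsa_sha1) satisfies all three subsigs, i.e. an ordinary signed PDF is enough, and subsig 0 needs "/Adobe.PPKLite/Location" with no whitespace between the two keys, so the same dictionary written with spaces never triggers the PCRE at all.

```python
import re

# Subsig 0 as decoded: the literal "/Adobe.PPKLite/Location", then up to 290
# arbitrary bytes, then the literal "/SubFilter". No whitespace is tolerated
# between "/Adobe.PPKLite" and "/Location" (assumption: the wildcard maps to
# a DOTALL ".{0,290}").
SUBSIG0 = re.compile(rb"/Adobe\.PPKLite/Location.{0,290}/SubFilter", re.S)

# Subsig 1: the literal "/Sig" anywhere in the file.
SUBSIG1 = re.compile(rb"/Sig")

# Subsig 2: the PCRE exactly as listed; CFLAGS "sm" assumed to be DOTALL+MULTILINE.
SUBSIG2 = re.compile(
    rb"\x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig",
    re.S | re.M,
)

# The SubFilter names ISO 32000-1 defines for ordinary PDF signatures.
STANDARD_SUBFILTERS = (
    b"adbe.pkcs7.detached",
    b"adbe.pkcs7.sha1",
    b"adbe.x509.rsa_sha1",
)


def make_sigdict(subfilter: bytes, spaced: bool = False) -> bytes:
    """Constructed (not captured) signature dictionary in the key order an
    Adobe.PPKLite handler typically writes. spaced=True inserts a space
    between every key and value, as some producers do."""
    sep = b" " if spaced else b""
    entries = [
        (b"/Filter", b"/Adobe.PPKLite"),
        (b"/Location", b"(Roma)"),
        (b"/M", b"(D:20170428100000+02'00')"),
        (b"/Reason", b"(Documento firmato)"),
        (b"/SubFilter", b"/" + subfilter),
        (b"/Type", b"/Sig"),
        (b"/Contents", b"<3082" + b"00" * 8 + b">"),  # placeholder CMS blob
        (b"/ByteRange", b"[0 1020 3040 5060]"),
    ]
    return b"<<" + sep.join(k + sep + v for k, v in entries) + b">>"


# Constructed unsigned PDF fragment for comparison.
UNSIGNED_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n%%EOF\n"


def subsig_hits(data: bytes) -> dict:
    """Report which subsignatures hit. Subsig 2 carries TRIGGER 0&1, so the
    PCRE is only run once both subsig 0 and subsig 1 have matched."""
    hits = {
        0: SUBSIG0.search(data) is not None,
        1: SUBSIG1.search(data) is not None,
    }
    hits[2] = bool(hits[0] and hits[1] and SUBSIG2.search(data))
    return hits


def subfilter_of(data: bytes):
    """The SubFilter name the PCRE's second capture group pulls out
    (None when the PCRE does not match)."""
    m = SUBSIG2.search(data)
    return None if m is None else b"adbe." + m.group(2).rstrip()


if __name__ == "__main__":
    for sf in STANDARD_SUBFILTERS:
        print(sf.decode(),
              "compact:", subsig_hits(make_sigdict(sf)),
              "spaced:", subsig_hits(make_sigdict(sf, spaced=True)))
    print("unsigned:", subsig_hits(UNSIGNED_PDF))
```

To try it against a real file, read the PDF as bytes and pass it to subsig_hits(); a hit on all three subsigs from a document you know is merely signed is the false-positive pattern the thread describes, and the whitespace sensitivity of subsig 0 explains why only some producers' files are affected.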