Hi, I'm now getting some other signed pdf matched by Pdf.Exploit.CVE_2017_3039-6300177-2
As with Pdf.Exploit.CVE_2017_3039-6300177-0, it only happens using the daemon and not clamscan.

Regards
Giuseppe

On 02/05/2017 09:46, Al Varnell wrote:
> I see there is a rewrite in daily 23349 that just posted:
>
>> VIRUS NAME: Pdf.Exploit.CVE_2017_3039-6300177-2
>> TDB: Engine:81-255,Target:10
>> LOGICAL EXPRESSION: 0&1&2=0
>> * SUBSIG ID 0
>> +-> OFFSET: ANY
>> +-> SIGMOD: NONE
>> +-> DECODED SUBSIGNATURE:
>> /Adobe.PPKLite/Location{WILDCARD_ANY_STRING(LENGTH<=290)}/SubFilter
>> * SUBSIG ID 1
>> +-> OFFSET: ANY
>> +-> SIGMOD: NONE
>> +-> DECODED SUBSIGNATURE:
>> /Sig
>> * SUBSIG ID 2
>> +-> OFFSET: ANY
>> +-> SIGMOD: NONE
>> +-> DECODED SUBSIGNATURE:
>> +-> TRIGGER: 0&1
>> +-> REGEX: \x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig
>> +-> CFLAGS: sm
>
> -Al-
>
> On Tue, May 02, 2017 at 12:38 AM, Al Varnell wrote:
>>
>> It never appeared on a daily as being dropped, but when I checked on
>> Saturday and again just now, I can't find it:
>>
>>> $ sigtool --find Pdf.Exploit.CVE_2017_3039-6300177-0
>>> $
>>
>> I don't think it is related, but there was an issue with DNS that stopped
>> all updates after 23343 late Saturday until mid morning Monday Pacific Time.
>>
>> -Al-
>>
>> On Tue, May 02, 2017 at 12:27 AM, Vladislav Kurz wrote:
>>>
>>> Hello,
>>>
>>> did you really drop the signature?
>>>
>>> During the weekend scan (clamscan), we got 45 false positives. According
>>> to file names, they seem to be signed official PDF documents from government.
>>>
>>> On 04/28/17 17:16, Christopher Marczewski wrote:
>>>> Thanks for the reports. We'll be modifying the signature.
>>>>
>>>> In the interim, I've dropped the current signature.
>>>>
>>>> On Fri, Apr 28, 2017 at 11:01 AM, Vladislav Kurz
>>>> <vladislav.k...@webstep.net> wrote:
>>>>
>>>>> I have the same problem, and already submitted a false positive report.
>>>>> In our case it was a signed PDF, so I suspect that the signature makes
>>>>> it FP. But I have no idea how to work around it now. Maybe disable pdf
>>>>> scanning?
>>>>>
>>>>> On 04/28/17 16:47, Giuseppe Ravasio wrote:
>>>>>> Hi,
>>>>>> since this morning daily signature update 23337
>>>>>> and even with the latest one 23338
>>>>>> my amavis flags some emails with PDF attachments as virus:
>>>>>> Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>>>>
>>>>>> Checking the PDF with other AVs and even with clamscan (on the same
>>>>>> server) results in a clean file:
>>>>>>
>>>>>> beppe@thot:/tmp$ clamscan TCA.pdf
>>>>>> TCA.pdf: OK
>>>>>>
>>>>>> ----------- SCAN SUMMARY -----------
>>>>>> Known viruses: 6272759
>>>>>> Engine version: 0.99.2
>>>>>> Scanned directories: 0
>>>>>> Scanned files: 1
>>>>>> Infected files: 0
>>>>>> Data scanned: 0.22 MB
>>>>>> Data read: 0.08 MB (ratio 2.71:1)
>>>>>> Time: 17.277 sec (0 m 17 s)
>>>>>>
>>>>>> If I check the file with clamdscan I get the virus found:
>>>>>> beppe@thot:/tmp$ clamdscan TCA.pdf
>>>>>> /tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>>>>
>>>>>> ----------- SCAN SUMMARY -----------
>>>>>> Infected files: 1
>>>>>> Time: 0.032 sec (0 m 0 s)
>>>>>>
>>>>>> Any hints on how to solve the problem?
>>>>>>
>>>>>> Thanks
>>>>>> Giuseppe
>>>>>> _______________________________________________
>>>>>> clamav-users mailing list
>>>>>> clamav-users@lists.clamav.net
>>>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>>>>
>>>>>> Help us build a comprehensive ClamAV guide:
>>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>>
>>>>>> http://www.clamav.net/contact.html#ml
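The logical signature Al quotes above, evaluated in an added Python approximation written for this page; it is not ClamAV code and not from anyone on the thread. It turns the three decoded subsignatures into regular expressions (the `{WILDCARD_ANY_STRING(LENGTH<=290)}` wildcard becomes `.{0,290}?`, and CFLAGS `sm` are taken as DOTALL and MULTILINE, both assumptions) and evaluates `0&1&2=0` as "subsig 0 and subsig 1 present, subsig 2 matched zero times", which is my reading of the count comparison. The two signature dictionaries are constructed samples, not the PDFs from the reports. They show why a clause like `2=0` is fragile on legitimately signed files: the same `/Adobe.PPKLite` signature dictionary hits or misses depending only on whether `/Type /Sig` is written before or after `/SubFilter`, an ordering PDF writers are free to choose.

```python
import re

# Subsignatures transcribed from the sigtool --decode-sigs output quoted in the thread,
# rewritten as Python regexes. This is an approximation of ClamAV's matcher for
# illustration only (wildcard and flag translations are assumptions).
SUBSIGS = {
    0: re.compile(rb"/Adobe\.PPKLite/Location.{0,290}?/SubFilter", re.S),
    1: re.compile(rb"/Sig"),
    2: re.compile(rb"\x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig",
                  re.S | re.M),
}


def subsig_counts(data: bytes) -> dict:
    """Count how many times each subsignature matches in the scanned bytes."""
    return {sid: len(rx.findall(data)) for sid, rx in SUBSIGS.items()}


def lsig_matches(data: bytes) -> bool:
    """Evaluate LOGICAL EXPRESSION 0&1&2=0.

    Read here (my interpretation of the count comparison) as:
    subsig 0 present AND subsig 1 present AND subsig 2 matched exactly 0 times.
    """
    counts = subsig_counts(data)
    return counts[0] > 0 and counts[1] > 0 and counts[2] == 0


# Constructed PDF signature dictionaries (not real files from the thread). PDF names
# are delimited by '/', so writers may omit whitespace between keys and values.
# Same signature, /Type /Sig written after /SubFilter: subsig 2 matches, so 2=0 fails.
SIG_DICT_TYPE_LAST = (
    b"<</Filter/Adobe.PPKLite/Location(Example City)/Reason(Approved)"
    b"/SubFilter/adbe.pkcs7.detached/Type/Sig/Contents<3082>>>"
)
# Same signature, /Type /Sig written first: subsig 2 cannot match, so the
# logical signature fires on a perfectly ordinary signed document.
SIG_DICT_TYPE_FIRST = (
    b"<</Type/Sig/Filter/Adobe.PPKLite/Location(Example City)/Reason(Approved)"
    b"/SubFilter/adbe.pkcs7.detached/Contents<3082>>>"
)
# No signature dictionary at all: subsig 0 is absent, nothing fires.
UNSIGNED = b"<</Type/Page/Contents 4 0 R>>"


def report(label: str, data: bytes) -> str:
    """Human-readable triage line: per-subsig counts plus the final verdict."""
    counts = subsig_counts(data)
    verdict = "MATCH" if lsig_matches(data) else "no match"
    return f"{label}: counts={counts} -> {verdict}"


if __name__ == "__main__":
    for label, sample in (("type-last", SIG_DICT_TYPE_LAST),
                          ("type-first", SIG_DICT_TYPE_FIRST),
                          ("unsigned", UNSIGNED)):
        print(report(label, sample))
```

To triage a real false positive the same way, feed the suspect file's bytes to `report()` and compare the per-subsignature counts; a hit caused by the `2=0` clause shows up as subsig 0 and 1 present with subsig 2 at zero, which points at the regex's ordering assumption rather than at anything malicious in the document. This does not explain the clamscan versus clamdscan difference reported in the thread; that needs the two scanners' configurations compared separately.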