[clamav-users] LibClamAV Warning

2017-05-02 Thread Rudy Stebih
Hi Folks, I've been getting the following error for a week or so: 'LibClamAV Warning: Bytecode runtime error at line 1226, col 4' I finally found the time to run ClamAV in verbose mode and believe this is the culprit: 'Scanning C:\Program Files (x86)\Applian Director\ClearRegCode.exe' At

Re: [clamav-users] Different results: Clamscan vs ClamWin

2017-05-02 Thread Joel Esler (jesler)
First thing I notice is that you are running two different versions of ClamAV. -- Sent from my iPhone > On May 2, 2017, at 20:08, Rafael Ferreira wrote: > > Can you tell us which virus you encountered? Also can you validate that the > file has the same checksum in both

Re: [clamav-users] Different results: Clamscan vs ClamWin

2017-05-02 Thread Rafael Ferreira
Can you tell us which virus you encountered? Also can you validate that the file has the same checksum in both Windows and Linux? > On May 2, 2017, at 2:22 PM, Peter B. wrote: > > Dear Clamav users, > > I was scanning a ZIP file with both: clamscan (on Xubuntu), and

[clamav-users] Different results: Clamscan vs ClamWin

2017-05-02 Thread Peter B.
Dear Clamav users, I was scanning a ZIP file with both: clamscan (on Xubuntu), and clamwin (on Win7). Clamwin found a virus, where clamscan did not. I'm surprised, since I thought these are just 2 frontends for the same engine and virus database? I updated the database on Linux using "$ sudo

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-05-02 Thread Christopher Marczewski
I do see a few alerts for Pdf.Exploit.CVE_2017_3039-6300177-2 on VirusTotal, too. We'll be dropping the signature again & examining further. On Tue, May 2, 2017 at 8:24 AM, Giuseppe Ravasio < giuseppe_rava...@ch.modiano.com> wrote: > Hi, > > I'm now getting some other signed pdf matched by >

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-05-02 Thread Giuseppe Ravasio
Hi, I'm now getting some other signed PDFs matched by Pdf.Exploit.CVE_2017_3039-6300177-2. As with the Pdf.Exploit.CVE_2017_3039-6300177-0, it only happens using the daemon and not clamscan. Regards Giuseppe On 02/05/2017 09:46, Al Varnell wrote: > I see there is a rewrite in daily 23349

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-05-02 Thread Al Varnell
I see there is a rewrite in daily 23349 that just posted: > VIRUS NAME: Pdf.Exploit.CVE_2017_3039-6300177-2 > TDB: Engine:81-255,Target:10 > LOGICAL EXPRESSION: 0&1&2=0 > * SUBSIG ID 0 > +-> OFFSET: ANY > +-> SIGMOD: NONE > +-> DECODED SUBSIGNATURE: >

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-05-02 Thread Al Varnell
It never appeared on a daily as being dropped, but when I checked on Saturday and again just now, I can't find it: > $ sigtool --find Pdf.Exploit.CVE_2017_3039-6300177-0 > $ I don't think it is related, but there was an issue with DNS that stopped all updates after 23343 late Saturday until

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-05-02 Thread Vladislav Kurz
Hello, did you really drop the signature? During the weekend scan (clamscan), we got 45 false positives. According to file names, they seem to be signed official PDF documents from government. On 04/28/17 17:16, Christopher Marczewski wrote: > Thanks for the reports. We'll be modifying the