Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-05-02 Thread Christopher Marczewski
I do see a few alerts for Pdf.Exploit.CVE_2017_3039-6300177-2 on VirusTotal, too. We'll be dropping the signature again & examining further.

On Tue, May 2, 2017 at 8:24 AM, Giuseppe Ravasio <giuseppe_rava...@ch.modiano.com> wrote:
> Hi,
>
> I'm now getting some other signed pdf matched by
> Pdf

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-05-02 Thread Giuseppe Ravasio
Hi,

I'm now getting some other signed pdf matched by Pdf.Exploit.CVE_2017_3039-6300177-2

As with the Pdf.Exploit.CVE_2017_3039-6300177-0 it only happens using the daemon and not clamscan.

Regards
Giuseppe

On 02/05/2017 09:46, Al Varnell wrote:
> I see there is a rewrite in daily 23349 tha

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-05-02 Thread Al Varnell
I see there is a rewrite in daily 23349 that just posted:

> VIRUS NAME: Pdf.Exploit.CVE_2017_3039-6300177-2
> TDB: Engine:81-255,Target:10
> LOGICAL EXPRESSION: 0&1&2=0
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> /Adobe.PPKLite/Location{WILDCARD_ANY_STRI

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-05-02 Thread Al Varnell
It never appeared on a daily as being dropped, but when I checked on Saturday and again just now, I can't find it:

> $ sigtool --find Pdf.Exploit.CVE_2017_3039-6300177-0
> $

I don't think it is related, but there was an issue with DNS that stopped all updates after 23343 late Saturday until mi

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-05-02 Thread Vladislav Kurz
Hello,

did you really drop the signature? During the weekend scan (clamscan), we got 45 false positives. According to file names, they seem to be signed official PDF documents from government.

On 04/28/17 17:16, Christopher Marczewski wrote:
> Thanks for the reports. We'll be modifying the signat

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-04-28 Thread Christopher Marczewski
Thanks for the reports. We'll be modifying the signature. In the interim, I've dropped the current signature.

On Fri, Apr 28, 2017 at 11:01 AM, Vladislav Kurz wrote:
> I have the same problem, and already submitted a false positive report.
> In our case it was a signed pdf, so I suspect that th

Re: [clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-04-28 Thread Vladislav Kurz
I have the same problem, and already submitted a false positive report. In our case it was a signed pdf, so I suspect that the signature makes it FP. But I have no idea how to work around it now. Maybe disable pdf scanning?

On 04/28/17 16:47, Giuseppe Ravasio wrote:
> Hi,
> since this morning dail

[clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

2017-04-28 Thread Giuseppe Ravasio
Hi,

since this morning daily signature update 23337 and even with the latest one 23338 my amavis flags some emails with PDF attachments as virus:

Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND

Checking the PDF with other AVs and even with clamscan (on the same server) results in a clean file:

beppe@th