I do see a few alerts for Pdf.Exploit.CVE_2017_3039-6300177-2 on
VirusTotal, too.
We'll be dropping the signature again & examining further.
On Tue, May 2, 2017 at 8:24 AM, Giuseppe Ravasio <
giuseppe_rava...@ch.modiano.com> wrote:
Hi,
I'm now getting some other signed pdf matched by
Pdf.Exploit.CVE_2017_3039-6300177-2
As with the Pdf.Exploit.CVE_2017_3039-6300177-0 it only happens using
the daemon and not clamscan.
Regards
Giuseppe
On 02/05/2017 09:46, Al Varnell wrote:
I see there is a rewrite in daily 23349 that just posted:
> VIRUS NAME: Pdf.Exploit.CVE_2017_3039-6300177-2
> TDB: Engine:81-255,Target:10
> LOGICAL EXPRESSION: 0&1&2=0
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> /Adobe.PPKLite/Location{WILDCARD_ANY_STRI
It never appeared on a daily as being dropped, but when I checked on Saturday
and again just now, I can't find it:
> $ sigtool --find Pdf.Exploit.CVE_2017_3039-6300177-0
> $
I don't think it is related, but there was an issue with DNS that stopped all
updates after 23343 late Saturday until mi
Hello,
Did you really drop the signature?
During the weekend scan (clamscan), we got 45 false positives. According
to file names, they seem to be signed official PDF documents from government.
On 04/28/17 17:16, Christopher Marczewski wrote:
Thanks for the reports. We'll be modifying the signature.
In the interim, I've dropped the current signature.
On Fri, Apr 28, 2017 at 11:01 AM, Vladislav Kurz wrote:
I have the same problem, and already submitted a false positive report.
In our case it was a signed pdf, so I suspect that the signature makes
it FP. But I have no idea how to work around it now. Maybe disable pdf
scanning?
On 04/28/17 16:47, Giuseppe Ravasio wrote:
Hi,
since this morning daily signature update 23337
and even with the latest one 23338
my amavis flags some emails with PDF attachments as virus:
Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
Checking the PDF with other AVs and even with clamscan (on the same
server) results in a clean file:
beppe@th