[clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

Vladislav Kurz vladislav.kurz at webstep.net
Fri Apr 28 11:01:21 EDT 2017


I have the same problem, and already submitted a false positive report.
In our case it was a signad pdf, so I suspect that the signature makes
it FP. But I have no idea how to work around it now. Maybe disable pdf
scanning?

On 04/28/17 16:47, Giuseppe Ravasio wrote:
> Hi,
> since this morning daily signature update 23337
> and even with the latest one 23338
> my amavis flags some emails with PDF attachments as virus:
> Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
> 
> Checking the PDF with other AVs and even with clamscan (on the same
> server) results in a clean file:
> 
> beppe at thot:/tmp$ clamscan TCA.pdf
> TCA.pdf: OK
> 
> ----------- SCAN SUMMARY -----------
> Known viruses: 6272759
> Engine version: 0.99.2
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.22 MB
> Data read: 0.08 MB (ratio 2.71:1)
> Time: 17.277 sec (0 m 17 s)
> 
> if I check the file with clamdscan I get the virus found:
> beppe at thot:/tmp$ clamdscan TCA.pdf
> /tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
> 
> ----------- SCAN SUMMARY -----------
> Infected files: 1
> Time: 0.032 sec (0 m 0 s)
> 
> Any hints on how to solve the problem?
> 
> Thanks
> Giuseppe
> _______________________________________________
> clamav-users mailing list
> clamav-users at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> 
> 
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
> 
> http://www.clamav.net/contact.html#ml
> 




More information about the clamav-users mailing list