[clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

Christopher Marczewski cmarczewski at sourcefire.com
Fri Apr 28 11:16:39 EDT 2017


Thanks for the reports. We'll be modifying the signature.

In the interim, I've dropped the current signature.

On Fri, Apr 28, 2017 at 11:01 AM, Vladislav Kurz <vladislav.kurz at webstep.net> wrote:

> I have the same problem, and already submitted a false positive report.
> In our case it was a signed pdf, so I suspect that the signature makes
> it FP. But I have no idea how to work around it now. Maybe disable pdf
> scanning?
>
> On 04/28/17 16:47, Giuseppe Ravasio wrote:
> > Hi,
> > since this morning daily signature update 23337
> > and even with the latest one 23338
> > my amavis flags some emails with PDF attachments as virus:
> > Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
> >
> > Checking the PDF with other AVs and even with clamscan (on the same
> > server) results in a clean file:
> >
> > beppe at thot:/tmp$ clamscan TCA.pdf
> > TCA.pdf: OK
> >
> > ----------- SCAN SUMMARY -----------
> > Known viruses: 6272759
> > Engine version: 0.99.2
> > Scanned directories: 0
> > Scanned files: 1
> > Infected files: 0
> > Data scanned: 0.22 MB
> > Data read: 0.08 MB (ratio 2.71:1)
> > Time: 17.277 sec (0 m 17 s)
> >
> > if I check the file with clamdscan I get the virus found:
> > beppe at thot:/tmp$ clamdscan TCA.pdf
> > /tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
> >
> > ----------- SCAN SUMMARY -----------
> > Infected files: 1
> > Time: 0.032 sec (0 m 0 s)
> >
> > Any hints on how to solve the problem?
> >
> > Thanks
> > Giuseppe
> > _______________________________________________
> > clamav-users mailing list
> > clamav-users at lists.clamav.net
> > http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >
> >
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
> >



-- 
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
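
Added example, not part of the original thread or of ClamAV's own tooling: a local workaround for a false-positive signature like the one reported above is to list its name in a `local.ign2` file in ClamAV's database directory and then reload clamd. The function names and the `/var/lib/clamav` path in the usage comment are assumptions; remove the entry once a corrected signature ships.

```shell
#!/bin/sh
# Constructed sample: the clamdscan result line quoted in the thread.
SAMPLE_OUTPUT='/tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND'

# Read clamscan/clamdscan output on stdin and print each distinct
# signature name taken from "<path>: <signature> FOUND" lines.
found_signatures() {
    sed -n 's/^.*: \([^ ]*\) FOUND$/\1/p' | sort -u
}

# Append a signature name to local.ign2 in the given database directory
# unless it is already listed. ClamAV skips signatures named in *.ign2
# files (one name per line) the next time the database is loaded.
ignore_signature() {
    db_dir=$1
    sig=${2%.UNOFFICIAL}   # third-party names are listed without this suffix
    ign_file="$db_dir/local.ign2"
    # Refuse anything that does not look like a signature name.
    case $sig in
        ''|*[!A-Za-z0-9_.-]*)
            echo "invalid signature name: $sig" >&2
            return 1 ;;
    esac
    if [ -f "$ign_file" ] && grep -qxF -- "$sig" "$ign_file"; then
        return 0           # already ignored, keep the file free of duplicates
    fi
    printf '%s\n' "$sig" >> "$ign_file"
}

# Usage (assumed database directory; check DatabaseDirectory in clamd.conf):
#   clamdscan TCA.pdf | found_signatures | while read -r s; do
#       ignore_signature /var/lib/clamav "$s"
#   done
#   clamdscan --reload     # make the running daemon pick up local.ign2
```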

