[Community-sigs] CVE-2014-0503

Leonardo Tancredi leotancredi at gmail.com
Wed Jul 15 13:45:07 EDT 2015


Hello,

I would like some feedback on two issues regarding the signature for
CVE-2014-0503:

   1. Why is it classified as PUA (PUA.HTML.Exploit.CVE_2014_0503) when
   this is a vulnerability and the signature's name says it detects its
   "exploit"? I think there's nothing "potentially" unwanted about exploits,
   they're pretty much as unwanted as a virus or trojan; they can be useful
   for security specialists but not for most people. Furthermore, there's no
   mention of PUA.HTML in the PUA Documentation Page
   <http://www.clamav.net/doc/pua.html>.
   2. The signature for CVE-2014-0503 is:

    PUA.HTML.Exploit.CVE_2014_0503:3:*:3c656d626564{-50}7372633d{-50}3030{-50}2e737766
   which amounts to a regular expression like:
      <embed.{0,50}src=.{0,50}00.{0,50}\.swf
   which matches completely innocent web pages containing strings like this
   one:
     <embed src="somepath/somename150x100.swf"
   I saw that false positives in PUA signatures are not welcome at the old
   contact form (http://cgi.clamav.net/sendvirus.cgi). I reported this on
   July 7 2015 through http://www.clamav.net/report/fp which has no such
   restriction, with concrete examples of this problem happening in real
   pages, but got no answer.

For cases like this one, in which there are a lot of false positives, there
should be some way for the clamav user to disable specific signatures
without having to disable the whole PUA collection and without having to
edit the signatures file (if that is even possible, I don't know).

Thanks.


LT
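As an added illustration of the second point (this is example code, not ClamAV's own code or anything from the post), the script below parses the quoted .ndb line, converts its hex body into the equivalent regular expression, and runs it against the innocent page fragment from the post plus a constructed control string that lacks the "00" byte pair. It assumes only the body syntax this signature uses (literal hex bytes, `*`, `{n}`, `{n-m}`, `{-m}`, `{n-}` and `??`), and it does not reproduce the HTML normalisation ClamAV applies to target type 3 before matching, so it shows what the body pattern itself accepts rather than a full clamscan run.

```python
import re

# Added example (not ClamAV code): parse the .ndb line from the post and turn its
# hex body into an equivalent Python regex so it can be tested against sample data.
# Assumption: only the subset of ClamAV body syntax this signature uses is handled
# (literal hex bytes, '*', '{n}', '{n-m}', '{-m}', '{n-}' and '??'); the HTML
# normalisation ClamAV applies to target type 3 before matching is not reproduced.

# The signature exactly as quoted in the post.
SIG_LINE = ("PUA.HTML.Exploit.CVE_2014_0503:3:*:"
            "3c656d626564{-50}7372633d{-50}3030{-50}2e737766")

# Constructed sample inputs: the innocent fragment from the post and a control
# string that has no "00" byte pair, so the signature must not fire on it.
INNOCENT = b'<embed src="somepath/somename150x100.swf"'
CONTROL = b'<embed src="player.swf" type="application/x-shockwave-flash">'

# One token of the hex body: {n-m}/{-m}/{n-}, {n}, '*', '??', or a literal byte.
_TOKEN = re.compile(r"\{(\d*)-(\d*)\}|\{(\d+)\}|\*|\?\?|[0-9a-fA-F]{2}")


def parse_ndb(line):
    """Split 'Name:TargetType:Offset:HexBody' into its four fields."""
    name, target, offset, body = line.strip().split(":", 3)
    return {"name": name, "target": int(target), "offset": offset, "body": body}


def hexsig_to_regex(body):
    """Translate a ClamAV hex body into a bytes regex ('{-50}' -> '.{0,50}', etc.)."""
    parts = []
    pos = 0
    for m in _TOKEN.finditer(body):
        if m.start() != pos:
            raise ValueError("unsupported syntax at offset %d: %r" % (pos, body[pos:]))
        pos = m.end()
        tok = m.group(0)
        if tok == "*":
            parts.append(b".*")                         # any number of bytes
        elif tok == "??":
            parts.append(b".")                          # exactly one byte, any value
        elif m.group(3) is not None:
            parts.append(b".{%d}" % int(m.group(3)))    # exactly n bytes
        elif tok.startswith("{"):
            lo = int(m.group(1) or 0)                   # '{-m}' means 0..m bytes
            hi = m.group(2).encode() if m.group(2) else b""   # '{n-}' means n or more
            parts.append(b".{%d,%s}" % (lo, hi))
        else:
            parts.append(re.escape(bytes.fromhex(tok)))  # literal byte
    if pos != len(body):
        raise ValueError("trailing garbage in body: %r" % body[pos:])
    return b"".join(parts)


def readable_pattern(body):
    """The pattern in the form shown in the post: hex literals decoded to text."""
    return hexsig_to_regex(body).decode("latin-1")


def matches(sig_line, data):
    """True if the signature body occurs anywhere in data (offset '*')."""
    sig = parse_ndb(sig_line)
    if sig["offset"] != "*":
        raise ValueError("only offset '*' is handled in this example")
    # DOTALL: a ClamAV {n-m} gap spans arbitrary bytes, newlines included.
    return re.search(hexsig_to_regex(sig["body"]), data, re.DOTALL) is not None


if __name__ == "__main__":
    body = parse_ndb(SIG_LINE)["body"]
    print("regex:", readable_pattern(body))
    for sample in (INNOCENT, CONTROL):
        print(matches(SIG_LINE, sample), sample.decode())
```

Running it prints the same regex the post derives by hand and shows the innocent `<embed src="somepath/somename150x100.swf"` fragment matching: the only thing the body pins down between `src=` and `.swf` is a literal "00" within 50 bytes, which any file name or dimension containing two consecutive zeros satisfies. As for disabling one signature without dropping the whole PUA set, ClamAV does support a per-signature ignore list: a file with the `.ign2` extension in the database directory (for example `local.ign2`) containing one signature name per line, here `PUA.HTML.Exploit.CVE_2014_0503`, causes that signature to be skipped on load while the rest of the database stays active.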

