[clamav-users] Fwd: Unable to detect pdf virus (Not working in sharepoint)

P K pkopensrc at gmail.com
Tue Aug 18 10:48:27 EDT 2015


Hi Guys,

Again troubling you. Can you please let me know why its not working for
windows server. Do i need to enable any setting in ClamAv configuration?

I was trying same exploit.pdf virus file to upload in Windows server and
its not detected by ClamAv Antivirus.

*I tried with detect-pua also and it didn't worked for me*.

It works fine with curl and other software. *Maybe we have to handle
separately for windows server*.

Looks like its due to way windows servers work to upload file using
Boundary mechanism.

Below is output of virus file to clamav:

Content-Disposition: form-data; name="__EVENTVALIDATION"

/wEWBAK5276uAwLv4ZO6DgLmgPS1DQL374fcBaj9ZhJYdIZVwZS464ZHv7T3ou6w
-----------------------------21154944191352840482619583850
Content-Disposition: form-data; name="destination"





*/AnalyticsReports-----------------------------21154944191352840482619583850Content-Disposition:
form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile";
filename="exploit.pdf"Content-Type: application/force-download*
%PDF-1.1
1 0 obj
<< /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R >>
endobj
2 0 obj
<< /Type /Outlines /Count 0 >>
endobj
3 0 obj
<< /Type /Pages /Kids [4 0 R] /Count 1 >>
endobj
4 0 obj
<< /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] >>
endobj
5 0 obj
<< /Type /Action /S /JavaScript /JS (
  VIRUS DATA .....................
...........................................

        spray_heap();
        trigger_bug();

        ) >>
endobj
xref
0 6
0000000000 65535 f
0000000010 00000 n
0000000096 00000 n
0000000145 00000 n
0000000205 00000 n
0000000279 00000 n
trailer
<< /Size 6 /Root 1 0 R >>
startxref
1787
%%EOF
-----------------------------21154944191352840482619583850
Content-Disposition: form-data;
name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"

on
-----------------------------21154944191352840482619583850
Content-Disposition: form-data; name="__spText1"


-----------------------------21154944191352840482619583850


On Thu, Jul 30, 2015 at 3:39 PM, P K <pkopensrc at gmail.com> wrote:

> thanks Shaun. I seen its pushed in latest update.
>
> Hope to learn more from you guys.
>
> On Wed, Jul 29, 2015 at 7:32 PM, Shaun Hurley <shahurle at sourcefire.com>
> wrote:
>
>> PK,
>>
>> Thank you for bringing this to our attention.
>>
>> I have created another signature that doesn't rely upon PUA being enabled.
>> As soon as the signature is done being tested for false positives we will
>> publish it.
>>
>> Thanks again,
>> Shaun Hurley
>> ClamAV Malware Team
>>
>> On Tue, Jul 28, 2015 at 10:54 AM, P K <pkopensrc at gmail.com> wrote:
>>
>> > worked properly after enabling PUA.
>> >
>> > Cheers,
>> > --PK
>> >
>> > On Tue, Jul 28, 2015 at 8:14 PM, Steve Basford <
>> > steveb_clamav at sanesecurity.com> wrote:
>> >
>> > >
>> > > On Tue, July 28, 2015 3:41 pm, P K wrote:
>> > > > So how to detect same in my clamAv?
>> > > >
>> > >
>> > > Until a proper sig is added, you could try
>> > >
>> > > clamscan  --detect-pua=yes
>> > >
>> > > Cheers,
>> > >
>> > > Steve
>> > > Web : sanesecurity.com
>> > > Blog: sanesecurity.blogspot.com
>> > >
>> > > _______________________________________________
>> > > Help us build a comprehensive ClamAV guide:
>> > > https://github.com/vrtadmin/clamav-faq
>> > >
>> > > http://www.clamav.net/contact.html#ml
>> > >
>> > _______________________________________________
>> > Help us build a comprehensive ClamAV guide:
>> > https://github.com/vrtadmin/clamav-faq
>> >
>> > http://www.clamav.net/contact.html#ml
>> >
>> _______________________________________________
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
>
>



More information about the clamav-users mailing list