[clamav-users] Unable to detect pdf virus

Joel Esler (jesler) jesler at cisco.com
Tue Jul 28 10:46:10 UTC 2015


So you generated a brand new malicious pdf? (Trying to understand what the question is) Did you submit said malicious pdf to us?  Perhaps you could write your own detection and submit it to us via the community signature program?

--
Joel Esler
Manager, Threat Intelligence and Open Source
Talos Group
Sent from my iPhone

On Jul 28, 2015, at 6:01 AM, P K <pkopensrc at gmail.com> wrote:

Hi Guys,

Still waiting for an answer.

On Thu, Jul 23, 2015 at 8:21 PM, P K <pkopensrc at gmail.com> wrote:

Hi Guys,

I am testing clamav in my local system to detect POST data from the network.
I am a newbie in ClamAV and want to test with real time signatures.

I tested with the Eicar Test Signature and it works fine.

*But ClamAV is unable to detect CVE-2009-4324 with pdf.*

I see the signature is present in daily.cld, and if extracted it's present in
daily.ldb.
Gmail is able to detect the same pdf as a virus.

Any help on what is wrong in my ClamAV system and how to fix it.

$ clamscan ~/anti/eicar.com.txt
*/home/pk/anti/eicar.com.txt: Eicar-Test-Signature FOUND*

----------- SCAN SUMMARY -----------
Known viruses: 3898123
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 6.480 sec (0 m 6 s)    <--------------- took 6sec to detect normal virus

$ clamscan ~/anti_new/virus/exploit.pdf

*/home/pk/anti_new/virus/exploit.pdf: OK*
----------- SCAN SUMMARY -----------
Known viruses: 3898123
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 8.100 sec (0 m 8 s)

I generated the above virus using this link -
http://www.decalage.info/exefilter_pdf_exploits

I really want to learn ClamAv virus detection and try to enhance it.

Thanks
--PK


_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
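One reason a signature that is listed in daily.ldb can still not fire is that its target description block limits it to a file type or to a range of engine functionality levels, so an engine that types the input differently (for example a PDF wrapped inside raw POST data) or that is too old simply skips it. The Python below is an added diagnostic example, not code from the thread or from ClamAV; the .ldb lines are constructed, and the functionality level 78 used for the 0.98.6 engine shown above is an assumption.

```python
"""Parse ClamAV logical-signature (.ldb) lines and report why a signature
that is present in the database might still be skipped by a given engine."""

# Subset of ClamAV target types from the signature documentation.
TARGET_NAMES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML", 4: "Mail",
                6: "ELF", 7: "ASCII", 10: "PDF"}

# Constructed sample lines (Name;TargetDescriptionBlock;LogicalExpr;Subsig...),
# not copied from daily.ldb.
SAMPLE_LDB = """\
Sample.PDF.Exploit-A;Target:10,Engine:51-255;0&1;4f70656e416374696f6e;4a617661536372697074
Sample.PDF.Exploit-B;Target:10,Engine:90-255;0;6d656469612e6e657750
Sample.Generic-C;Target:0;0;4d5a
"""

def parse_ldb_line(line):
    """Split one .ldb record into its name, target block, expression, subsigs."""
    name, tdb, expr, *subsigs = line.strip().split(";")
    blocks = {}
    for item in tdb.split(","):
        key, _, value = item.partition(":")
        blocks[key] = value
    return {"name": name, "tdb": blocks, "expr": expr, "subsigs": subsigs}

def applicability(sig, flevel, file_target):
    """Return reasons the engine would not evaluate sig against a file typed
    as file_target; an empty list means the signature is in scope."""
    reasons = []
    target = int(sig["tdb"].get("Target", "0"))
    if target not in (0, file_target):
        reasons.append(f"Target:{target} ({TARGET_NAMES.get(target, '?')}) but file "
                       f"was typed as {TARGET_NAMES.get(file_target, file_target)}")
    engine = sig["tdb"].get("Engine")
    if engine:  # Engine:X-Y restricts the functionality level range
        lo, _, hi = engine.partition("-")
        if not int(lo) <= flevel <= int(hi or lo):
            reasons.append(f"Engine:{engine} excludes functionality level {flevel}")
    return reasons

def diagnose(ldb_text, name_fragment, flevel, file_target=10):
    """Map each matching signature name to its list of skip reasons."""
    out = {}
    for line in ldb_text.splitlines():
        if line and name_fragment in line.split(";", 1)[0]:
            sig = parse_ldb_line(line)
            out[sig["name"]] = applicability(sig, flevel, file_target)
    return out

if __name__ == "__main__":
    # Assumed functionality level 78 for the 0.98.6 engine in the thread.
    for name, reasons in diagnose(SAMPLE_LDB, "Sample", 78).items():
        print(name, "would fire" if not reasons else "skipped: " + "; ".join(reasons))
```

Against a real database, unpack it first (sigtool --unpack daily.cld) and feed the resulting daily.ldb text to diagnose() with the engine's actual functionality level.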
