[clamav-users] Fwd: Unable to detect pdf virus
Joel Esler (jesler)
jesler at cisco.com
Tue Jul 28 11:44:00 UTC 2015
Can you provide us with the hash for the file?
--
Joel Esler
Manager, Threat Intelligence and Open Source
Talos Group
Sent from my iPhone
On Jul 28, 2015, at 7:43 AM, P K <pkopensrc at gmail.com> wrote:
Sure. I uploaded the same. I wanted someone else to try it to make sure it's an issue with clamav.
Can you point me to any other real virus (except eicar) to try, to make sure my clamAv is working properly?
I want to try clamav by sending a real virus file.
Thanks
--Pk
---------- Forwarded message ----------
From: Alain Zidouemba <azidouemba at sourcefire.com>
Date: Tue, Jul 28, 2015 at 5:07 PM
Subject: Re: [clamav-users] Unable to detect pdf virus
To: ClamAV users ML <clamav-users at lists.clamav.net>
So that the signature gets updated, if necessary. Either your sample is actually attempting to exploit CVE-2009-4324 and it's evading detection by our current signature (Exploit.PDF.CVE_2009_4324), or your sample isn't attempting to exploit CVE-2009-4324. Either way, your sample would be helpful in order to determine that.
Thanks,
- Alain
On Tue, Jul 28, 2015 at 11:32 AM, P K <pkopensrc at gmail.com> wrote:
Sure. I will submit it, but as per the clamav database this signature is already in the database.
Why should we submit the sample again?
On Tue, Jul 28, 2015 at 4:58 PM, Alain Zidouemba <azidouemba at sourcefire.com> wrote:
Yes, please do so. Submit your sample here:
http://www.clamav.net/report/report-malware.html and provide the MD5 or
SHA256 of the sample you submitted as a reply to this email.
Thanks,
- Alain
On Tue, Jul 28, 2015 at 11:01 AM, Al Varnell <alvarnell at mac.com> wrote:
It does not match the signature for Exploit.PDF.CVE_2009_4324.
It's looking for a two-part signature:
In your document there are spaces in the string "/S /JavaScript /JS" which are not in the signature.
Your document contains the string "media.newPlayer(null)" whereas the signature is looking for "this." in front of it.
Submit your document for possible addition of a new or revised signature.
-Al-
On Tue, Jul 28, 2015 at 03:01 AM, P K wrote:
Hi Guys,
Still waiting for an answer.
On Thu, Jul 23, 2015 at 8:21 PM, P K <pkopensrc at gmail.com> wrote:
Hi Guys,
I am testing clamav on my local system to detect POST data from the network.
I am a newbie in ClamAv and want to test with real-time signatures.
I tested with the Eicar Test Signature and it works fine.
*But ClamAv is unable to detect CVE-2009-4324 with a pdf.*
I see the signature is present in daily.cld and, if extracted, it's present in daily.ldb.
Gmail is able to detect the same pdf as a virus.
Any help on what is wrong in my ClamAv system and how to fix it?
$ clamscan ~/anti/eicar.com.txt
*/home/pk/anti/eicar.com.txt: Eicar-Test-Signature FOUND*
----------- SCAN SUMMARY -----------
Known viruses: 3898123
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 6.480 sec (0 m 6 s) <--------------- took 6 sec to detect a normal virus
$ clamscan ~/anti_new/virus/exploit.pdf
*/home/pk/anti_new/virus/exploit.pdf: OK*
----------- SCAN SUMMARY -----------
Known viruses: 3898123
Engine version: 0.98.6
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.00 MB
Data read: 0.00 MB (ratio 0.00:1)
Time: 8.100 sec (0 m 8 s)
I generated the above virus using this link -
http://www.decalage.info/exefilter_pdf_exploits
I really want to learn ClamAv virus detection and try to enhance it.
Thanks
--PK
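To illustrate Al Varnell's explanation of why the two-part signature misses the sample, here is a small added example (not code from the thread or from ClamAV) that evaluates .ldb-style logical signatures over raw bytes. The signature bodies and PDF fragments are constructed for illustration and are not the real Exploit.PDF.CVE_2009_4324 entry; real ClamAV also parses and decodes PDF objects before matching, which this toy does not.

```python
import re

def _hx(s: str) -> str:
    """Hex-encode an ASCII string as a ClamAV-style hex subsignature body."""
    return s.encode().hex()

# Constructed .ldb-like entries: Name;TargetDescription;LogicalExpr;Subsig0;Subsig1
# Strict form: exact "/S/JavaScript/JS" and "this.media.newPlayer(null)".
STRICT_SIG = ("Example.PDF.NewPlayer.strict;Target:0;0&1;"
              + _hx("/S/JavaScript/JS") + ";" + _hx("this.media.newPlayer(null)"))
# Loosened form: {0-1} allows one optional byte (e.g. a space) between the
# PDF name tokens, and the call is matched without requiring "this." in front.
LOOSE_SIG = ("Example.PDF.NewPlayer.loose;Target:0;0&1;"
             + _hx("/S") + "{0-1}" + _hx("/JavaScript") + "{0-1}" + _hx("/JS")
             + ";" + _hx("media.newPlayer(null)"))

def hex_sig_to_regex(body: str) -> bytes:
    """Translate a hex subsignature with {n-m}, ?? and * wildcards into a regex."""
    out, i = b"", 0
    while i < len(body):
        if body[i] == "{":                       # {n-m}: n to m arbitrary bytes
            j = body.index("}", i)
            lo, hi = body[i + 1:j].split("-")
            out += b".{%s,%s}" % (lo.encode(), hi.encode())
            i = j + 1
        elif body[i] == "*":                     # any number of bytes
            out += b".*"
            i += 1
        elif body[i:i + 2] == "??":              # one arbitrary byte
            out += b"."
            i += 2
        else:                                    # literal byte
            out += re.escape(bytes.fromhex(body[i:i + 2]))
            i += 2
    return out

def ldb_match(sig: str, data: bytes) -> bool:
    """Evaluate a logical signature (only &, | and parentheses) against data."""
    _name, _target, expr, *subsigs = sig.split(";")
    if not re.fullmatch(r"[0-9&|() ]+", expr):
        raise ValueError("unsupported logical expression")
    hits = [re.search(hex_sig_to_regex(s), data, re.DOTALL) is not None
            for s in subsigs]
    py = re.sub(r"\d+", lambda m: str(hits[int(m.group())]), expr)
    return bool(eval(py.replace("&", " and ").replace("|", " or "), {}, {}))

# Constructed PDF fragments: the spaced form described in the thread, and an exact form.
SAMPLE_SPACED = b"<< /S /JavaScript /JS (media.newPlayer(null);) >>"
SAMPLE_EXACT = b"<< /S/JavaScript/JS (this.media.newPlayer(null);) >>"
```

Running it shows the strict signature matching only the exact fragment, while the wildcarded variant matches both, which is the kind of revision a sample submission lets the signature team evaluate.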
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml