[clamav-users] Fwd: Unable to detect pdf virus (Not working in sharepoint)

P K pkopensrc at gmail.com
Fri Sep 4 05:52:34 EDT 2015


Thanks Steven. I uploaded both files.

I feel ClamAV should detect the signature in any file irrespective of the form
data sent by the browser.

On Sat, Aug 22, 2015 at 12:13 AM, Steven Morgan <smorgan at sourcefire.com>
wrote:

> I've opened https://bugzilla.clamav.net/show_bug.cgi?id=11380. Please
> attach to this bugzilla ticket the original pdf file and the original
> multipart document.
>
> Thanks.
>
> On Tue, Aug 18, 2015 at 10:48 AM, P K <pkopensrc at gmail.com> wrote:
>
> > Hi Guys,
> >
> > Again troubling you. Can you please let me know why it's not working for
> > Windows server? Do I need to enable any setting in the ClamAV configuration?
> >
> > I was trying to upload the same exploit.pdf virus file to a Windows server and
> > it's not detected by ClamAV antivirus.
> >
> > I tried with detect-pua also and it didn't work for me.
> >
> > It works fine with curl and other software. Maybe we have to handle it
> > separately for Windows server.
> >
> > Looks like it's due to the way Windows servers upload files using the
> > boundary mechanism.
> >
> > Below is output of virus file to clamav:
> >
> > Content-Disposition: form-data; name="__EVENTVALIDATION"
> >
> > /wEWBAK5276uAwLv4ZO6DgLmgPS1DQL374fcBaj9ZhJYdIZVwZS464ZHv7T3ou6w
> > -----------------------------21154944191352840482619583850
> > Content-Disposition: form-data; name="destination"
> >
> > /AnalyticsReports
> > -----------------------------21154944191352840482619583850
> > Content-Disposition: form-data; name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile"; filename="exploit.pdf"
> > Content-Type: application/force-download
> >
> > %PDF-1.1
> > 1 0 obj
> > << /Type /Catalog /Outlines 2 0 R /Pages 3 0 R /OpenAction 5 0 R >>
> > endobj
> > 2 0 obj
> > << /Type /Outlines /Count 0 >>
> > endobj
> > 3 0 obj
> > << /Type /Pages /Kids [4 0 R] /Count 1 >>
> > endobj
> > 4 0 obj
> > << /Type /Page /Parent 3 0 R /MediaBox [0 0 612 792] >>
> > endobj
> > 5 0 obj
> > << /Type /Action /S /JavaScript /JS (
> >   VIRUS DATA .....................
> > ...........................................
> >
> >         spray_heap();
> >         trigger_bug();
> >
> >         ) >>
> > endobj
> > xref
> > 0 6
> > 0000000000 65535 f
> > 0000000010 00000 n
> > 0000000096 00000 n
> > 0000000145 00000 n
> > 0000000205 00000 n
> > 0000000279 00000 n
> > trailer
> > << /Size 6 /Root 1 0 R >>
> > startxref
> > 1787
> > %%EOF
> > -----------------------------21154944191352840482619583850
> > Content-Disposition: form-data;
> > name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"
> >
> > on
> > -----------------------------21154944191352840482619583850
> > Content-Disposition: form-data; name="__spText1"
> >
> >
> > -----------------------------21154944191352840482619583850
> >
> >
> > On Thu, Jul 30, 2015 at 3:39 PM, P K <pkopensrc at gmail.com> wrote:
> >
> > > Thanks Shaun. I saw it's pushed in the latest update.
> > >
> > > Hope to learn more from you guys.
> > >
> > > On Wed, Jul 29, 2015 at 7:32 PM, Shaun Hurley <shahurle at sourcefire.com>
> > > wrote:
> > >
> > >> PK,
> > >>
> > >> Thank you for bringing this to our attention.
> > >>
> > >> I have created another signature that doesn't rely upon PUA being enabled.
> > >> As soon as the signature is done being tested for false positives we will
> > >> publish it.
> > >>
> > >> Thanks again,
> > >> Shaun Hurley
> > >> ClamAV Malware Team
> > >>
> > >> On Tue, Jul 28, 2015 at 10:54 AM, P K <pkopensrc at gmail.com> wrote:
> > >>
> > >> > worked properly after enabling PUA.
> > >> >
> > >> > Cheers,
> > >> > --PK
> > >> >
> > >> > On Tue, Jul 28, 2015 at 8:14 PM, Steve Basford <steveb_clamav at sanesecurity.com>
> > >> > wrote:
> > >> >
> > >> > >
> > >> > > On Tue, July 28, 2015 3:41 pm, P K wrote:
> > >> > > > So how to detect same in my clamAv?
> > >> > > >
> > >> > >
> > >> > > Until a proper sig is added, you could try
> > >> > >
> > >> > > clamscan  --detect-pua=yes
> > >> > >
> > >> > > Cheers,
> > >> > >
> > >> > > Steve
> > >> > > Web : sanesecurity.com
> > >> > > Blog: sanesecurity.blogspot.com
> > >> > >
> > >> > > _______________________________________________
> > >> > > Help us build a comprehensive ClamAV guide:
> > >> > > https://github.com/vrtadmin/clamav-faq
> > >> > >
> > >> > > http://www.clamav.net/contact.html#ml
> > >> > >
> > >> >
> > >>
> > >
> > >
> >
>
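The dump above shows the real problem with how the scanner was being fed: the bytes handed to ClamAV are an entire multipart/form-data request body, so the `%PDF-` header sits behind form fields and part headers instead of at offset 0. Whatever comes out of the bugzilla ticket, the robust fix on the integration side is to split the body into its parts and scan only the uploaded file. The following is an added example, not code from the original thread or from the ClamAV project: it parses a multipart body, pulls out the file part, and frames it for clamd's INSTREAM command. The boundary string and field names are copied from the posted dump; the request body and the PDF inside it are constructed stand-ins, not the exploit file.

```python
"""
Added example (not from the thread or the ClamAV project): extract the
uploaded file from a multipart/form-data body and frame it for clamd INSTREAM.
Boundary and field names come from the posted dump; the body and PDF are
constructed stand-ins.
"""
import re
import struct

BOUNDARY = "---------------------------21154944191352840482619583850"

# Constructed, harmless PDF stand-in for the uploaded file.
SAMPLE_PDF = (
    b"%PDF-1.1\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def _part(headers: str, body: bytes) -> bytes:
    """One multipart body part: delimiter, headers, blank line, data, CRLF."""
    return (b"--" + BOUNDARY.encode() + b"\r\n"
            + headers.encode() + b"\r\n\r\n" + body + b"\r\n")


# Constructed request body modelled on the poster's dump.
SAMPLE_BODY = (
    _part('Content-Disposition: form-data; name="__EVENTVALIDATION"',
          b"/wEWBAK5276uAwLv4ZO6DgLmgPS1DQL374fcBaj9ZhJYdIZVwZS464ZHv7T3ou6w")
    + _part('Content-Disposition: form-data; name="destination"',
            b"/AnalyticsReports")
    + _part('Content-Disposition: form-data; '
            'name="ctl00$PlaceHolderMain$ctl01$ctl05$InputFile"; '
            'filename="exploit.pdf"\r\n'
            'Content-Type: application/force-download', SAMPLE_PDF)
    + _part('Content-Disposition: form-data; '
            'name="ctl00$PlaceHolderMain$ctl01$ctl05$OverwriteSingle"', b"on")
    + b"--" + BOUNDARY.encode() + b"--\r\n"
)


def parse_multipart(body: bytes, boundary: str) -> list:
    """Split a multipart/form-data body into parts.

    Each part is a dict with 'name', 'filename' (None for plain fields),
    'content_type' and 'data'. The delimiter is CRLF "--" boundary; the CRLF
    belongs to the delimiter, so part data keeps its exact bytes.
    """
    delimiter = b"\r\n--" + boundary.encode()
    parts = []
    # Prepend CRLF so the first delimiter matches the same pattern as the rest.
    for chunk in (b"\r\n" + body).split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--": no more parts
        head, sep, data = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue  # malformed part without a header block
        headers = {}
        for line in head.decode("latin-1").strip("\r\n").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        disposition = headers.get("content-disposition", "")
        # (?<!file) keeps 'name=' from matching inside 'filename='.
        name = re.search(r'(?<!file)name="([^"]*)"', disposition)
        filename = re.search(r'filename="([^"]*)"', disposition)
        parts.append({
            "name": name.group(1) if name else None,
            "filename": filename.group(1) if filename else None,
            "content_type": headers.get("content-type"),
            "data": data,
        })
    return parts


def pdf_offset(data: bytes) -> int:
    """Byte offset of the first '%PDF-' marker, or -1 if absent.

    For the bare upload this is 0; for the whole request body it is wherever
    the file part begins, behind the form fields and part headers.
    """
    return data.find(b"%PDF-")


def extract_uploads(body: bytes, boundary: str) -> list:
    """Only the parts that carry a filename, i.e. the uploaded files."""
    return [p for p in parse_multipart(body, boundary) if p["filename"] is not None]


def clamd_instream_frames(data: bytes, chunk_size: int = 2048) -> bytes:
    """Frame data for clamd's INSTREAM command.

    Wire format: the command "zINSTREAM\\0", then chunks each prefixed with a
    4-byte big-endian length, terminated by a zero-length chunk. clamd replies
    "stream: OK" or "stream: <signature> FOUND".
    """
    out = bytearray(b"zINSTREAM\0")
    for i in range(0, len(data), chunk_size):
        chunk = data[i:i + chunk_size]
        out += struct.pack("!I", len(chunk)) + chunk
    out += struct.pack("!I", 0)
    return bytes(out)


def instream_requests(body: bytes, boundary: str) -> dict:
    """Map each uploaded filename to a ready-to-send INSTREAM request."""
    return {p["filename"]: clamd_instream_frames(p["data"])
            for p in extract_uploads(body, boundary)}


if __name__ == "__main__":
    print("'%PDF-' offset in whole body:", pdf_offset(SAMPLE_BODY))
    for upload in extract_uploads(SAMPLE_BODY, BOUNDARY):
        print(upload["filename"], upload["content_type"],
              "offset in extracted part:", pdf_offset(upload["data"]))
```

Send the bytes from `instream_requests` over the clamd socket (TCP or the local Unix socket) and read the single-line reply per stream; keep the chunks below clamd's `StreamMaxLength` or the daemon will abort the scan. Splitting on `CRLF--boundary` rather than `--boundary` matters for binary uploads, whose bodies can legitimately contain runs of dashes.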
