[clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1
Paul Kosinski
clamav-users at iment.com
Thu Mar 31 18:56:48 UTC 2016
I disable Javascript in our PDF viewer. PostScript (which underlies
PDF) is a Turing-complete executable language, and even has a mechanism
to read and write files, so it could cause some trouble on its own.
On Thu, 31 Mar 2016 10:36:18 -0500
Noel Jones <njones at megan.vbhcs.org> wrote:
> Known malware will still be detected, even if you ignore the
> troublesome PUA sigs.
>
> These aren't really false positives since the .pdf really does
> contain javascript. So the sigs are working as intended.
>
> The alternative is to communicate to your users that .pdf files
> containing javascript are not allowed in email. Unfortunately,
> *many* legit .pdf files contain javascript.
>
> This is more of a local policy decision than a tech decision.
>
>
> -- Noel Jones
>
>
>
> On 3/31/2016 9:25 AM, polloxx wrote:
> > That's known to me Steve.
> > I'm afraid malware will not be detected in that case.
> >
> > P.
> >
> > On Thu, Mar 31, 2016 at 3:43 PM, Steve Basford <
> > steveb_clamav at sanesecurity.com> wrote:
> >
> >>
> >> On Thu, March 31, 2016 2:33 pm, polloxx wrote:
> >>> Since the new Clamav database we have a lot more false positives
> >>> for PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
> >>> What can we do about this, except disabling PUA?
> >>
> >> Create a local.ign2 with the following lines:
> >>
> >> PUA.Pdf.Trojan.EmbeddedJS-1
> >> PUA.Win.Trojan.EmbeddedPDF-1
> >>
> >> Place in ClamAV database folder and restart clamd
> >>
> >> Cheers,
> >>
> >> Steve
> >> Web : sanesecurity.com
> >> Blog: sanesecurity.blogspot.com
> >> Twitter: @sanesecurity
> >>
> >> _______________________________________________
> >> Help us build a comprehensive ClamAV guide:
> >> https://github.com/vrtadmin/clamav-faq
> >>
> >> http://www.clamav.net/contact.html#ml
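
The local.ign2 procedure from Steve Basford's quoted reply, as an added example that is not part of the original thread: a POSIX shell function that adds signature names to local.ign2 without duplicating entries and swaps the file in atomically. The function name ign2_add and the CLAMAV_DBDIR variable are hypothetical, and the chmod assumes clamd runs as a different user that needs read access.

```shell
#!/bin/sh
# Added example (not from the thread): maintain local.ign2 idempotently.
# ign2_add DBDIR SIGNAME...  prints how many names were newly added.
ign2_add() {
    dbdir=$1; shift
    [ -d "$dbdir" ] || { echo "no such database dir: $dbdir" >&2; return 1; }
    ign="$dbdir/local.ign2"
    # Build the new list next to the target so the final rename stays on one filesystem.
    tmp=$(mktemp "$dbdir/local.ign2.XXXXXX") || return 1
    if [ -f "$ign" ]; then
        # awk 1 copies every line and supplies a missing final newline,
        # so an appended name can never be glued onto the last entry.
        awk 1 "$ign" > "$tmp"
    fi
    added=0
    for name in "$@"; do
        # Accept plain signature names only: no spaces, wildcards or empty strings.
        case $name in
            ''|*[!A-Za-z0-9._-]*) echo "skipping invalid name: $name" >&2; continue ;;
        esac
        # -F fixed string, -x whole line: skip names that are already ignored.
        if ! grep -Fxq -- "$name" "$tmp"; then
            printf '%s\n' "$name" >> "$tmp"
            added=$((added + 1))
        fi
    done
    # mktemp creates the file 0600; assumption: clamd needs world-readable.
    chmod 644 "$tmp"
    # Atomic replace: the scanner never sees a half-written ignore list.
    mv -f "$tmp" "$ign" || { rm -f "$tmp"; return 1; }
    echo "$added"
}

# Usage (CLAMAV_DBDIR is a placeholder for the site's database folder):
#   ign2_add "$CLAMAV_DBDIR" PUA.Pdf.Trojan.EmbeddedJS-1 PUA.Win.Trojan.EmbeddedPDF-1
# then restart clamd, as the reply above says.
```

Running it a second time with the same names adds nothing, so it is safe to call from a provisioning script.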