[clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

Vladislav Kurz vladislav.kurz at webstep.net
Tue May 2 07:27:40 UTC 2017 

Hello,

did you really drop the signature?

During the weekend scan (clamscan), we got 45 false positives. According
to file names, they seem to be signed official PDF documents from goverment.

On 04/28/17 17:16, Christopher Marczewski wrote:
> Thanks for the reports. We'll be modifying the signature.
> 
> In the interim, I've dropped the current signature.
> 
> On Fri, Apr 28, 2017 at 11:01 AM, Vladislav Kurz <vladislav.kurz at webstep.net
>> wrote:
> 
>> I have the same problem, and already submitted a false positive report.
>> In our case it was a signad pdf, so I suspect that the signature makes
>> it FP. But I have no idea how to work around it now. Maybe disable pdf
>> scanning?
>>
>> On 04/28/17 16:47, Giuseppe Ravasio wrote:
>>> Hi,
>>> since this morning daily signature update 23337
>>> and even with the latest one 23338
>>> my amavis flags some emails with PDF attachments as virus:
>>> Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>
>>> Checking the PDF with other AVs and even with clamscan (on the same
>>> server) results in a clean file:
>>>
>>> beppe at thot:/tmp$ clamscan TCA.pdf
>>> TCA.pdf: OK
>>>
>>> ----------- SCAN SUMMARY -----------
>>> Known viruses: 6272759
>>> Engine version: 0.99.2
>>> Scanned directories: 0
>>> Scanned files: 1
>>> Infected files: 0
>>> Data scanned: 0.22 MB
>>> Data read: 0.08 MB (ratio 2.71:1)
>>> Time: 17.277 sec (0 m 17 s)
>>>
>>> if I check the file with clamdscan I get the virus found:
>>> beppe at thot:/tmp$ clamdscan TCA.pdf
>>> /tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>
>>> ----------- SCAN SUMMARY -----------
>>> Infected files: 1
>>> Time: 0.032 sec (0 m 0 s)
>>>
>>> Any hints on how to solve the problem?
>>>
>>> Thanks
>>> Giuseppe
>>> _______________________________________________
>>> clamav-users mailing list
>>> clamav-users at lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>
>>>
>>> Help us build a comprehensive ClamAV guide:
>>> https://github.com/vrtadmin/clamav-faq
>>>
>>> http://www.clamav.net/contact.html#ml
>>>
>>
>>
>> _______________________________________________
>> clamav-users mailing list
>> clamav-users at lists.clamav.net
>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>
>>
>> Help us build a comprehensive ClamAV guide:
>> https://github.com/vrtadmin/clamav-faq
>>
>> http://www.clamav.net/contact.html#ml
>>
> 
> 
> 


-- 
S pozdravem
        Vladislav Kurz

Centrála: Celní 17/5, 63900 Brno, CZ
Web: http://www.webstep.net
E-Mail: podpora at webstep.net
Tel: 840 840 700, +420 548 214 711
Obchodní podmínky: https://zkrat.to/op

More information about the clamav-users mailing list