[clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
Al Varnell
alvarnell at mac.com
Tue May 2 07:46:24 UTC 2017
I see there is a rewrite in daily 23349 that just posted:
> VIRUS NAME: Pdf.Exploit.CVE_2017_3039-6300177-2
> TDB: Engine:81-255,Target:10
> LOGICAL EXPRESSION: 0&1&2=0
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> /Adobe.PPKLite/Location{WILDCARD_ANY_STRING(LENGTH<=290)}/SubFilter
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> /Sig
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> +-> TRIGGER: 0&1
> +-> REGEX: \x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig
> +-> CFLAGS: sm
-Al-
On Tue, May 02, 2017 at 12:38 AM, Al Varnell wrote:
>
> It never appeared on a daily as being dropped, but when I checked on Saturday and again just now, I can't find it:
>
>> $ sigtool --find Pdf.Exploit.CVE_2017_3039-6300177-0
>> $
>
> I don't think it is related, but there was an issue with DNS that stopped all updates after 23343 late Saturday until mid morning Monday Pacific Time.
>
> -Al-
>
> On Tue, May 02, 2017 at 12:27 AM, Vladislav Kurz wrote:
>>
>> Hello,
>>
>> did you really drop the signature?
>>
>> During the weekend scan (clamscan), we got 45 false positives. According
>> to file names, they seem to be signed official PDF documents from government.
>>
>> On 04/28/17 17:16, Christopher Marczewski wrote:
>>> Thanks for the reports. We'll be modifying the signature.
>>>
>>> In the interim, I've dropped the current signature.
>>>
>>> On Fri, Apr 28, 2017 at 11:01 AM, Vladislav Kurz <vladislav.kurz at webstep.net> wrote:
>>>
>>>> I have the same problem, and already submitted a false positive report.
>>>> In our case it was a signed pdf, so I suspect that the signature makes
>>>> it FP. But I have no idea how to work around it now. Maybe disable pdf
>>>> scanning?
>>>>
>>>> On 04/28/17 16:47, Giuseppe Ravasio wrote:
>>>>> Hi,
>>>>> since this morning daily signature update 23337
>>>>> and even with the latest one 23338
>>>>> my amavis flags some emails with PDF attachments as virus:
>>>>> Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>>>
>>>>> Checking the PDF with other AVs and even with clamscan (on the same
>>>>> server) results in a clean file:
>>>>>
>>>>> beppe at thot:/tmp$ clamscan TCA.pdf
>>>>> TCA.pdf: OK
>>>>>
>>>>> ----------- SCAN SUMMARY -----------
>>>>> Known viruses: 6272759
>>>>> Engine version: 0.99.2
>>>>> Scanned directories: 0
>>>>> Scanned files: 1
>>>>> Infected files: 0
>>>>> Data scanned: 0.22 MB
>>>>> Data read: 0.08 MB (ratio 2.71:1)
>>>>> Time: 17.277 sec (0 m 17 s)
>>>>>
>>>>> if I check the file with clamdscan I get the virus found:
>>>>> beppe at thot:/tmp$ clamdscan TCA.pdf
>>>>> /tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>>>
>>>>> ----------- SCAN SUMMARY -----------
>>>>> Infected files: 1
>>>>> Time: 0.032 sec (0 m 0 s)
>>>>>
>>>>> Any hints on how to solve the problem?
>>>>>
>>>>> Thanks
>>>>> Giuseppe
>>>>> _______________________________________________
>>>>> clamav-users mailing list
>>>>> clamav-users at lists.clamav.net
>>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>>>
>>>>>
>>>>> Help us build a comprehensive ClamAV guide:
>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>
>>>>> http://www.clamav.net/contact.html#ml
>>>>>
>
> -Al-
-Al-
--
Al Varnell
Mountain View, CA
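To see what the rewritten signature actually keys on, here is an added example (my own code, not ClamAV's matcher and not anything posted in this thread) that transcribes the three decoded subsignatures of Pdf.Exploit.CVE_2017_3039-6300177-2 quoted at the top of the post into Python regexes and evaluates the logical expression `0&1&2=0`, which I read with ClamAV's usual logical-signature semantics as "subsignatures 0 and 1 match, and subsignature 2 has a match count of zero". It is a simplified stand-in for the real engine (byte-level search only, no `Target:10` PDF-type gating, no object-stream decoding), and the three PDF signature-dictionary fragments it runs over are constructed for illustration, not taken from any real document.

```python
import re

# Transcription of the three subsignatures as decoded by sigtool in the post.
# Subsig 0 is a hex-string pattern; its {WILDCARD_ANY_STRING(LENGTH<=290)}
# gap is rendered as .{0,290} with DOTALL. Subsig 1 is a plain substring.
# Subsig 2 is the PCRE, with its CFLAGS "sm" mapped to DOTALL | MULTILINE;
# it only counts when its TRIGGER 0&1 is satisfied.
SUBSIG0 = re.compile(rb"/Adobe\.PPKLite/Location.{0,290}/SubFilter", re.DOTALL)
SUBSIG1 = rb"/Sig"
SUBSIG2 = re.compile(
    rb"\x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig",
    re.DOTALL | re.MULTILINE,
)


def subsig_counts(data: bytes) -> dict:
    """Match count per subsignature over a raw byte buffer (simplified)."""
    c0 = len(SUBSIG0.findall(data))
    c1 = data.count(SUBSIG1)
    # The PCRE subsig is only evaluated once its trigger 0&1 holds.
    c2 = len(SUBSIG2.findall(data)) if (c0 and c1) else 0
    return {0: c0, 1: c1, 2: c2}


def matches_revision_2(data: bytes) -> bool:
    """Logical expression 0&1&2=0: subsigs 0 and 1 present, subsig 2 absent."""
    c = subsig_counts(data)
    return c[0] > 0 and c[1] > 0 and c[2] == 0


# Constructed signature dictionaries (hypothetical, not from real files).
# A: conventional Adobe-style signature. /Location precedes /SubFilter, the
#    SubFilter is an /adbe.* value and /Type /Sig follows within the regex's
#    20-byte window, so all three subsigs fire and the 2=0 term excludes it.
SIGNED_ADBE = (
    b"<</Filter/Adobe.PPKLite/Location(Prague)/Reason(Approval)"
    b"/SubFilter/adbe.pkcs7.detached/Type/Sig/ByteRange[0 1234 5678 910]>>"
)

# B: same layout but with a non-/adbe. SubFilter value. Subsig 2 requires the
#    literal "/adbe." so it never matches, and the expression is satisfied.
SIGNED_CADES = (
    b"<</Filter/Adobe.PPKLite/Location(Prague)"
    b"/SubFilter/ETSI.CAdES.detached/Type/Sig>>"
)

# C: an ordinary page object with no signature dictionary at all.
PLAIN = b"<</Type/Page/Contents 4 0 R>>"


if __name__ == "__main__":
    for label, frag in (("adbe", SIGNED_ADBE), ("cades", SIGNED_CADES), ("plain", PLAIN)):
        print(label, subsig_counts(frag), "DETECTED" if matches_revision_2(frag) else "clean")
```

What this shows: a conventional Adobe-style dictionary, where an `/adbe.*` SubFilter is followed closely by `/Type /Sig`, satisfies subsignatures 0 and 1 but is excluded by the `2=0` term, which fits the false-positive reports on signed PDFs earlier in the thread. A dictionary using another SubFilter value (the `ETSI.CAdES.detached` fragment above) is not excluded, because the regex demands the literal `/adbe.`; whether the real engine would flag such a file also depends on things this toy ignores, so treat it as a reading aid for the signature rather than a scanner. On the workaround question raised in the thread: the standard ClamAV way to silence one named signature locally is a `.ign2` file in the database directory listing the signature name, one per line, followed by a clamd reload, which is far narrower than disabling PDF scanning altogether.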