[clamav-users] Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd

Christopher Marczewski cmarczewski at sourcefire.com
Tue May 2 14:25:58 UTC 2017


I do see a few alerts for Pdf.Exploit.CVE_2017_3039-6300177-2 on
VirusTotal, too.

We'll be dropping the signature again & examining further.

On Tue, May 2, 2017 at 8:24 AM, Giuseppe Ravasio <giuseppe_ravasio at ch.modiano.com> wrote:

> Hi,
>
> I'm now getting some other signed pdf matched by
> Pdf.Exploit.CVE_2017_3039-6300177-2
>
> As with the Pdf.Exploit.CVE_2017_3039-6300177-0 it only happens using
> the daemon and not clamscan.
>
> Regards
> Giuseppe
>
> On 02/05/2017 09:46, Al Varnell wrote:
> > I see there is a rewrite in daily 23349 that just posted:
> >
> >> VIRUS NAME: Pdf.Exploit.CVE_2017_3039-6300177-2
> >> TDB: Engine:81-255,Target:10
> >> LOGICAL EXPRESSION: 0&1&2=0
> >>  * SUBSIG ID 0
> >>  +-> OFFSET: ANY
> >>  +-> SIGMOD: NONE
> >>  +-> DECODED SUBSIGNATURE:
> >> /Adobe.PPKLite/Location{WILDCARD_ANY_STRING(LENGTH<=290)}/SubFilter
> >>  * SUBSIG ID 1
> >>  +-> OFFSET: ANY
> >>  +-> SIGMOD: NONE
> >>  +-> DECODED SUBSIGNATURE:
> >> /Sig
> >>  * SUBSIG ID 2
> >>  +-> OFFSET: ANY
> >>  +-> SIGMOD: NONE
> >>  +-> DECODED SUBSIGNATURE:
> >>      +-> TRIGGER: 0&1
> >>      +-> REGEX: \x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig
> >>      +-> CFLAGS: sm
> >
> > -Al-
> >
> > On Tue, May 02, 2017 at 12:38 AM, Al Varnell wrote:
> >>
> >> It never appeared on a daily as being dropped, but when I checked on
> >> Saturday and again just now, I can't find it:
> >>
> >>> $ sigtool --find Pdf.Exploit.CVE_2017_3039-6300177-0
> >>> $
> >>
> >> I don't think it is related, but there was an issue with DNS that
> >> stopped all updates after 23343 late Saturday until mid morning Monday
> >> Pacific Time.
> >>
> >> -Al-
> >>
> >> On Tue, May 02, 2017 at 12:27 AM, Vladislav Kurz wrote:
> >>>
> >>> Hello,
> >>>
> >>> did you really drop the signature?
> >>>
> >>> During the weekend scan (clamscan), we got 45 false positives.
> >>> According to file names, they seem to be signed official PDF documents
> >>> from government.
> >>>
> >>> On 04/28/17 17:16, Christopher Marczewski wrote:
> >>>> Thanks for the reports. We'll be modifying the signature.
> >>>>
> >>>> In the interim, I've dropped the current signature.
> >>>>
> >>>> On Fri, Apr 28, 2017 at 11:01 AM, Vladislav Kurz <vladislav.kurz at webstep.net> wrote:
> >>>>
> >>>>> I have the same problem, and already submitted a false positive
> >>>>> report. In our case it was a signed pdf, so I suspect that the
> >>>>> signature makes it FP. But I have no idea how to work around it now.
> >>>>> Maybe disable pdf scanning?
> >>>>>
> >>>>> On 04/28/17 16:47, Giuseppe Ravasio wrote:
> >>>>>> Hi,
> >>>>>> since this morning daily signature update 23337
> >>>>>> and even with the latest one 23338
> >>>>>> my amavis flags some emails with PDF attachments as virus:
> >>>>>> Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
> >>>>>>
> >>>>>> Checking the PDF with other AVs and even with clamscan (on the same
> >>>>>> server) results in a clean file:
> >>>>>>
> >>>>>> beppe at thot:/tmp$ clamscan TCA.pdf
> >>>>>> TCA.pdf: OK
> >>>>>>
> >>>>>> ----------- SCAN SUMMARY -----------
> >>>>>> Known viruses: 6272759
> >>>>>> Engine version: 0.99.2
> >>>>>> Scanned directories: 0
> >>>>>> Scanned files: 1
> >>>>>> Infected files: 0
> >>>>>> Data scanned: 0.22 MB
> >>>>>> Data read: 0.08 MB (ratio 2.71:1)
> >>>>>> Time: 17.277 sec (0 m 17 s)
> >>>>>>
> >>>>>> if I check the file with clamdscan I get the virus found:
> >>>>>> beppe at thot:/tmp$ clamdscan TCA.pdf
> >>>>>> /tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
> >>>>>>
> >>>>>> ----------- SCAN SUMMARY -----------
> >>>>>> Infected files: 1
> >>>>>> Time: 0.032 sec (0 m 0 s)
> >>>>>>
> >>>>>> Any hints on how to solve the problem?
> >>>>>>
> >>>>>> Thanks
> >>>>>> Giuseppe
> >>>>>> _______________________________________________
> >>>>>> clamav-users mailing list
> >>>>>> clamav-users at lists.clamav.net
> >>>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >>>>>>
> >>>>>>
> >>>>>> Help us build a comprehensive ClamAV guide:
> >>>>>> https://github.com/vrtadmin/clamav-faq
> >>>>>>
> >>>>>> http://www.clamav.net/contact.html#ml
> >>>>>>
> >>>>>
> >>>>>



-- 
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.832.2975
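Added example, not part of this thread and not ClamAV's own code: the three subsignatures of the -2 rewrite that Al Varnell quoted from sigtool, transcribed into Python regular expressions, with a small evaluator for the logical expression 0&1&2=0. It assumes that ClamAV's X=N compares the match count of subsignature X with N, so 2=0 holds only when the PCRE found nothing and the regex works as an exclusion for the usual signed-PDF layout; that reading is an assumption, not something the thread states. The two signature-dictionary fragments are constructed, not real documents, and layout B goes beyond what the thread shows: it only illustrates one way a legitimately signed PDF can fall outside the exclusion regex, it does not claim this is what caused the reported matches.

```python
import re

# Subsignatures of Pdf.Exploit.CVE_2017_3039-6300177-2 as transcribed from the
# sigtool dump quoted in the thread.  ClamAV's {WILDCARD_ANY_STRING(LENGTH<=290)}
# spans any bytes, newlines included, hence re.DOTALL on subsig 0; subsig 2 is a
# PCRE with CFLAGS "sm" (DOTALL and MULTILINE).
SUBSIGS = {
    0: re.compile(rb"/Adobe\.PPKLite/Location.{0,290}/SubFilter", re.DOTALL),
    1: re.compile(rb"/Sig"),
    2: re.compile(rb"/SubFilter(.{0,50})/adbe\.(.{1,20})/Type\s*/Sig",
                  re.DOTALL | re.MULTILINE),
}
# TRIGGER: 0&1 -- the PCRE subsig is only evaluated once subsigs 0 and 1 matched.
TRIGGERS = {2: (0, 1)}


def count_matches(data: bytes) -> dict:
    """Return the match count of every subsignature, honouring the PCRE trigger."""
    counts = {}
    for sid, rx in SUBSIGS.items():
        if any(counts.get(dep, 0) == 0 for dep in TRIGGERS.get(sid, ())):
            counts[sid] = 0      # trigger not satisfied: the PCRE never runs
            continue
        counts[sid] = len(rx.findall(data))
    return counts


def lsig_matches(counts: dict) -> bool:
    """LOGICAL EXPRESSION 0&1&2=0.

    Assumption (mine, not from the thread): ClamAV's ``X=N`` compares the match
    count of subsig X with N, so ``2=0`` is satisfied only when the PCRE found
    nothing.  Under that reading the regex is an exclusion for the normal
    signed-PDF layout, and the signature fires on Adobe.PPKLite signature
    dictionaries that do not fit it.
    """
    return counts[0] > 0 and counts[1] > 0 and counts[2] == 0


def scan(data: bytes) -> bool:
    """True when the logical signature would report the file."""
    return lsig_matches(count_matches(data))


# Constructed signature-dictionary fragments (not real PDFs, no real /Contents
# blob).  PDF does not define a key order inside a dictionary, so different
# writers emit the same keys in different orders.
# Layout A follows the order the PCRE expects: /SubFilter ... /adbe. ... /Type/Sig.
SIGNED_PDF_A = (
    b"%PDF-1.7\n12 0 obj\n"
    b"<</Filter/Adobe.PPKLite/Location(Milano)/Reason(Approved)"
    b"/SubFilter/adbe.pkcs7.detached/Type/Sig/Contents<00>>>\n"
    b"endobj\n%%EOF\n"
)
# Layout B: the same keys, but /Type/Sig written ahead of /SubFilter, so the
# exclusion PCRE cannot match although the document is just as legitimate.
SIGNED_PDF_B = (
    b"%PDF-1.7\n12 0 obj\n"
    b"<</Type/Sig/Filter/Adobe.PPKLite/Location(Milano)/Reason(Approved)"
    b"/SubFilter/adbe.pkcs7.detached/Contents<00>>>\n"
    b"endobj\n%%EOF\n"
)
# An unsigned document carries none of the markers.
UNSIGNED_PDF = b"%PDF-1.7\n1 0 obj\n<</Type/Catalog/Pages 2 0 R>>\nendobj\n%%EOF\n"


if __name__ == "__main__":
    for name, doc in (("signed, layout A", SIGNED_PDF_A),
                      ("signed, layout B", SIGNED_PDF_B),
                      ("unsigned", UNSIGNED_PDF)):
        counts = count_matches(doc)
        verdict = "FOUND" if lsig_matches(counts) else "OK"
        print(f"{name:18s} subsig counts={counts} -> {verdict}")
```

Running it reports layout A and the unsigned document as OK and layout B as FOUND, because for B subsigs 0 and 1 match while the exclusion regex has nothing to anchor to once /Type/Sig precedes /SubFilter. The script models only the pattern logic; it does not model ClamAV's PCRE match limits, file-type detection, or any difference between clamd and clamscan configuration, so it cannot explain why the reports in the thread came from the daemon only.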


