[clamav-users] Rogue definition Pdf.Exploit.CVE_2018_12798-6633682-0 causing a LOT of FP's

Groach groachmail-stopspammingme at yahoo.com
Sun Aug 12 17:26:09 UTC 2018


I have a nightly scan.  The last 2 nights' reports now look like this 
(extract):

D:\Datastore\hMailData\mydomain.net\4B\{4B794DE7-4DB0-4542-B8C3-BED2122A8238}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\F5\{F51B0223-3606-40D8-A5F1-2C3F2D0249CF}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\0C\{0C03ECFE-19C0-4434-BA5F-E2612171E6AB}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\15\{158D145C-A1E3-4657-A41C-AAD5E3E323AA}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\15\{15EDC37B-2D06-4BB9-B50D-E216B76D96F4}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\20\{2088EE70-E979-4300-A135-E6242F4F7BA1}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\22\{22BA0B38-024E-4468-BC6F-92E55CEFB998}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\41\{41E3410E-D480-4C07-A57D-7144D2739AC3}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\45\{4500489E-78C8-4384-B93E-B543412ADFCD}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\45\{453329F7-BFF1-4DC3-8179-88234963B759}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\47\{47D49FF6-8813-405F-85B3-27AFB674581F}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\4C\{4C84EAC1-248B-4767-9B45-D533194306C7}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\4D\{4D81A733-3A24-4269-A995-CE9F4B737BAE}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\55\{55ACC46A-B1FE-4E88-B9AF-E9BD3560BA1C}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\58\{58C08BD2-942F-44AC-8009-F4B8E9E507DF}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\5D\{5DE02DA0-C788-464F-86F4-BD2AE7374039}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\5E\{5E79E62C-B51D-45B9-BD36-F2BD995C955C}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\66\{668AF3A4-C4A6-4117-930A-2D4CA783DD3C}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\67\{676BEA97-6B38-4C2E-A28D-5F064CB6C5FD}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\69\{694A7DE9-D3F8-431F-96A1-172AF47BF6EE}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\70\{7033900E-77D8-4B4C-836D-525D3FF5545B}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\74\{74132DE5-FCBD-4449-B2B9-D8021159717A}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\75\{7521CE1F-1CAF-4AB8-8B5F-86AF4449DE2F}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\7B\{7BBA2F36-C61E-4AEF-A7CF-07E6B019D00F}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\82\{827DC0B5-1B14-456C-A406-152D6F8F94A1}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\88\{88ACDA82-D858-41E4-8A69-316B8755CDB2}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\99\{993349F4-55F3-44F3-9B01-7D70A099A3A4}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\99\{99DE3EDB-257F-4566-93D9-0546ABC8896E}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\9F\{9FD20130-3017-49D2-9B12-346ABD05AF3A}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\A8\{A8FC3422-301B-4B0E-BA18-F9D001B503F7}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\B1\{B12F9462-74D7-4C67-A2C8-D95CD3E8EA32}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\B3\{B3501441-B1D1-4B48-AF3E-62502FFE7CCE}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\C0\{C08A1A27-6443-422E-BCEA-5F38D1E24415}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\C1\{C138E0D4-0297-4614-8D6B-5D71858BB364}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\C9\{C95918CF-B85D-48A8-A6B5-3E13CE47694E}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\CB\{CB36A9B1-61CE-48BC-BC36-8BB6674816D5}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\D7\{D72F3B46-2EF9-4500-84E0-23E5E5BCD913}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\D9\{D91AEF21-287E-4239-96C1-0436450F14B1}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\E8\{E8A418A7-AF0E-4058-A26F-D6A47D2E33C8}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\E8\{E8ADD2F5-82C0-4E66-B83C-CA4B6E1B260F}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\EB\{EBF38EA3-F451-4D37-A744-CA835BEBB7CF}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\ED\{ED4ECB6B-521E-40E9-B522-04CC884FF01B}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\EE\{EEBD0A9F-8706-416C-9B21-FAC8ED698DB5}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\EE\{EEF2744C-4A15-4DF9-AA8A-6BA777C218D0}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\FA\{FAFEE228-E7EB-4EE4-8E29-ABBCB1975B0D}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
D:\Datastore\hMailData\mydomain.net\FC\{FC93325E-6A19-4ABC-A151-0D14E4754709}.eml: 
Pdf.Exploit.CVE_2018_12798-6633682-0 FOUND
...
etc. and so on.

A LOT.   These are all emails (the email store of our mail server) that 
contain PDF attachments and are all genuine PDFs (historical and recent 
- some over 3 years old).  I am not uploading any of them to the 'false 
positive' report page as they contain private confidential 
information (e.g., plans and financial information) from professional, 
reputable companies.

Can I ask that this particular definition be pulled, or at least reviewed, 
please.

Thank you

(Good job I now only run in report mode and not delete mode, due to a 
previous bad experience with ClamAV definitions; otherwise our company 
would have lost all of these emails which, apart from anything else, 
would have broken some retention policy and laws we have to adhere to.)
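An added example, not from the poster or the ClamAV project: a Python script that parses clamscan's "path: SIGNATURE FOUND" report lines (rejoining entries a mail client wrapped over two lines, as in the extract above) and flags any signature whose hit count jumped sharply since the previous night, which is the pattern a rogue definition leaves. The sample reports and paths are constructed; the thresholds are arbitrary assumptions.

```python
import re
from collections import Counter

# clamscan reports one detection per line: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SIG = "Pdf.Exploit.CVE_2018_12798-6633682-0"  # signature named in the post

def parse_report(text):
    """Count files flagged per signature. A mail client may wrap a long
    report line after the "path:" part; such split entries are rejoined."""
    counts, pending = Counter(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending is not None:
            line, pending = pending + " " + line, None
        m = FOUND_RE.match(line)
        if m:
            counts[m.group("sig")] += 1
        elif line.endswith(":"):
            pending = line  # path only; "SIG FOUND" follows on the next line
    return counts

def suspect_signatures(previous, current, min_hits=10, ratio=5.0):
    """Signatures whose hit count jumped sharply since the previous run
    (assumed thresholds). Returns (signature, hits_before, hits_now)."""
    out = []
    for sig, now in current.items():
        before = previous.get(sig, 0)
        if now >= min_hits and now >= ratio * max(before, 1):
            out.append((sig, before, now))
    return sorted(out, key=lambda t: -t[2])

# constructed sample reports (not the poster's real data): an older night with
# one hit, and last night with many hits, one of them wrapped over two lines
PREVIOUS = "D:\\Datastore\\hMailData\\00\\{0}.eml: %s FOUND\n" % SIG
CURRENT = "".join("D:\\Datastore\\hMailData\\%02X\\{%d}.eml: %s FOUND\n" % (i, i, SIG)
                  for i in range(11))
CURRENT += "D:\\Datastore\\hMailData\\FF\\{99}.eml: \n%s FOUND\n" % SIG
CURRENT += "D:\\Datastore\\hMailData\\AB\\{7}.eml: Eicar-Test-Signature FOUND\n"

def report_suspects():
    return suspect_signatures(parse_report(PREVIOUS), parse_report(CURRENT))

if __name__ == "__main__":
    for sig, before, now in report_suspects():
        # a signature confirmed as a false positive can be suppressed locally,
        # pending the vendor's review, by listing its name in a .ign2 file in
        # the ClamAV database directory
        print("%s: %d -> %d hits" % (sig, before, now))
```

Running the script on two real report files (read from disk instead of the constructed strings) gives a nightly list of signatures worth checking before anything is quarantined or deleted.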