Hi Dan!

Thank you for bringing this to our attention. From a quick check of some of the samples alerting with this signature it does seem like it could be causing FPs. The signature will be dropped for now.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos

On Fri, Sep 10, 2021 at 12:44 PM <eric-list@truenet.com> wrote:

Dan,

You can use sigtool:

#sigtool --find-sigs Pdf.Phishing.CWS4c384287-9890237-0 | sigtool --decode-sigs

Looks like a cmap definition so a definition of character sets to Unicode.

Could definitely be a false positive; send samples to https://www.clamav.net/reports/fp


Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of Dan Jaap via clamav-users
Sent: Friday, September 10, 2021 12:31 PM
To: clamav-users@lists.clamav.net
Cc: Dan Jaap <djaap@flclerks.com>
Subject: [clamav-users] Pdf.Phishing.CWS4c384287-9890237-0

Can someone explain what the classification “Pdf.Phishing.CWS4c384287-9890237-0” means? I assume it has something to do with a link found in a document. However, we’ve had several of these lately and I can’t see anything wrong with the documents. We’re using clamav with OPSWAT Metadefender, integrated into a Web site. Each document that is uploaded is scanned by the platform and clamav is the only engine finding problems with the documents in question. I have already submitted a sample document as a false positive, but have not heard back yet. I was hoping to get more info here as to what “Pdf.Phishing.CWS4c384287-9890237-0” means.

Here are some details for our clamav environment:

VERSION: 0.102.4-810
DATABASE VERSION: 1631145600
DEFINITION UPDATES: Up to date (up to date)

