Thanks. I've just found another one too

BC.Img.Exploit.CVE_2017_11255-6335669-1

It's triggering on a file that's been part of macOS for many years. It's also a tiff file. I can submit this as well if necessary?

Out of interest, is the type detection mismatch something that can be fixed in daily.cvd or can I patch libclamav/filetypes_int.h to revert it to what it was at 0.103.0?

Mark

> On 12 Feb 2021, at 5:23 am, Micah Snyder (micasnyd) <micas...@cisco.com> wrote:
>
> It appears to me to be an issue with the signature which is only evident in
> 0.103.1 now that we're matching TIFFs with Target:5 signatures, like this
> one.
>
> There was apparently a mismatch for TIFF file type detection between the file
> type magic signatures built-in to libclamav (libclamav/filetypes_int.h) and
> the .ftm sigs shipped with daily.cvd (which override the internal ones when
> loaded).
>
> I'll ask to have the signature dropped and re-evaluated.
>
> -Micah
>
>> -----Original Message-----
>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf Of
>> Micah Snyder (micasnyd)
>> Sent: Thursday, February 11, 2021 8:27 PM
>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>
>> Thank you Mark! We'll take a look.
>>
>> -Micah
>>
>>> -----Original Message-----
>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On Behalf
>>> Of Mark Allan
>>> Sent: Thursday, February 11, 2021 3:54 PM
>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>> Subject: Re: [Clamav-devel] Issue with FP only on 0.103.1
>>>
>>> Hi Micah,
>>>
>>> Yes of course! I've just uploaded a zip file (Archive.zip) to the FP
>>> page on clamav.net
>>> MD5 (Archive.zip) = 45229d954a884a1e03aba15b9f42168a
>>>
>>> Regards
>>> Mark
>>>
>>>> On 11 Feb 2021, at 7:12 pm, Micah Snyder (micasnyd)
>>>> <micas...@cisco.com> wrote:
>>>>
>>>> Hi Mark,
>>>>
>>>> Do you think you could share a sample or two with me to test? I'm
>>>> really curious what changed and would like to debug each version
>>>> with a sample or two.
>>>>
>>>> -Micah
>>>>
>>>>> -----Original Message-----
>>>>> From: clamav-devel <clamav-devel-boun...@lists.clamav.net> On
>>>>> Behalf Of Mark Allan
>>>>> Sent: Monday, February 8, 2021 3:04 AM
>>>>> To: ClamAV Development <clamav-devel@lists.clamav.net>
>>>>> Subject: [Clamav-devel] Issue with FP only on 0.103.1
>>>>>
>>>>> Hi all,
>>>>>
>>>>> It looks like the additional image file type support in 0.103.1 has
>>>>> introduced an issue with a particular signature which has been in
>>>>> the database since 2018
>>>>>
>>>>> Img.Exploit.CVE_2018_4904-6449838-0
>>>>>
>>>>> It's flagging up thousands of known-good files. As far as I can
>>>>> tell, they're all TIFF files.
>>>>>
>>>>> I've added that signature to an ign2 file for now, but I'm
>>>>> wondering if there's something else that's maybe amiss somewhere
>>>>> either with the signature or the 0.103.1 update?
>>>>>
>>>>> Best regards,
>>>>> Mark
>>>>>
>>>>> _______________________________________________
>>>>>
>>>>> clamav-devel mailing list
>>>>> clamav-devel@lists.clamav.net
>>>>> https://lists.clamav.net/mailman/listinfo/clamav-devel
>>>>>
>>>>> Please submit your patches to our Github:
>>>>> https://github.com/Cisco-Talos/clamav-devel/pulls
>>>>>
>>>>> Help us build a comprehensive ClamAV guide:
>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>
>>>>> http://www.clamav.net/contact.html#ml
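
Added example, not part of the original thread or of ClamAV: a small triage helper for the situation described above. It groups clamscan "FOUND" lines by signature, checks each flagged file's header for the TIFF magic, and emits local .ign2 entries only for signatures whose hits are all TIFFs. The function names and the min_hits threshold are assumptions made for illustration.

```python
import re
import sys
from collections import defaultdict

# TIFF header: byte-order mark ("II" little-endian, "MM" big-endian) + version 42.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
# clamscan reports a detection as "<path>: <signature> FOUND".
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def is_tiff(path):
    """True if the file starts with a TIFF header; unreadable files count as not TIFF."""
    try:
        with open(path, "rb") as fh:
            return fh.read(4) in TIFF_MAGICS
    except OSError:
        return False


def group_hits(scan_lines):
    """Map signature name -> list of flagged paths, from clamscan output lines."""
    hits = defaultdict(list)
    for line in scan_lines:
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("sig")].append(m.group("path"))
    return dict(hits)


def tiff_only_signatures(hits, min_hits=2):
    """Signatures with at least min_hits detections, every one of them a TIFF.

    min_hits is an arbitrary threshold (assumption) so that a single hit
    is not treated as a pattern.
    """
    return sorted(
        sig for sig, paths in hits.items()
        if len(paths) >= min_hits and all(is_tiff(p) for p in paths)
    )


def ign2_lines(signatures):
    """Content for a local .ign2 file: one signature name per line."""
    return "".join(sig + "\n" for sig in signatures)


if __name__ == "__main__":
    # Reads clamscan output on stdin, prints candidate .ign2 entries on stdout.
    print(ign2_lines(tiff_only_signatures(group_hits(sys.stdin))), end="")
```

An .ign2 entry suppresses the signature for every file, so the printed names are candidates to review against known-good files, and to remove again once the signature is corrected upstream.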