On Tue, 7 Sep 2010 17:34:15 -0400 Jason Parsons <[email protected]> wrote:
> [r...@c1-delltest2 temp]# egrep ':54$' daily.*
> daily.ftm:1:*:255044462d??2e*737461727478726566*2525454f46:PDF:CL_TYPE_ANY:CL_TYPE_PDF:54:54
> daily.ftm:1:*:257064662d??2e*737461727478726566*2525454f46:PDF:CL_TYPE_ANY:CL_TYPE_PDF:54:54
> daily.ftm:1:0:255044462d*737461727478726566*2525454f46:PDF document:CL_TYPE_ANY:CL_TYPE_PDF:54:54
>
> [r...@c1-delltest2 temp]# egrep ':55$' daily.*
> daily.ftm:0:0:255044462d:PDF document:CL_TYPE_ANY:CL_TYPE_PDF:55
> daily.ftm:1:*:255044462d??2e:PDF:CL_TYPE_ANY:CL_TYPE_PDF:55
> daily.ftm:1:*:257064662d??2e:PDF:CL_TYPE_ANY:CL_TYPE_PDF:55
>
> I believe this is causing PDF files to not be parsed by clamav:
>
> LibClamAV debug: cli_loadftm: File type signature for PDF document not loaded (required f-level: 55)
> LibClamAV debug: cli_loadftm: File type signature for PDF not loaded (required f-level: 55)
> LibClamAV debug: cli_loadftm: File type signature for PDF not loaded (required f-level: 55)

There are 3 signatures for PDF, one for 0:53, one for 54:54, and one for 55+.
Each ClamAV version loads the appropriate one.
Unfortunately due to a bug in 0.96.2 the 54:54 signature doesn't work properly.

Should be fixed in bytecode.cvd version 41, it'll report malware detected inside PDF as BC.PDF.Parser.MalwareFound.
In 0.96.3 the name will be fixed.

Please report if you encounter any other problems with it.

Best regards,
--Edwin
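The f-level gating discussed in this thread, as an added example that is not part of either message and is not ClamAV's code: it parses the six `daily.ftm` entries quoted above and lists which ones an engine at a given f-level would load. The field order (magic type, offset, magic bytes, name, rtype, type, optional minimum and maximum f-level) is assumed from ClamAV's documented file type magic layout, and `FtmSig`, `parse_ftm`, `loads_at` and `loaded_for` are hypothetical names.

```python
from typing import List, NamedTuple, Optional

# The six daily.ftm entries quoted in the thread, "daily.ftm:" grep prefix dropped.
FTM_LINES = """\
1:*:255044462d??2e*737461727478726566*2525454f46:PDF:CL_TYPE_ANY:CL_TYPE_PDF:54:54
1:*:257064662d??2e*737461727478726566*2525454f46:PDF:CL_TYPE_ANY:CL_TYPE_PDF:54:54
1:0:255044462d*737461727478726566*2525454f46:PDF document:CL_TYPE_ANY:CL_TYPE_PDF:54:54
0:0:255044462d:PDF document:CL_TYPE_ANY:CL_TYPE_PDF:55
1:*:255044462d??2e:PDF:CL_TYPE_ANY:CL_TYPE_PDF:55
1:*:257064662d??2e:PDF:CL_TYPE_ANY:CL_TYPE_PDF:55
""".splitlines()


class FtmSig(NamedTuple):
    magic_type: str
    offset: str
    magic: str
    name: str
    rtype: str
    ftype: str
    min_flevel: int            # 0 when the field is absent
    max_flevel: Optional[int]  # None means no upper bound


def parse_ftm(line: str) -> FtmSig:
    """Split one .ftm entry; the two f-level fields are optional (assumed layout)."""
    fields = line.strip().split(":")
    if not 6 <= len(fields) <= 8:
        raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
    min_fl = int(fields[6]) if len(fields) > 6 else 0
    max_fl = int(fields[7]) if len(fields) > 7 else None
    return FtmSig(*fields[:6], min_fl, max_fl)


def loads_at(sig: FtmSig, flevel: int) -> bool:
    """True when an engine at this f-level falls inside the entry's range."""
    if flevel < sig.min_flevel:
        return False
    return sig.max_flevel is None or flevel <= sig.max_flevel


def loaded_for(flevel: int, ftype: str = "CL_TYPE_PDF") -> List[FtmSig]:
    return [s for s in map(parse_ftm, FTM_LINES)
            if s.ftype == ftype and loads_at(s, flevel)]


if __name__ == "__main__":
    for fl in (53, 54, 55, 56):
        print(fl, [(s.name, s.min_flevel, s.max_flevel) for s in loaded_for(fl)])
```

At f-level 54 only the three `54:54` entries are selected and the three `:55` entries are skipped, which is the state the quoted `cli_loadftm` debug lines show; f-level 53 returns nothing here because the 0:53 entry is not among the quoted lines.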
