A ClamXav user asked if the detection of the Exploit.PDF.Gen in a couple of his files was a False Positive. One of the files was the clamav 0.96.2 engine installer that comes with the previous version of ClamXav. The other was found in an admin php file in his MAMP installation (tcpdf.php).
I pulled out my copy of the old installer and confirmed the finding.

Here's an extract of the log from yesterday's cdiff update:

> Author: Robert Scroggins
> Date: 2010-11-07 17:40 -800
> To: clamav-virusdb
> Subject: [clamav-virusdb] Update (daily: 12214)
> ClamAV database updated (07 Nov 2010 20-39 -0500): daily.cvd
> Version: 12214
> ...
> Submission-ID: 18136333
> Sender: Virus Total
> Sender: Henry Hertz Hobbit
> Sender: ShadowServer
> Sender: Ken Dunham
> Added: Exploit.PDF.Gen
> Virus name alias: Exploit.JS.Pdfka.cuk (Kaspersky)

The ASCII signature it's looking for is:

> %PDF-????f?67&???/JavaScript????f?67&???

Kind of a sneaky way to get folks to update their software ;-)

-Al-
--
Al Varnell
Mountain View, CA
