On -10/01/37 20:59, Johannes Schulz wrote:
> "sigtool -fPUA.PDF.OpenActionObject|sigtool --decode-sigs" says:
> VIRUS NAME: PUA.PDF.OpenActionObject
> TARGET TYPE: ANY FILE
> OFFSET: 0
> DECODED SIGNATURE:
> %PDF-{WILDCARD_ANY_STRING}obj{WILDCARD_ANY_STRING(LENGTH<=2)}<<{WILDCARD_ANY_STRING}/OpenAction
Hi,

As of today a bunch of old PDFs on my system were also flagged with
this. They had been composed in OpenOffice.org Writer and contained:

> /OpenAction[1 0 R /XYZ null null 0]

Also due to the same update (daily 13008) I had a ~1MiB PDF document
made by ImageMagick flagged by:

> VIRUS NAME: PUA.PDF.EmbeddedJS
> TARGET TYPE: ANY FILE
> OFFSET: 0
> DECODED SIGNATURE:
> %PDF-{WILDCARD_ANY_STRING}obj{WILDCARD_ANY_STRING(LENGTH<=2)}<<{WILDCARD_ANY_STRING}/JS

...because halfway through the file, inside some image data, were the
characters "/JS".

Surely this is going to cause many false detections? Like maybe 1 in 16
out of all PDFs over 1MiB.

Regards,
--
Steven Chamberlain
[email protected]
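
The false positive described in this message, reproduced as an added Python example (not part of the original post and not ClamAV code): the two decoded signatures are translated into byte regexes and run over constructed sample PDFs, once over the raw file and once with stream bodies blanked out. The helper names, the sample files and the stream-skipping check are assumptions made for illustration, and the probability estimate assumes uniformly random stream bytes.

```python
import math
import re

# Decoded signatures from this thread as byte regexes:
# {WILDCARD_ANY_STRING} -> .*   {WILDCARD_ANY_STRING(LENGTH<=2)} -> .{0,2}
def sig(keyword: bytes) -> re.Pattern:
    return re.compile(rb"%PDF-.*obj.{0,2}<<.*" + re.escape(keyword), re.DOTALL)

EMBEDDED_JS = sig(b"/JS")
OPEN_ACTION = sig(b"/OpenAction")

# Simplification: stream bodies are located by keyword; a real parser
# would parse each object and honour its /Length entry.
STREAM_BODY = re.compile(rb"stream\r?\n.*?endstream", re.DOTALL)

def matches_raw(pattern: re.Pattern, data: bytes) -> bool:
    """Match anywhere in the file, binary stream data included."""
    return pattern.search(data) is not None

def matches_outside_streams(pattern: re.Pattern, data: bytes) -> bool:
    """Match only against PDF syntax, with stream bodies blanked out."""
    return pattern.search(STREAM_BODY.sub(b"stream\nendstream", data)) is not None

def chance_of_random_hit(size_bytes: int, needle_len: int = 3) -> float:
    """P(a fixed needle occurs) in uniformly random bytes (Poisson approximation)."""
    expected = (size_bytes - needle_len + 1) / 256 ** needle_len
    return 1 - math.exp(-expected)

# Constructed samples (not real files).
IMAGE_PDF = (b"%PDF-1.3\n1 0 obj\n<< /Type /XObject /Subtype /Image /Length 12 >>\n"
             b"stream\n\x8f\x02/JS\xc4\x91\x00\x17\xee\x03\x9a\nendstream\nendobj\n%%EOF\n")
JS_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /JavaScript /JS 2 0 R >>\n"
          b"endobj\n%%EOF\n")
WRITER_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R "
              b"/OpenAction[1 0 R /XYZ null null 0] >>\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for name, pattern, data in [("image data containing /JS", EMBEDDED_JS, IMAGE_PDF),
                                ("real /JS dictionary key", EMBEDDED_JS, JS_PDF),
                                ("Writer /OpenAction view", OPEN_ACTION, WRITER_PDF)]:
        print(f"{name}: raw={matches_raw(pattern, data)} "
              f"outside_streams={matches_outside_streams(pattern, data)}")
    print(f"P('/JS' somewhere in 1 MiB of random bytes) ~ {chance_of_random_hit(1 << 20):.3f}")
```

Skipping stream bodies removes the image-data hit but not the OpenOffice.org one, because there `/OpenAction` is a genuine catalog key that only sets the initial view.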