Same problem here. Almost all messages that include PDF attachments are triggering this false positive (we have more than 3 million accounts with thousands of lines of clamd logs like this).

Would it be possible to remove this signature (or replace it with one with a narrow regexp)?

Regards,

Claudio Cuqui

On 04/24/2011 09:30 AM, Steven Chamberlain wrote:

On -10/01/37 20:59, Johannes Schulz wrote:

"sigtool -fPUA.PDF.OpenActionObject|sigtool --decode-sigs" says:
VIRUS NAME: PUA.PDF.OpenActionObject
TARGET TYPE: ANY FILE
OFFSET: 0
DECODED SIGNATURE:
%PDF-{WILDCARD_ANY_STRING}obj{WILDCARD_ANY_STRING(LENGTH<=2)}<<{WILDCARD_ANY_STRING}/OpenAction

Hi,

As of today a bunch of old PDFs on my system were also flagged with
this.  They had been composed in OpenOffice.org Writer and contained:

/OpenAction[1 0 R /XYZ null null 0]

Also due to the same update (daily 13008) I had a ~1MiB PDF document
made by ImageMagick flagged by:

VIRUS NAME: PUA.PDF.EmbeddedJS
TARGET TYPE: ANY FILE
OFFSET: 0
DECODED SIGNATURE:
%PDF-{WILDCARD_ANY_STRING}obj{WILDCARD_ANY_STRING(LENGTH<=2)}<<{WILDCARD_ANY_STRING}/JS

...because halfway through the file, inside some image data, were the
characters "/JS".
characters "/JS".

Surely this is going to cause many false detections?  Like maybe 1 in 16
out of all PDFs over 1MiB.

Regards,

_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
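Added example (not part of the original thread and not ClamAV code): the two decoded signatures quoted above, translated into byte regexes and run over constructed benign PDF fragments, plus the chance that the 3-byte literal "/JS" turns up in 1 MiB of image data. The regex translation only approximates ClamAV's matching, and the estimate assumes the image bytes are uniformly random.

```python
import re

# Decoded signatures exactly as quoted in the thread.
PREFIX = "%PDF-{WILDCARD_ANY_STRING}obj{WILDCARD_ANY_STRING(LENGTH<=2)}<<{WILDCARD_ANY_STRING}"
SIGS = {
    "PUA.PDF.OpenActionObject": PREFIX + "/OpenAction",
    "PUA.PDF.EmbeddedJS": PREFIX + "/JS",
}
TOKEN = re.compile(r"\{WILDCARD_ANY_STRING(?:\(LENGTH<=(\d+)\))?\}")

def compile_sig(decoded):
    """Turn sigtool's decoded form into a bytes regex (approximation)."""
    parts, pos = [], 0
    for m in TOKEN.finditer(decoded):
        parts.append(re.escape(decoded[pos:m.start()]))
        # Bounded wildcard -> .{0,N}?, unbounded wildcard -> .*?
        parts.append(".{0,%s}?" % m.group(1) if m.group(1) else ".*?")
        pos = m.end()
    parts.append(re.escape(decoded[pos:]))
    return re.compile("".join(parts).encode("ascii"), re.DOTALL)

def detections(data):
    # "OFFSET: 0" in the decoded output: anchor the match at the file start.
    return sorted(n for n, s in SIGS.items() if compile_sig(s).match(data))

def chance_of_literal(literal_len, size_bytes):
    """P(a fixed literal occurs at least once), assuming uniformly random
    bytes and treating start positions as independent (an approximation)."""
    positions = size_bytes - literal_len + 1
    return 1 - (1 - 256.0 ** -literal_len) ** positions

# Constructed samples: benign fragments, not real files.
BENIGN_OOO = (b"%PDF-1.4\n5 0 obj\n<</Type/Catalog/Pages 2 0 R\n"
              b"/OpenAction[1 0 R /XYZ null null 0]>>\nendobj\n")
BENIGN_IMAGE = (b"%PDF-1.3\n8 0 obj\n<</Subtype/Image/Length 12>>\nstream\n"
                b"\x9c\x01/JS\xff\xd8\x10\x00\x7f\x03\x02\nendstream\nendobj\n")
PLAIN = b"%PDF-1.4\n1 0 obj\n<</Type/Catalog>>\nendobj\n"

if __name__ == "__main__":
    for name, blob in [("openoffice-style", BENIGN_OOO),
                       ("image-stream", BENIGN_IMAGE), ("plain", PLAIN)]:
        print(name, detections(blob))
    print("P('/JS' in 1 MiB) = %.4f" % chance_of_literal(3, 2 ** 20))
```

The first two fragments are flagged although one holds only a view destination and the other only image bytes, and the computed probability agrees with the "maybe 1 in 16" figure in the message above.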
