PUA.PDF.EmbeddedJS and PUA.PDF.EmbeddedJavaScript have been dropped and have been replaced with the signatures below:

PUA.Script.PDF.EmbeddedJavaScript
PUA.Script.PDF.EmbeddedJS

Thanks,
-Alain

On Sun, Apr 24, 2011 at 8:30 AM, Steven Chamberlain <[email protected]> wrote:
> On -10/01/37 20:59, Johannes Schulz wrote:
>> "sigtool -fPUA.PDF.OpenActionObject|sigtool --decode-sigs" says:
>> VIRUS NAME: PUA.PDF.OpenActionObject
>> TARGET TYPE: ANY FILE
>> OFFSET: 0
>> DECODED SIGNATURE:
>> %PDF-{WILDCARD_ANY_STRING}obj{WILDCARD_ANY_STRING(LENGTH<=2)}<<{WILDCARD_ANY_STRING}/OpenAction
>
> Hi,
>
> As of today a bunch of old PDFs on my system were also flagged with
> this. They had been composed in OpenOffice.org Writer and contained:
>
>> /OpenAction[1 0 R /XYZ null null 0]
>
> Also due to the same update (daily 13008) I had a ~1MiB PDF document
> made by ImageMagick flagged by:
>
>> VIRUS NAME: PUA.PDF.EmbeddedJS
>> TARGET TYPE: ANY FILE
>> OFFSET: 0
>> DECODED SIGNATURE:
>> %PDF-{WILDCARD_ANY_STRING}obj{WILDCARD_ANY_STRING(LENGTH<=2)}<<{WILDCARD_ANY_STRING}/JS
>
> ...because halfway through the file, inside some image data, were the
> characters "/JS".
>
> Surely this is going to cause many false detections? Like maybe 1 in 16
> out of all PDFs over 1MiB.
>
> Regards,
> --
> Steven Chamberlain
> [email protected]
> _______________________________________________
> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
> http://www.clamav.net/support/ml
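
An added example (not part of the thread and not ClamAV code) that reproduces the false positive described above and checks the "1 in 16" estimate. It renders the decoded PUA.PDF.EmbeddedJS signature as a Python regex, which is an assumed mapping of the wildcards, and compares it with a variant that ignores stream bodies; the sample PDFs and all function names are constructed for illustration.

```python
import math
import re

# Regex rendering of the decoded signature quoted in the thread (assumed
# mapping: WILDCARD_ANY_STRING -> .*, LENGTH<=2 -> .{0,2}, bytes, DOTALL).
NAIVE_SIG = re.compile(rb"%PDF-.*obj.{0,2}<<.*/JS", re.DOTALL)
# Stream bodies hold compressed or image bytes, not PDF dictionary keys.
STREAM_BODY = re.compile(rb"stream\r?\n.*?endstream", re.DOTALL)


def naive_match(pdf: bytes) -> bool:
    """True when the loose byte pattern fires anywhere in the file."""
    return NAIVE_SIG.search(pdf) is not None


def stream_aware_match(pdf: bytes) -> bool:
    """Same pattern, applied after blanking every stream body."""
    return naive_match(STREAM_BODY.sub(b"stream\nendstream", pdf))


def chance_of_random_hit(n_bytes: int, token: bytes = b"/JS") -> float:
    """Approximate chance that n_bytes of uniform random data contain token."""
    positions = n_bytes - len(token) + 1
    return 1.0 - math.exp(positions * math.log1p(-(256.0 ** -len(token))))


# Constructed sample: an image object whose raw stream data happens to
# contain the bytes "/JS". The file carries no JavaScript action.
IMAGE_ONLY_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /XObject /Subtype /Image /Length 12 >>\n"
    b"stream\n\x8f\x02/JS\xd1\x00\x7f\x10\x9a\x33\x41\x05\nendstream\nendobj\n"
    b"%%EOF\n"
)

# Constructed sample: a dictionary that really has a /JS key.
JS_ACTION_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Action /S /JavaScript /JS 2 0 R >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for name, pdf in (("image-only", IMAGE_ONLY_PDF), ("js-action", JS_ACTION_PDF)):
        print(name, "naive:", naive_match(pdf), "stream-aware:", stream_aware_match(pdf))
    p = chance_of_random_hit(1024 * 1024)
    print(f"chance of '/JS' in 1 MiB of random bytes: {p:.4f} (about 1 in {1 / p:.1f})")
```

For 1 MiB of data that behaves like uniform random bytes, the estimate comes out near 0.06, which agrees with the "1 in 16" figure in the quoted message. Blanking stream bodies only illustrates where the false positive comes from; it would also hide a /JS key stored inside a compressed object stream.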
