I used to be able to scan the database to determine when each signature was added, but that list has been eliminated so I can’t verify, but when an older file is suddenly identified as infected, my first thought is that this must be a new signature. Just because the vulnerability has been known since 2012 doesn’t mean that ClamAV has been able to detect it since then.
-Al-

> On Jul 9, 2015, at 11:22 AM, Ingo Bente <[email protected]> wrote:
>
> The file has been subject to daily scanning since Mar 2015. According to
> the mtime, the file has not been changed since. However, the positive
> finding from ClamAV occurred just yesterday. That's why it seems to me that
> this might be a false positive.
>
> Please let me know what you think.
>
> Cheers
> Ingo
>
> On Thu, 9 Jul 2015 at 19:33 Al Varnell <[email protected]> wrote:
>
>> I’m not sure why you would consider a 2012 CVE to be an indicator of a
>> false positive. Have you read the vulnerability description?
>> <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0167>
>>
>> If that document contains an EMF image it could cause a heap-based buffer
>> overflow in those older, unmatched versions of Microsoft Office.
>>
>> -Al-

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
