I do see a few alerts for Pdf.Exploit.CVE_2017_3039-6300177-2 on VirusTotal, too.
We'll be dropping the signature again & examining further.

On Tue, May 2, 2017 at 8:24 AM, Giuseppe Ravasio <[email protected]> wrote:
> Hi,
>
> I'm now getting some other signed pdf matched by
> Pdf.Exploit.CVE_2017_3039-6300177-2
>
> As with the Pdf.Exploit.CVE_2017_3039-6300177-0 it only happens using
> the daemon and not clamscan.
>
> Regards
> Giuseppe
>
> On 02/05/2017 09:46, Al Varnell wrote:
> > I see there is a rewrite in daily 23349 that just posted:
> >
> >> VIRUS NAME: Pdf.Exploit.CVE_2017_3039-6300177-2
> >> TDB: Engine:81-255,Target:10
> >> LOGICAL EXPRESSION: 0&1&2=0
> >> * SUBSIG ID 0
> >> +-> OFFSET: ANY
> >> +-> SIGMOD: NONE
> >> +-> DECODED SUBSIGNATURE:
> >> /Adobe.PPKLite/Location{WILDCARD_ANY_STRING(LENGTH<=290)}/SubFilter
> >> * SUBSIG ID 1
> >> +-> OFFSET: ANY
> >> +-> SIGMOD: NONE
> >> +-> DECODED SUBSIGNATURE:
> >> /Sig
> >> * SUBSIG ID 2
> >> +-> OFFSET: ANY
> >> +-> SIGMOD: NONE
> >> +-> DECODED SUBSIGNATURE:
> >> +-> TRIGGER: 0&1
> >> +-> REGEX: \x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig
> >> +-> CFLAGS: sm
> >
> > -Al-
> >
> > On Tue, May 02, 2017 at 12:38 AM, Al Varnell wrote:
> >>
> >> It never appeared on a daily as being dropped, but when I checked on
> >> Saturday and again just now, I can't find it:
> >>
> >>> $ sigtool --find Pdf.Exploit.CVE_2017_3039-6300177-0
> >>> $
> >>
> >> I don't think it is related, but there was an issue with DNS that
> >> stopped all updates after 23343 late Saturday until mid morning Monday
> >> Pacific Time.
> >>
> >> -Al-
> >>
> >> On Tue, May 02, 2017 at 12:27 AM, Vladislav Kurz wrote:
> >>>
> >>> Hello,
> >>>
> >>> did you really drop the signature?
> >>>
> >>> During the weekend scan (clamscan), we got 45 false positives. According
> >>> to file names, they seem to be signed official PDF documents from
> >>> government.
> >>>
> >>> On 04/28/17 17:16, Christopher Marczewski wrote:
> >>>> Thanks for the reports. We'll be modifying the signature.
> >>>>
> >>>> In the interim, I've dropped the current signature.
> >>>>
> >>>> On Fri, Apr 28, 2017 at 11:01 AM, Vladislav Kurz <[email protected]> wrote:
> >>>>
> >>>>> I have the same problem, and already submitted a false positive report.
> >>>>> In our case it was a signed pdf, so I suspect that the signature makes
> >>>>> it FP. But I have no idea how to work around it now. Maybe disable pdf
> >>>>> scanning?
> >>>>>
> >>>>> On 04/28/17 16:47, Giuseppe Ravasio wrote:
> >>>>>> Hi,
> >>>>>> since this morning daily signature update 23337
> >>>>>> and even with the latest one 23338
> >>>>>> my amavis flags some emails with PDF attachments as virus:
> >>>>>> Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
> >>>>>>
> >>>>>> Checking the PDF with other AVs and even with clamscan (on the same
> >>>>>> server) results in a clean file:
> >>>>>>
> >>>>>> beppe@thot:/tmp$ clamscan TCA.pdf
> >>>>>> TCA.pdf: OK
> >>>>>>
> >>>>>> ----------- SCAN SUMMARY -----------
> >>>>>> Known viruses: 6272759
> >>>>>> Engine version: 0.99.2
> >>>>>> Scanned directories: 0
> >>>>>> Scanned files: 1
> >>>>>> Infected files: 0
> >>>>>> Data scanned: 0.22 MB
> >>>>>> Data read: 0.08 MB (ratio 2.71:1)
> >>>>>> Time: 17.277 sec (0 m 17 s)
> >>>>>>
> >>>>>> if I check the file with clamdscan I get the virus found:
> >>>>>> beppe@thot:/tmp$ clamdscan TCA.pdf
> >>>>>> /tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
> >>>>>>
> >>>>>> ----------- SCAN SUMMARY -----------
> >>>>>> Infected files: 1
> >>>>>> Time: 0.032 sec (0 m 0 s)
> >>>>>>
> >>>>>> Any hints on how to solve the problem?
> >>>>>>
> >>>>>> Thanks
> >>>>>> Giuseppe
> >>>>>> _______________________________________________
> >>>>>> clamav-users mailing list
> >>>>>> [email protected]
> >>>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
> >>>>>>
> >>>>>>
> >>>>>> Help us build a comprehensive ClamAV guide:
> >>>>>> https://github.com/vrtadmin/clamav-faq
> >>>>>>
> >>>>>> http://www.clamav.net/contact.html#ml
> >>
> >> -Al-
> >
> > -Al-

-- 
Christopher Marczewski
Research Engineer
Talos Group
[email protected]
Phone: 443.832.2975
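As an added illustration, not code from this thread or from ClamAV, the following Python models the decoded signature Al posted from daily 23349: the three subsignatures, the 0&1 trigger on subsig 2, and the 0&1&2 logical expression, run over constructed fragments of PDF signature dictionaries. It stands in for the engine's matcher with Python regexes (the bounded wildcard as `.{0,290}`, CFLAGS `sm` as DOTALL|MULTILINE) and does not reproduce ClamAV's PDF parsing or normalization, so it explains why a legitimately signed document can satisfy the pattern; the authoritative check is still running clamscan and clamdscan against the file.

```python
import re

# Target:10 in a ClamAV logical signature is the PDF file type; the subsigs
# below are the decoded patterns from the sigtool output quoted in the thread.

# SUBSIG 0: /Adobe.PPKLite/Location{WILDCARD_ANY_STRING(LENGTH<=290)}/SubFilter
# The bounded wildcard is approximated here as .{0,290} across any bytes.
SUBSIG0 = re.compile(rb"/Adobe\.PPKLite/Location.{0,290}/SubFilter", re.DOTALL)

# SUBSIG 1: the literal /Sig (note this also hits /SigFlags in an AcroForm dict)
SUBSIG1 = re.compile(rb"/Sig")

# SUBSIG 2: the posted regex, CFLAGS sm -> DOTALL | MULTILINE; only evaluated
# once its TRIGGER (0&1) is satisfied.
SUBSIG2 = re.compile(
    rb"\x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig",
    re.DOTALL | re.MULTILINE,
)


def evaluate_subsigs(data: bytes) -> dict:
    """Return which subsignatures fire on the given bytes, honoring the trigger."""
    hits = {0: bool(SUBSIG0.search(data)), 1: bool(SUBSIG1.search(data))}
    hits[2] = bool(hits[0] and hits[1] and SUBSIG2.search(data))
    return hits


def matches_signature(data: bytes) -> bool:
    """LOGICAL EXPRESSION 0&1&2: all three subsignatures must hit."""
    hits = evaluate_subsigs(data)
    return hits[0] and hits[1] and hits[2]


# Constructed sample (not a real document): a PKCS#7 signature dictionary
# serialized compactly with keys in the order /Filter, /Location, /SubFilter,
# /Type. Nothing here is malicious; it is what an ordinary signed PDF carries.
SIGNED_COMPACT = (
    b"%PDF-1.7\n12 0 obj\n"
    b"<</Filter/Adobe.PPKLite/Location(Ministry of Example, Rome)"
    b"/SubFilter/adbe.pkcs7.detached/Type/Sig"
    b"/ByteRange[0 1234 5678 910]/Contents<3082...>/Reason(Approved)>>\n"
    b"endobj\n"
)

# Same keys, same values, but /Type/Sig serialized first (also constructed).
SIGNED_REORDERED = (
    b"%PDF-1.7\n12 0 obj\n"
    b"<</Type/Sig/Filter/Adobe.PPKLite/Location(Ministry of Example, Rome)"
    b"/SubFilter/adbe.pkcs7.detached"
    b"/ByteRange[0 1234 5678 910]/Contents<3082...>/Reason(Approved)>>\n"
    b"endobj\n"
)

# Constructed unsigned document with no signature dictionary at all.
UNSIGNED = b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"


if __name__ == "__main__":
    for name, blob in (("signed, compact", SIGNED_COMPACT),
                       ("signed, reordered", SIGNED_REORDERED),
                       ("unsigned", UNSIGNED)):
        print(f"{name:18s} subsigs={evaluate_subsigs(blob)} "
              f"FOUND={matches_signature(blob)}")
```

What the model shows is that the match is decided by how the producer serializes the signature dictionary, not by anything in the document's content: the same /Sig dictionary with /Type/Sig emitted before /SubFilter satisfies subsigs 0 and 1 but never the regex in subsig 2, so it is not flagged, while the compact Filter/Location/SubFilter/Type order is. A batch of documents signed by one tool will therefore all go one way together, which fits the reports of whole sets of signed government PDFs being hit.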
