Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1

2016-03-31 Thread Steve Basford

On Thu, March 31, 2016 7:56 pm, Paul Kosinski wrote:
> I disable Javascript in our PDF viewer. PostScript (which underlies
> PDF) is a Turing-complete executable language, and even has a mechanism
> to read and write files, so it could cause some trouble on its own.

Good idea!

For Windows users, http://www.sumatrapdfreader.org/free-pdf-reader.html
doesn't use JavaScript at all, even better ;)

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity

___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1

2016-03-31 Thread Paul Kosinski
I disable Javascript in our PDF viewer. PostScript (which underlies
PDF) is a Turing-complete executable language, and even has a mechanism
to read and write files, so it could cause some trouble on its own.


On Thu, 31 Mar 2016 10:36:18 -0500
Noel Jones wrote:

> Known malware will still be detected, even if you ignore the
> troublesome PUA sigs.
> 
> These aren't really false positives since the .pdf really does
> contain javascript.  So the sigs are working as intended.
> 
> The alternative is to communicate to your users that .pdf files
> containing javascript are not allowed in email.  Unfortunately,
> *many* legit .pdf files contain javascript.
> 
> This is more of a local policy decision than a tech decision.
> 
> 
>   -- Noel Jones
> 
> 
> 
> On 3/31/2016 9:25 AM, polloxx wrote:
> > That's known to me Steve.
> > I'm afraid malware will not be detected in that case.
> > 
> > P.
> > 
> > On Thu, Mar 31, 2016 at 3:43 PM, Steve Basford <
> > steveb_cla...@sanesecurity.com> wrote:
> > 
> >>
> >> On Thu, March 31, 2016 2:33 pm, polloxx wrote:
> >>> Since the new ClamAV database we have a lot more false positives
> >>> for PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
> >>> What can we do about this, except disabling PUA?
> >>
> >> Create a local.ign2 with the following lines:
> >>
> >> PUA.Pdf.Trojan.EmbeddedJS-1
> >> PUA.Win.Trojan.EmbeddedPDF-1
> >>
> >> Place in ClamAV database folder and restart clamd
> >>
> >> Cheers,
> >>
> >> Steve
> >> Web : sanesecurity.com
> >> Blog: sanesecurity.blogspot.com
> >> Twitter: @sanesecurity
> >>


Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1

2016-03-31 Thread polloxx
Thanks Noël.

On Thu, Mar 31, 2016 at 5:36 PM, Noel Jones wrote:

> Known malware will still be detected, even if you ignore the
> troublesome PUA sigs.
>
> These aren't really false positives since the .pdf really does
> contain javascript.  So the sigs are working as intended.
>
> The alternative is to communicate to your users that .pdf files
> containing javascript are not allowed in email.  Unfortunately,
> *many* legit .pdf files contain javascript.
>
> This is more of a local policy decision than a tech decision.
>
>
>   -- Noel Jones
>
>
>
> On 3/31/2016 9:25 AM, polloxx wrote:
> > That's known to me Steve.
> > I'm afraid malware will not be detected in that case.
> >
> > P.
> >
> > On Thu, Mar 31, 2016 at 3:43 PM, Steve Basford <
> > steveb_cla...@sanesecurity.com> wrote:
> >
> >>
> >> On Thu, March 31, 2016 2:33 pm, polloxx wrote:
> >>> Since the new ClamAV database we have a lot more false positives for
> >>> PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
> >>> What can we do about this, except disabling PUA?
> >>
> >> Create a local.ign2 with the following lines:
> >>
> >> PUA.Pdf.Trojan.EmbeddedJS-1
> >> PUA.Win.Trojan.EmbeddedPDF-1
> >>
> >> Place in ClamAV database folder and restart clamd
> >>
> >> Cheers,
> >>
> >> Steve
> >> Web : sanesecurity.com
> >> Blog: sanesecurity.blogspot.com
> >> Twitter: @sanesecurity
> >>

Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1

2016-03-31 Thread Noel Jones
Known malware will still be detected, even if you ignore the
troublesome PUA sigs.

These aren't really false positives since the .pdf really does
contain javascript.  So the sigs are working as intended.

The alternative is to communicate to your users that .pdf files
containing javascript are not allowed in email.  Unfortunately,
*many* legit .pdf files contain javascript.

This is more of a local policy decision than a tech decision.


  -- Noel Jones



On 3/31/2016 9:25 AM, polloxx wrote:
> That's known to me Steve.
> I'm afraid malware will not be detected in that case.
> 
> P.
> 
> On Thu, Mar 31, 2016 at 3:43 PM, Steve Basford <
> steveb_cla...@sanesecurity.com> wrote:
> 
>>
>> On Thu, March 31, 2016 2:33 pm, polloxx wrote:
>>> Since the new ClamAV database we have a lot more false positives for
>>> PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
>>> What can we do about this, except disabling PUA?
>>
>> Create a local.ign2 with the following lines:
>>
>> PUA.Pdf.Trojan.EmbeddedJS-1
>> PUA.Win.Trojan.EmbeddedPDF-1
>>
>> Place in ClamAV database folder and restart clamd
>>
>> Cheers,
>>
>> Steve
>> Web : sanesecurity.com
>> Blog: sanesecurity.blogspot.com
>> Twitter: @sanesecurity
>>


Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1

2016-03-31 Thread polloxx
That's known to me Steve.
I'm afraid malware will not be detected in that case.

P.

On Thu, Mar 31, 2016 at 3:43 PM, Steve Basford <
steveb_cla...@sanesecurity.com> wrote:

>
> On Thu, March 31, 2016 2:33 pm, polloxx wrote:
> > Since the new ClamAV database we have a lot more false positives for
> > PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
> > What can we do about this, except disabling PUA?
>
> Create a local.ign2 with the following lines:
>
> PUA.Pdf.Trojan.EmbeddedJS-1
> PUA.Win.Trojan.EmbeddedPDF-1
>
> Place in ClamAV database folder and restart clamd
>
> Cheers,
>
> Steve
> Web : sanesecurity.com
> Blog: sanesecurity.blogspot.com
> Twitter: @sanesecurity
>


Re: [clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1

2016-03-31 Thread Steve Basford

On Thu, March 31, 2016 2:33 pm, polloxx wrote:
> Since the new ClamAV database we have a lot more false positives for
> PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
> What can we do about this, except disabling PUA?

Create a local.ign2 with the following lines:

PUA.Pdf.Trojan.EmbeddedJS-1
PUA.Win.Trojan.EmbeddedPDF-1

Place in ClamAV database folder and restart clamd

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity
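
[Added example, not part of the original post or of ClamAV itself: the local.ign2 procedure above as a re-runnable shell helper that reads the database folder from a clamd.conf and adds each signature name only once. The function names and the paths in the usage comment are assumptions; restarting clamd is left to the host's service manager.]

```sh
#!/bin/sh
# Added example: idempotent maintenance of local.ign2.
# db_dir_from_conf and add_ignores are hypothetical helper names.

# Print the DatabaseDirectory value from a clamd.conf-style file.
# Commented-out lines ("#DatabaseDirectory ...") do not match.
db_dir_from_conf() {
    awk '$1 == "DatabaseDirectory" { print $2; exit }' "$1"
}

# add_ignores DBDIR SIG...
# Append each signature name to DBDIR/local.ign2 unless an identical
# line is already present. Sets ADDED to the number of new entries.
add_ignores() {
    dbdir=$1; shift
    if [ ! -d "$dbdir" ]; then
        echo "no such database directory: $dbdir" >&2
        return 1
    fi
    ign="$dbdir/local.ign2"
    [ -e "$ign" ] || : > "$ign"
    # If the file does not end in a newline, add one so the next
    # entry is not glued onto the last existing signature name.
    if [ -s "$ign" ] && [ -n "$(tail -c 1 "$ign")" ]; then
        echo >> "$ign"
    fi
    ADDED=0
    for sig in "$@"; do
        # -F: fixed string (the dots are not regex wildcards)
        # -x: whole-line match, so a longer name does not count
        if ! grep -Fxq -- "$sig" "$ign"; then
            printf '%s\n' "$sig" >> "$ign"
            ADDED=$((ADDED + 1))
        fi
    done
    chmod 644 "$ign"   # the account clamd runs as must be able to read it
}

# Usage (paths are assumptions, adjust to the local install):
#   dir=$(db_dir_from_conf /etc/clamav/clamd.conf)
#   add_ignores "$dir" PUA.Pdf.Trojan.EmbeddedJS-1 PUA.Win.Trojan.EmbeddedPDF-1
#   then restart clamd so the ignore list is loaded
```

Only the two named PUA signatures are suppressed this way; every other signature in the database stays active.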



[clamav-users] PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1

2016-03-31 Thread polloxx
Since the new ClamAV database we have a lot more false positives for
PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
What can we do about this, except disabling PUA?

p.