Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
Thanks Joel and Al, hopefully my hashes, files and virustotal urls are helpful. Jeff On Wed, Nov 30, 2016 at 10:21 AM, Joel Esler (jesler) wrote: > Gene, > > Al was simply asking, as he knows we may ask, and it helps us identify the > file faster. Otherwise we have to search

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Joel Esler (jesler)
The team is working on this, as we speak. -- Joel Esler | Talos: Manager | jes...@cisco.com On Nov 30, 2016, at 10:23 AM, Jeff Dyke wrote: Thanks Joel and Al, hopefully my hashes, files and virustotal urls are

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Joel Esler (jesler)
Gene, Al was simply asking, as he knows we may ask, and it helps us identify the file faster. Otherwise we have to search through and look for the sender email, which, sometimes does not match up. -- Joel Esler | Talos: Manager | jes...@cisco.com On Nov 30,

Re: [clamav-users] BKF archives scanable by ClamAV?

2016-11-30 Thread Steve Basford
On Tue, November 29, 2016 9:26 pm, Fr34k wrote: > Hello ClamAV Experts, > Can ClamAV scan within Windows BKF archives? > Both the Clam AntiVirus 0.99.1 User Manual and my Internet searches thus > far suggest the answer is, sadly, "no". I presume this may be due to the > age of .bkf usage.

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > * Al Varnell : >> Has anybody submitted a PDF yet? > > Of course. Hash? -Al- -- Al Varnell Mountain View, CA

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell : > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > * Al Varnell : > >> Has anybody submitted a PDF yet? > > > > Of course. > > Hash? 8d62c398679ab6c7b85749eacf7a9a80 -- Ralf Hildebrandt Charite

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread maxal
hi, On Tue, 2016-11-29 at 15:46 -0500, Gene Heskett wrote: > On Tuesday 29 November 2016 11:53:03 Jeff Dyke wrote: > > > > > Is there any way to get updates on a false positives (I submitted > > this > > about a week or so ago), if it is or is not, I still find these. In > > my > > case they

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
Has anybody submitted a PDF yet? Normally, nothing can happen until they have at least one example. Once somebody has a sample they are allowed to submit, return here with a hash value of the submitted file so they can expedite processing. -Al- On Wed, Nov 30, 2016 at 02:26 AM, maxal wrote: >

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell : > Has anybody submitted a PDF yet? Of course. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Steve Basford
On Wed, November 30, 2016 10:50 am, Al Varnell wrote: > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > >> >> * Al Varnell : >> >>> Has anybody submitted a PDF yet? >>> >> >> Of course. >> > > Hash? Here's one example I saw in a forum... Source:

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Ralf Hildebrandt : > * Al Varnell : > > > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > > > * Al Varnell : > > >> Has anybody submitted a PDF yet? > > > > > > Of course. > > > > Hash? > >

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread demonhunter
The signature is looking for just a few strings that appear to give no indication whatsoever that a vulnerability is being exploited. I do not understand why this signature was created or why it's taking too long to remove it. I added it to a .ign2 file in our system to prevent further false

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
Let me add a couple of things here. - This isn't my site, I'm just a fellow user trying to help get you an answer. - Normally, it isn't necessary to provide the hash for an FP submission unless you find a pressing need to discuss it on this list. As Joel said, it helps the team locate what we

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
And the signature appears to have been dropped in daily - 22632. -Al- On Wed, Nov 30, 2016 at 02:39 PM, Al Varnell wrote: > > Let me add a couple of things here. > > - This isn't my site, I'm just a fellow user trying to help get you an answer. > > - Normally, it isn't necessary to provide

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
Just a user or not Al, thanks for the quick update!! Also thank you to the folks that looked into this. I just rescanned everything I posted after running freshclam and it checks out. Thanks for the efforts! On Wed, Nov 30, 2016 at 5:44 PM, Al Varnell wrote: > And the

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 05:29:42 Al Varnell wrote: > Has anybody submitted a PDF yet? Normally, nothing can happen until > they have at least one example. Once somebody has a sample they are > allowed to submit, return here with a hash value of the submitted file > so they can expedite

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 05:50:07 Al Varnell wrote: > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > * Al Varnell : > >> Has anybody submitted a PDF yet? > > > > Of course. > > Hash? > > -Al- Your site does not ask for a hash, nor does it specify how to

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 06:26:44 Ralf Hildebrandt wrote: > * Ralf Hildebrandt : > > * Al Varnell : > > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > * Al Varnell : > > > >> Has anybody submitted a PDF

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
I did, multiple. I submitted them again, plus new ones I have found since I first submitted sha256 - short file name - virus total url 52457b84faac951b961273cba7fe5f462e9edef14aee394f49981770eb75337e DCBPOS.pdf