Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-12-01 Thread Joel Esler (jesler)
Thanks for the feedback Jeff.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Nov 30, 2016, at 6:16 PM, Jeff Dyke wrote:

Just a user or not Al, thanks for the quick update!!  Also thank you to the
folks that looked into this. I just rescanned everything i posted after
running freshclam and it checks out.

Thanks for the efforts!

On Wed, Nov 30, 2016 at 5:44 PM, Al Varnell wrote:

And the signature appears to have been dropped in daily - 22632.

-Al-

On Wed, Nov 30, 2016 at 02:39 PM, Al Varnell wrote:

Let me add a couple of things here.

- This isn't my site, I'm just a fellow user trying to help get you an
answer.

- Normally, it isn't necessary to provide the hash for an FP submission
unless you find a pressing need to discuss it on this list. As Joel said,
it helps the team locate what we are talking about to post hash values
about such submissions here. Most of us here know how to use sigtool or
other utilities to obtain a hash value, but I would have gladly provided
that info to anybody that asked.

-Al-

On Wed, Nov 30, 2016 at 06:54 AM, Gene Heskett wrote:

On Wednesday 30 November 2016 05:50:07 Al Varnell wrote:

On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
* Al Varnell :
Has anybody submitted a PDF yet?

Of course.

Hash?

-Al-

Your site does not ask for a hash, nor does it specify how to obtain it.
It asked for the file, so that's what I sent.

Cheers, Gene Heskett

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml




Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
Just a user or not Al, thanks for the quick update!!  Also thank you to the
folks that looked into this. I just rescanned everything i posted after
running freshclam and it checks out.

Thanks for the efforts!

On Wed, Nov 30, 2016 at 5:44 PM, Al Varnell  wrote:

> And the signature appears to have been dropped in daily - 22632.
>
> -Al-
>
> On Wed, Nov 30, 2016 at 02:39 PM, Al Varnell wrote:
> >
> > Let me add a couple of things here.
> >
> > - This isn't my site, I'm just a fellow user trying to help get you an
> answer.
> >
> > - Normally, it isn't necessary to provide the hash for an FP submission
> unless you find a pressing need to discuss it on this list. As Joel said,
> it helps the team locate what we are talking about to post hash values
> about such submissions here. Most of us here know how to use sigtool or
> other utilities to obtain a hash value, but I would have gladly provided
> that info to anybody that asked.
> >
> > -Al-
> >
> > On Wed, Nov 30, 2016 at 06:54 AM, Gene Heskett wrote:
> >>
> >> On Wednesday 30 November 2016 05:50:07 Al Varnell wrote:
> >>
> >>> On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
>  * Al Varnell :
> > Has anybody submitted a PDF yet?
> 
>  Of course.
> >>>
> >>> Hash?
> >>>
> >>> -Al-
> >>
> >> Your site does not ask for a hash, nor does it specify how to obtain it.
> >> It asked for the file, so that's what I sent.
> >>
> >> Cheers, Gene Heskett
>
>


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
And the signature appears to have been dropped in daily - 22632.

-Al-

On Wed, Nov 30, 2016 at 02:39 PM, Al Varnell wrote:
> 
> Let me add a couple of things here.
> 
> - This isn't my site, I'm just a fellow user trying to help get you an answer.
> 
> - Normally, it isn't necessary to provide the hash for an FP submission 
> unless you find a pressing need to discuss it on this list. As Joel said, it 
> helps the team locate what we are talking about to post hash values about 
> such submissions here. Most of us here know how to use sigtool or other 
> utilities to obtain a hash value, but I would have gladly provided that info 
> to anybody that asked.
> 
> -Al-
> 
> On Wed, Nov 30, 2016 at 06:54 AM, Gene Heskett wrote:
>> 
>> On Wednesday 30 November 2016 05:50:07 Al Varnell wrote:
>> 
>>> On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
 * Al Varnell :
> Has anybody submitted a PDF yet?
 
 Of course.
>>> 
>>> Hash?
>>> 
>>> -Al-
>> 
>> Your site does not ask for a hash, nor does it specify how to obtain it. 
>> It asked for the file, so that's what I sent.
>> 
>> Cheers, Gene Heskett



Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
Let me add a couple of things here.

- This isn't my site, I'm just a fellow user trying to help get you an answer.

- Normally, it isn't necessary to provide the hash for an FP submission unless 
you find a pressing need to discuss it on this list. As Joel said, it helps the 
team locate what we are talking about to post hash values about such 
submissions here. Most of us here know how to use sigtool or other utilities to 
obtain a hash value, but I would have gladly provided that info to anybody that 
asked.

-Al-

On Wed, Nov 30, 2016 at 06:54 AM, Gene Heskett wrote:
> 
> On Wednesday 30 November 2016 05:50:07 Al Varnell wrote:
> 
>> On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
>>> * Al Varnell :
 Has anybody submitted a PDF yet?
>>> 
>>> Of course.
>> 
>> Hash?
>> 
>> -Al-
> 
> Your site does not ask for a hash, nor does it specify how to obtain it. 
> It asked for the file, so that's what I sent.
> 
> Cheers, Gene Heskett


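Al's point about supplying a hash with the FP follow-up, as an added example for this thread (not code from the list or from ClamAV's `sigtool`): the script streams a file once, returns its MD5, SHA-1 and SHA-256 digests together with the file size, and prints them in the `md5sum` layout, in the `md5:size:name` layout that `sigtool --md5` produces (the .hdb format), and as the VirusTotal report URL form used elsewhere in this thread. The file path comes from the command line; the in-memory sample in the `__main__` block is a constructed placeholder, not one of the PDFs discussed here.

```python
"""Digests for a ClamAV false-positive follow-up.

Added example for this thread, not code from the list or from ClamAV's
sigtool. It reads the file once, in chunks, and formats the result the way
`md5sum` (hash, two spaces, name) and `sigtool --md5` (md5:size:name, the
.hdb layout) print it, plus the VirusTotal report URL form used in the thread.
"""
import hashlib
import io

ALGOS = ("md5", "sha1", "sha256")


def file_digests(stream, chunk_size=1 << 16):
    """Return {"md5", "sha1", "sha256", "size"} for a binary stream; chunked
    reading keeps memory flat for large PDFs."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    size = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashers.items()}
    result["size"] = size
    return result


def digests_of_bytes(data, chunk_size=1 << 16):
    """Same as file_digests for an in-memory sample."""
    return file_digests(io.BytesIO(data), chunk_size)


def digests_of_path(path):
    with open(path, "rb") as f:
        return file_digests(f)


def report_lines(name, d):
    """Lines worth pasting into the follow-up: md5sum style, hdb style (what
    sigtool --md5 prints), the sha256 and the VirusTotal URL for it."""
    return [
        f"{d['md5']}  {name}",
        f"{d['md5']}:{d['size']}:{name}",
        f"{d['sha256']}  {name}",
        f"https://www.virustotal.com/en/file/{d['sha256']}/analysis/",
    ]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print("\n".join(report_lines(path, digests_of_path(path))))
    else:
        # Constructed stand-in for a real PDF when run without arguments.
        sample = b"%PDF-1.4\n% constructed sample, not a real document\n%%EOF\n"
        print("\n".join(report_lines("sample.pdf", digests_of_bytes(sample))))
```

Hashing the exact bytes that were uploaded matters: a file re-saved by a viewer, as Jeff describes, is a different file with a different digest, so compute the hash on the copy you submitted, not on a later re-save.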

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Joel Esler (jesler)
The team is working on this, as we speak.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Nov 30, 2016, at 10:23 AM, Jeff Dyke wrote:

Thanks Joel and Al, hopefully my hashes, files and virustotal urls are
helpful.

Jeff

On Wed, Nov 30, 2016 at 10:21 AM, Joel Esler (jesler) wrote:

Gene,

Al was simply asking, as he knows we may ask, and it helps us identify the
file faster.  Otherwise we have to search through and look for the sender
email, which, sometimes does not match up.


--
Joel Esler | Talos: Manager | jes...@cisco.com

On Nov 30, 2016, at 9:54 AM, Gene Heskett wrote:

On Wednesday 30 November 2016 05:50:07 Al Varnell wrote:

On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
* Al Varnell :
Has anybody submitted a PDF yet?

Of course.

Hash?

-Al-

Your site does not ask for a hash, nor does it specify how to obtain it.
It asked for the file, so that's what I sent.

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
Thanks Joel and Al, hopefully my hashes, files and virustotal urls are
helpful.

Jeff

On Wed, Nov 30, 2016 at 10:21 AM, Joel Esler (jesler) 
wrote:

> Gene,
>
> Al was simply asking, as he knows we may ask, and it helps us identify the
> file faster.  Otherwise we have to search through and look for the sender
> email, which, sometimes does not match up.
>
>
> --
> Joel Esler | Talos: Manager | jes...@cisco.com
>
> On Nov 30, 2016, at 9:54 AM, Gene Heskett wrote:
>
> On Wednesday 30 November 2016 05:50:07 Al Varnell wrote:
>
> On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> * Al Varnell :
> Has anybody submitted a PDF yet?
>
> Of course.
>
> Hash?
>
> -Al-
>
> Your site does not ask for a hash, nor does it specify how to obtain it.
> It asked for the file, so that's what I sent.
>
> Cheers, Gene Heskett
> --
> "There are four boxes to be used in defense of liberty:
> soap, ballot, jury, and ammo. Please use in that order."
> -Ed Howdershelt (Author)
> Genes Web page 


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Joel Esler (jesler)
Gene,

Al was simply asking, as he knows we may ask, and it helps us identify the file 
faster.  Otherwise we have to search through and look for the sender email, 
which, sometimes does not match up.


--
Joel Esler | Talos: Manager | jes...@cisco.com

On Nov 30, 2016, at 9:54 AM, Gene Heskett wrote:

On Wednesday 30 November 2016 05:50:07 Al Varnell wrote:

On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
* Al Varnell :
Has anybody submitted a PDF yet?

Of course.

Hash?

-Al-

Your site does not ask for a hash, nor does it specify how to obtain it.
It asked for the file, so that's what I sent.

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 06:26:44 Ralf Hildebrandt wrote:

> * Ralf Hildebrandt :
> > * Al Varnell :
> > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> > > > * Al Varnell :
> > > >> Has anybody submitted a PDF yet?
> > > >
> > > > Of course.
> > >
> > > Hash?
> >
> > 8d62c398679ab6c7b85749eacf7a9a80
>
> generated by md5sum

And mine on the Motorola programming pdf is:

71088fd59e56b99e5d5f0602251e7734

also generated by md5sum.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 05:50:07 Al Varnell wrote:

> On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> > * Al Varnell :
> >> Has anybody submitted a PDF yet?
> >
> > Of course.
>
> Hash?
>
> -Al-

Your site does not ask for a hash, nor does it specify how to obtain it. 
It asked for the file, so that's what I sent.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 05:29:42 Al Varnell wrote:

> Has anybody submitted a PDF yet? Normally, nothing can happen until
> they have at least one example. Once somebody has a sample they are
> allowed to submit, return here with a hash value of the submitted file
> so they can expedite processing.
>
> -Al-

I did Al, how many more copies of it does it take?

> On Wed, Nov 30, 2016 at 02:26 AM, maxal wrote:
> > hi,
> >
> > On Tue, 2016-11-29 at 15:46 -0500, Gene Heskett wrote:
> >> On Tuesday 29 November 2016 11:53:03 Jeff Dyke wrote:
> >>> Is there any way to get updates on a false positives (i submitted this
> >>> about a week or so ago), if it is or is not, i still find these. In my
> >>> case they seem to be ok coming from the printer, but then a
> >>> non-technical person opens and saves the file with a different name
> >>> (rather than just rename it) which activates this particular exploit,
> >>> which we've proven by going and grabbing directly from the printer and
> >>> then having the client open and resave and send us both documents.
> >>>
> >>> We're in the type of business where it would open us up to a ton of
> >>> liability if we were to white list, without knowing, have a site
> >>> user download an infected file.
> >>>
> >>> Thanks, happy to do anything i can.
> >>>
> >>> Jeff
> >>
> >> I too have submitted an FP report on this one, but haven't been
> >> advised
> >> about it either. IMO it is as phony as a 3 dollar bill.
> >
> > also numerous hits on this rule on valid/harmless pdfs here - i have
> > already reported the fp last week and disabled/whitelisted the rule
> > due to customer complaints.
> >
> > why is cisco/clamav ignoring all the reports? is this part of the
> > automated (signature) processing? ~10 days of waiting for a
> > signature- fix is hard, the rule was published on:
> >
> > Nov 20, 2016, 3:18 PM
> > Datefile: daily
> > Version: 22573
> > Publisher: Alain Zidouemba
> > New Sigs: 1187
> > Dropped Sigs: 0
> > Ignored Sigs: 54
> >
> > kind regards
> > max


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page 


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
I did, multiple.  I submitted them again, plus new ones i have found since
i first submitted

sha256 - short file name - virus total url
52457b84faac951b961273cba7fe5f462e9edef14aee394f49981770eb75337e  DCBPOS.pdf
https://www.virustotal.com/en/file/52457b84faac951b961273cba7fe5f462e9edef14aee394f49981770eb75337e/analysis/
b8db675df50b388df3f5c75f90e3c873fdf40995d7ac3015baf9a2b500fdf9d9  DCGO.pdf
https://www.virustotal.com/en/file/b8db675df50b388df3f5c75f90e3c873fdf40995d7ac3015baf9a2b500fdf9d9/analysis/1480515235/
e315fc04ef2aceb114034319ed1b69213cd996ce25d9a679a3510f8bc8d7100b  DCREV.pdf
https://www.virustotal.com/en/file/e315fc04ef2aceb114034319ed1b69213cd996ce25d9a679a3510f8bc8d7100b/analysis/1480515167/
7fa8858395b9ad9c9a2f8c6839e2b19893feb492c6c43f049ab88a7b3ecdc58d  JEAElec.pdf
https://www.virustotal.com/en/file/7fa8858395b9ad9c9a2f8c6839e2b19893feb492c6c43f049ab88a7b3ecdc58d/analysis/1480514846/
8f0494b6e9efbff2cb61d4f900c131366adf5949a104a58d34d74497277112ca  MMGO.pdf
https://www.virustotal.com/en/file/8f0494b6e9efbff2cb61d4f900c131366adf5949a104a58d34d74497277112ca/analysis/
4196c9c04c67e2a2d687f7f658f695cd0364e074602427de1242fc1fa2d63b31  MMGaming.pdf
https://www.virustotal.com/en/file/4196c9c04c67e2a2d687f7f658f695cd0364e074602427de1242fc1fa2d63b31/analysis/1480514960/
09c1206cc0e48b9ac2340bbd82729b33d6f000d23e3e0a95682b395af00c0bca  OCFLTaxRef.pdf
https://www.virustotal.com/en/file/09c1206cc0e48b9ac2340bbd82729b33d6f000d23e3e0a95682b395af00c0bca/analysis/
2473ce57a89154f0202185b5701ddcfcfd76e3e6263735fa7f61cbfe9cd54d43  WPPI_Energy.pdf
https://www.virustotal.com/en/file/2473ce57a89154f0202185b5701ddcfcfd76e3e6263735fa7f61cbfe9cd54d43/analysis/1480514740/
8f40782bb1d729eac8d47733e6b3fa2a6a1d708c43342fed7f997551491620ac  water.pdf
https://www.virustotal.com/en/file/8f40782bb1d729eac8d47733e6b3fa2a6a1d708c43342fed7f997551491620ac/analysis/1480514926/

Jeff

On Wed, Nov 30, 2016 at 6:26 AM, Ralf Hildebrandt wrote:

> * Ralf Hildebrandt :
> > * Al Varnell :
> > >
> > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> > > >
> > > > * Al Varnell :
> > > >> Has anybody submitted a PDF yet?
> > > >
> > > > Of course.
> > >
> > > Hash?
> >
> > 8d62c398679ab6c7b85749eacf7a9a80
>
> generated by md5sum
>
> --
> Ralf Hildebrandt   Charite Universitätsmedizin Berlin
> ralf.hildebra...@charite.deCampus Benjamin Franklin
> http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
> Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread demonhunter
The signature is looking for just a few strings that appear to give no 
indication whatsoever that a vulnerability is being exploited. I do not 
understand why this signature was created or why it's taking too long to remove 
it. I added it to a .ign2 file in our system to prevent further false positives 
from occurring. Below is the signature and a breakdown of what it's looking for:

[daily.ldb] 
Pdf.Exploit.CVE_2016_1091-2;Engine:81-255,Target:10;(0&1&2&3)&4;2F4F75746C696E6573;2F4163726F466F726D;2F506167654D6F64652F5573654F75746C696E6573;2F547970652F436174616C6F672F566965776572507265666572656E636573;0&1&2&3/\/Outlines (?P\d+) 0 R(.*)(?!P=objid) 0 obj/smi

Strings:

$ echo 2F4F75746C696E6573 | xxd -r -p
/Outlines

$ echo 2F4163726F466F726D | xxd -r -p
/AcroForm

$ echo 2F506167654D6F64652F5573654F75746C696E6573 | xxd -r -p
/PageMode/UseOutlines

$ echo 2F547970652F436174616C6F672F566965776572507265666572656E636573 | xxd -r -p
/Type/Catalog/ViewerPreferences

Regex:

/\/Outlines (?P\d+) 0 R(.*)(?!P=objid) 0 obj/smi


I've seen false positives for several other PDF signatures over the past few 
months, too. Some were caused by signatures like this one, that do not seem to 
correctly identify exploitation of a vulnerability, and others were hashes of 
what appeared to be non-malicious PDF files. Unfortunately I do not have any 
files that match these signatures available to share right now.

These two signatures have caused false positives for us, and ClamAV has since 
removed them from their database:
[daily.ndb] 
Pdf.Exploit.CVE_2016_4207-1:10:*:466F6E744E616D652F4142434445452B826C8272233230835383568362834E
Pdf.Malware.Agent-1806133 (I do not have a copy of this signature readily 
available)

The following two signatures have also caused false positives for us, and are 
still in the official ClamAV database:
[daily.ldb] 
Pdf.Exploit.CVE_2016_3370-1;Engine:81-255,Target:10;1;2f4346{-60}2f417574684576656e742f446f634f70656e2f43464d{-10}5632{-20}2f4c656e677468;0/(\x2fCF.{2,60}\x2fAuthEvent\x2fDocOpen\x2fCFM.{2,10}V2.{0,20}\x2fLength\x20(1[7-9]|[2-9]\d|1\d{2}))/
[daily.hdb] 71dfd9f2a567c2172e530a8c1a97ece3:36378:Pdf.Malware.Agent-1765857


DH


- Original Message -
From: "Ralf Hildebrandt" 
To: clamav-users@lists.clamav.net
Sent: Wednesday, November 30, 2016 6:26:44 AM
Subject: Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

* Ralf Hildebrandt :
> * Al Varnell :
> > 
> > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> > > 
> > > * Al Varnell :
> > >> Has anybody submitted a PDF yet?
> > > 
> > > Of course.
> > 
> > Hash?
> 
> 8d62c398679ab6c7b85749eacf7a9a80  

generated by md5sum

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155
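The signature breakdown in DH's message above, turned into a small script. This is an added example for this thread, not code from the list or from ClamAV: it splits the quoted .ldb line into name, target block, logical expression and subsignatures, decodes the hex subsignatures to the same strings the `xxd -r -p` calls show, compiles the PCRE subsignature with its trigger and flags, and evaluates the logical expression over a constructed PDF that merely has bookmarks, a form and viewer preferences. Assumptions: the PCRE group name `<objid>` is missing from the archived text and is restored here from the `P=objid` reference; the logic evaluator handles only `&`, `|` and parentheses, not ClamAV's count modifiers; the hex-wildcard handling (`??`, `*`, `{n-m}`) goes beyond what this one signature needs so that the `{-60}`-style body of the CVE_2016_3370 signature quoted in the same message can be compiled too; `SAMPLE_PDF` is constructed, not a file from the thread.

```python
"""Decode a ClamAV logical (.ldb) signature and run it over a sample PDF.
Added example for this thread; not code from the list or from ClamAV."""
import re

# The signature quoted in the message, verbatim except that the PCRE group name
# "<objid>" (lost in the archive) is assumed from the later "P=objid" reference.
LDB_LINE = (
    "Pdf.Exploit.CVE_2016_1091-2;Engine:81-255,Target:10;(0&1&2&3)&4;"
    "2F4F75746C696E6573;2F4163726F466F726D;2F506167654D6F64652F5573654F75746C696E6573;"
    "2F547970652F436174616C6F672F566965776572507265666572656E636573;"
    r"0&1&2&3/\/Outlines (?P<objid>\d+) 0 R(.*)(?!P=objid) 0 obj/smi"
)

# Constructed harmless PDF skeleton: a catalog with bookmarks, a form and
# viewer preferences, which is all that the signature's four strings describe.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<</Type/Catalog/ViewerPreferences<</FitWindow true>>"
    b"/PageMode/UseOutlines/Outlines 3 0 R/AcroForm 4 0 R/Pages 2 0 R>>\nendobj\n"
    b"2 0 obj\n<</Type/Pages/Kids[]/Count 0>>\nendobj\n"
    b"3 0 obj\n<</Type/Outlines/Count 0>>\nendobj\n"
    b"4 0 obj\n<</Fields[]>>\nendobj\ntrailer\n<</Root 1 0 R>>\n%%EOF\n"
)

PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}


def hex_to_regex(body):
    """Hex pairs become literal bytes; ??, *, {n}, {-n}, {n-}, {n-m} become quantifiers."""
    parts, i = [], 0
    while i < len(body):
        if body[i] == "*":
            frag, step = b".*", 1
        elif body[i] == "{":
            j = body.index("}", i)
            lo, sep, hi = body[i + 1:j].partition("-")
            frag = (b".{%s,%s}" % (lo.encode() or b"0", hi.encode()) if sep
                    else b".{%s}" % lo.encode())
            step = j + 1 - i
        elif body[i:i + 2] == "??":
            frag, step = b".", 2
        else:
            frag, step = re.escape(bytes.fromhex(body[i:i + 2])), 2
        parts.append(frag)
        i += step
    return re.compile(b"".join(parts), re.DOTALL)


def parse_ldb(line):
    """Split NAME;TARGET;LOGIC;SUB0;...; TRIGGER/PCRE/FLAGS subsigs are regexes, the rest hex."""
    name, target, logic, *subs = line.strip().split(";")
    parsed = []
    for raw in subs:
        m = re.fullmatch(r"([^/]+)/(.*)/([A-Za-z]*)", raw)
        if m:
            flags = sum(PCRE_FLAGS.get(ch, 0) for ch in m.group(3))
            parsed.append({"kind": "pcre", "raw": raw, "trigger": m.group(1),
                           "regex": re.compile(m.group(2).encode(), flags)})
        else:
            parsed.append({"kind": "hex", "raw": raw, "regex": hex_to_regex(raw)})
    return {"name": name, "target": target, "logic": logic, "subsigs": parsed}


def decode_hex_subsigs(sig):
    """Readable form of the plain-hex subsignatures (what `xxd -r -p` shows)."""
    return [bytes.fromhex(s["raw"]).decode("latin-1") for s in sig["subsigs"]
            if s["kind"] == "hex" and re.fullmatch(r"[0-9A-Fa-f]+", s["raw"])]


def eval_logic(expr, hits):
    """Evaluate a (0&1&2&3)&4-style expression over per-subsignature hits.
    Handles &, | and parentheses; ClamAV's >n / ,n count forms are out of scope."""
    tokens = re.findall(r"\d+|[&|()]", expr)[::-1]  # reversed: pop() yields next

    def level(ops):  # ops[0] is the loosest operator still to handle
        if not ops:
            return atom()
        val = level(ops[1:])
        while tokens and tokens[-1] == ops[0]:
            tokens.pop()
            rhs = level(ops[1:])
            val = (val or rhs) if ops[0] == "|" else (val and rhs)
        return val

    def atom():
        tok = tokens.pop()
        if tok != "(":
            return bool(hits[int(tok)])
        val = level("|&")
        tokens.pop()  # the closing ")"
        return val

    return level("|&")


def scan(sig, data):
    """Return (detected, hits); a PCRE subsig is tried only once its trigger holds."""
    hits = []
    for sub in sig["subsigs"]:
        if sub["kind"] == "pcre" and not eval_logic(sub["trigger"], hits):
            hits.append(False)
            continue
        hits.append(sub["regex"].search(data) is not None)
    return eval_logic(sig["logic"], hits), hits
```

Calling `scan(parse_ldb(LDB_LINE), SAMPLE_PDF)` returns all five subsignatures as hits and `(0&1&2&3)&4` as true: the four strings are ordinary catalog keys, and with `.*` in dot-all mode the PCRE accepts almost any object that follows the `/Outlines N 0 R` reference, which is consistent with the false positives reported in this thread. For local suppression while a report is pending, a `.ign2` file holds one signature name per line, as DH describes.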

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Ralf Hildebrandt :
> * Al Varnell :
> > 
> > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> > > 
> > > * Al Varnell :
> > >> Has anybody submitted a PDF yet?
> > > 
> > > Of course.
> > 
> > Hash?
> 
> 8d62c398679ab6c7b85749eacf7a9a80  

generated by md5sum

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell :
> 
> On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> > 
> > * Al Varnell :
> >> Has anybody submitted a PDF yet?
> > 
> > Of course.
> 
> Hash?

8d62c398679ab6c7b85749eacf7a9a80  

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Steve Basford

On Wed, November 30, 2016 10:50 am, Al Varnell wrote:
>

> On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
>
>>
>> * Al Varnell :
>>
>>> Has anybody submitted a PDF yet?
>>>
>>
>> Of course.
>>
>
> Hash?

Here's one example I saw in a forum...

Source:
http://www.ubuntu-es.org/node/191328

Url:

h t t p s : / /
it-bqcom15-media.s3.amazonaws.com/prod/resources/manual/Aquaris_E5s_Gui%CC%81a_completa_de_usuario-1475652714
DOT pdf

VirusTotal:

https://www.virustotal.com/en/file/b1cc8969aff399539d61eba6c42d1a75ecaec0cb656c30b0b844288e2c2aefd6/analysis/1480503855/

Hashes:

MD5 978e240a57fe2cabce4073fba2266520
SHA1 c0e5b4b34b47eaaa8d5b9321279b285bcea67427
SHA256 b1cc8969aff399539d61eba6c42d1a75ecaec0cb656c30b0b844288e2c2aefd6


-- 
Cheers,

Steve
Twitter: @sanesecurity



Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell

On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> 
> * Al Varnell :
>> Has anybody submitted a PDF yet?
> 
> Of course.

Hash?

-Al-
-- 
Al Varnell
Mountain View, CA


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell :
> Has anybody submitted a PDF yet?

Of course.

-- 
Ralf Hildebrandt   Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.deCampus Benjamin Franklin
http://www.charite.de  Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt. Netzwerk fon: +49-30-450.570.155

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
Has anybody submitted a PDF yet? Normally, nothing can happen until they have 
at least one example. Once somebody has a sample they are allowed to submit, 
return here with a hash value of the submitted file so they can expedite 
processing.

-Al-

On Wed, Nov 30, 2016 at 02:26 AM, maxal wrote:
> 
> hi,
> 
> On Tue, 2016-11-29 at 15:46 -0500, Gene Heskett wrote:
>> On Tuesday 29 November 2016 11:53:03 Jeff Dyke wrote:
>> 
>>> 
>>> Is there any way to get updates on a false positives (i submitted this
>>> about a week or so ago), if it is or is not, i still find these. In my
>>> case they seem to be ok coming from the printer, but then a
>>> non-technical person opens and saves the file with a different name
>>> (rather than just rename it) which activates this particular exploit,
>>> which we've proven by going and grabbing directly from the printer and
>>> then having the client open and resave and send us both documents.
>>> 
>>> We're in the type of business where it would open us up to a ton of
>>> liability if we were to white list, without knowing, have a site
>>> user download an infected file.
>>> 
>>> Thanks, happy to do anything i can.
>>> 
>>> Jeff
>>> 
>> I too have submitted an FP report on this one, but haven't been
>> advised 
>> about it either. IMO it is as phony as a 3 dollar bill.
> 
> also numerous hits on this rule on valid/harmless pdfs here - i have
> already reported the fp last week and disabled/whitelisted the rule due
> to customer complaints.
> 
> why is cisco/clamav ignoring all the reports? is this part of the
> automated (signature) processing? ~10 days of waiting for a signature-
> fix is hard, the rule was published on:
> 
> Nov 20, 2016, 3:18 PM 
> Datefile: daily
> Version: 22573
> Publisher: Alain Zidouemba
> New Sigs: 1187
> Dropped Sigs: 0
> Ignored Sigs: 54
> 
> kind regards
> max



Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread maxal
hi,

On Tue, 2016-11-29 at 15:46 -0500, Gene Heskett wrote:
> On Tuesday 29 November 2016 11:53:03 Jeff Dyke wrote:
> 
> > 
> > Is there any way to get updates on a false positives (i submitted this
> > about a week or so ago), if it is or is not, i still find these. In my
> > case they seem to be ok coming from the printer, but then a
> > non-technical person opens and saves the file with a different name
> > (rather than just rename it) which activates this particular exploit,
> > which we've proven by going and grabbing directly from the printer and
> > then having the client open and resave and send us both documents.
> > 
> > We're in the type of business where it would open us up to a ton of
> > liability if we were to white list, without knowing, have a site
> > user download an infected file.
> > 
> > Thanks, happy to do anything i can.
> > 
> > Jeff
> > 
> I too have submitted an FP report on this one, but haven't been
> advised 
> about it either. IMO it is as phony as a 3 dollar bill.

also numerous hits on this rule on valid/harmless pdfs here - i have
already reported the fp last week and disabled/whitelisted the rule due
to customer complaints.

why is cisco/clamav ignoring all the reports? is this part of the
automated (signature) processing? ~10 days of waiting for a signature-
fix is hard, the rule was published on:

Nov 20, 2016, 3:18 PM 
Datefile: daily
Version: 22573
Publisher: Alain Zidouemba
New Sigs: 1187
Dropped Sigs: 0
Ignored Sigs: 54

kind regards
max


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-29 Thread Gene Heskett
On Tuesday 29 November 2016 11:53:03 Jeff Dyke wrote:

> Is there any way to get updates on a false positives (i submitted this
> about a week or so ago), if it is or is not, i still find these. In my
> case they seem to be ok coming from the printer, but then a
> non-technical person opens and saves the file with a different name
> (rather than just rename it) which activates this particular exploit,
> which we've proven by going and grabbing directly from the printer and
> then having the client open and resave and send us both documents.
>
> We're in the type of business where it would open us up to a ton of
> liability if we were to white list, without knowing, have have a site
> user download an infected file.
>
> Thanks, happy to do anything i can.
>
> Jeff
>
I too have submitted an FP report on this one, but haven't been advised 
about it either. IMO it is as phony as a 3 dollar bill.

> On Wed, Nov 23, 2016 at 12:11 PM, Jeff Dyke wrote:
> > I also submitted an FP a few days ago.  I'm not as much of a fan of
> > whitelisting what could be a fairly serious exploit that I'd be
> > allowing people to download if it were valid.  Hopefully it will be
> > fixed up soon. The documents I found it in are public, so if there
> > is a way to expedite the process, I'm happy to supply other
> > information.
> >
> > On Wed, Nov 23, 2016 at 10:27 AM, Hajo Locke wrote:
> >> Hello,
> >>
> >> On 23.11.2016 at 16:10, Ralf Hildebrandt wrote:
> >>> * Hajo Locke :
> >>>> Hello,
> >>>>
> >>>> Unfortunately we have some problems with FP
> >>>> Pdf.Exploit.CVE_2016_1091-2. A customer was testing at VirusTotal
> >>>> and only ClamAV is finding a virus. Unfortunately I cannot do an
> >>>> FP report.  All PDFs are property of customers
> >>>> and not public.
> >>>
> >>> I already did an FP report. It happened with PDFs from "Springer
> >>> Medical". Had to disable that signature.
> >>
> >> Thanks. In most cases the clam-team response is quick. Otherwise I
> >> would also do a global whitelisting.
> >>
> >>>> I hope there are some additional FP reports from other people
> >>>> regarding this virus to review this signature.
> >>>
> >>> Yep.
> >>>
> >>> Thanks,
> >>
> >> Hajo
> >>


Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Gene's Web page


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-29 Thread Jeff Dyke
Is there any way to get updates on a false positive (I submitted this about
a week or so ago)? If it is or is not, I still find these. In my case they
seem to be OK coming from the printer, but then a non-technical person
opens and saves the file with a different name (rather than just renaming it),
which activates this particular exploit, which we've proven by going and
grabbing directly from the printer and then having the client open and
resave and send us both documents.

We're in the type of business where it would open us up to a ton of
liability if we were to whitelist, without knowing, and have a site user
download an infected file.

Thanks, happy to do anything I can.

Jeff

On Wed, Nov 23, 2016 at 12:11 PM, Jeff Dyke wrote:

> I also submitted an FP a few days ago.  I'm not as much of a fan of
> whitelisting what could be a fairly serious exploit that I'd be allowing
> people to download if it were valid.  Hopefully it will be fixed up soon.
> The documents I found it in are public, so if there is a way to expedite the
> process, I'm happy to supply other information.
>
> On Wed, Nov 23, 2016 at 10:27 AM, Hajo Locke wrote:
>
>> Hello,
>>
>> On 23.11.2016 at 16:10, Ralf Hildebrandt wrote:
>>
>>> * Hajo Locke :
>>>
>>>> Hello,
>>>>
>>>> Unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2.
>>>> A customer was testing at VirusTotal and only ClamAV is finding a virus.
>>>> Unfortunately I cannot do an FP report.  All PDFs are property of
>>>> customers
>>>> and not public.
>>>>
>>> I already did an FP report. It happened with PDFs from "Springer
>>> Medical". Had to disable that signature.
>>>
>> Thanks. In most cases the clam-team response is quick. Otherwise I would
>> also do a global whitelisting.
>>
>>>
>>>> I hope there are some additional FP reports from other people regarding
>>>> this virus to review this signature.

>>> Yep.
>>>
>>> Thanks,
>> Hajo
>>


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Jeff Dyke
I also submitted an FP a few days ago.  I'm not as much of a fan of
whitelisting what could be a fairly serious exploit that I'd be allowing
people to download if it were valid.  Hopefully it will be fixed up soon.
The documents I found it in are public, so if there is a way to expedite the
process, I'm happy to supply other information.

On Wed, Nov 23, 2016 at 10:27 AM, Hajo Locke wrote:

> Hello,
>
> On 23.11.2016 at 16:10, Ralf Hildebrandt wrote:
>
>> * Hajo Locke :
>>
>>> Hello,
>>>
>>> Unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2.
>>> A customer was testing at VirusTotal and only ClamAV is finding a virus.
>>> Unfortunately I cannot do an FP report.  All PDFs are property of
>>> customers
>>> and not public.
>>>
>> I already did an FP report. It happened with PDFs from "Springer
>> Medical". Had to disable that signature.
>>
> Thanks. In most cases the clam-team response is quick. Otherwise I would
> also do a global whitelisting.
>
>>
>>> I hope there are some additional FP reports from other people regarding
>>> this virus to review this signature.
>>>
>> Yep.
>>
>> Thanks,
> Hajo
>


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Hajo Locke

Hello,

On 23.11.2016 at 16:10, Ralf Hildebrandt wrote:
> * Hajo Locke :
> > Hello,
> >
> > Unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2.
> > A customer was testing at VirusTotal and only ClamAV is finding a virus.
> > Unfortunately I cannot do an FP report.  All PDFs are property of customers
> > and not public.
>
> I already did an FP report. It happened with PDFs from "Springer
> Medical". Had to disable that signature.

Thanks. In most cases the clam-team response is quick. Otherwise I would
also do a global whitelisting.

> > I hope there are some additional FP reports from other people regarding this
> > virus to review this signature.
>
> Yep.


Thanks,
Hajo


Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Ralf Hildebrandt
* Hajo Locke :
> Hello,
> 
> Unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2.
> A customer was testing at VirusTotal and only ClamAV is finding a virus.
> Unfortunately I cannot do an FP report.  All PDFs are property of customers
> and not public.

I already did an FP report. It happened with PDFs from "Springer
Medical". Had to disable that signature.

> I hope there are some additional FP reports from other people regarding this
> virus to review this signature.

Yep.

-- 
Ralf Hildebrandt              Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de   Campus Benjamin Franklin
http://www.charite.de         Hindenburgdamm 30, 12203 Berlin
IT Division, Network Dept.    phone: +49-30-450.570.155
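Two ways of doing the whitelisting that Ralf ("had to disable that signature") and Hajo ("global whitelisting") mention, as an added example that is not code from the thread or from the ClamAV project. The coarse option is a signature-name ignore list (a `.ign2` file, one signature name per line), which silences the signature for every file it would have matched. The narrow option is a per-file hash whitelist (a `.fp` file, same `MD5:size:name` layout as `.hdb`), which passes only files you have actually inspected and so fits Jeff's worry about letting a real exploit through. The database directory, the `CLAMAV_DBDIR` variable and the file names `local.ign2` / `local.fp` are assumptions; ClamAV loads any `.ign2` or `.fp` file it finds in its DatabaseDirectory.

```sh
#!/bin/sh
# Added example (not from the thread or the ClamAV project): build local
# ClamAV whitelist files for a false-positive signature.
# Assumption: DatabaseDirectory from clamd.conf; override via CLAMAV_DBDIR.
DBDIR="${CLAMAV_DBDIR:-/var/lib/clamav}"

# Coarse option: ignore a signature by name. The .ign2 format is one
# signature name per line. Every file that matched this signature now
# passes, so keep the entry only until the daily update fixes the signature.
ignore_sig() {
    sig="$1"; ign="${2:-$DBDIR/local.ign2}"
    [ -f "$ign" ] || : > "$ign"
    # Idempotent: grep -x matches the whole line, -F takes the name literally.
    grep -qxF -- "$sig" "$ign" || printf '%s\n' "$sig" >> "$ign"
}

# MD5 of a file: md5sum on GNU systems, openssl as a fallback (e.g. macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Narrow option: whitelist one known-clean file by hash. The .fp format is
# MD5:size:name. Any byte change (a file opened and re-saved, as in the
# printer case above) yields a new hash, so each inspected variant needs
# its own line; an unknown variant still gets flagged, which is the point.
fp_line() {
    f="$1"
    printf '%s:%s:%s\n' "$(md5_of "$f")" "$(wc -c < "$f" | tr -d ' ')" "$(basename "$f")"
}

whitelist_file() {
    f="$1"; fp="${2:-$DBDIR/local.fp}"
    line=$(fp_line "$f")
    [ -f "$fp" ] || : > "$fp"
    grep -qxF -- "$line" "$fp" || printf '%s\n' "$line" >> "$fp"
}

# Usage (pass an explicit output path to try it outside the database dir):
#   ignore_sig Pdf.Exploit.CVE_2016_1091-2 /tmp/local.ign2
#   whitelist_file /path/to/known-clean.pdf /tmp/local.fp
# Then copy the files into "$DBDIR" and reload clamd: clamdscan --reload
```

After copying the files into the database directory, reload clamd (`clamdscan --reload`, or restart the daemon) and rescan one of the affected PDFs to confirm it now passes. Drop the `.ign2` entry as soon as a later daily update fixes or removes the signature, otherwise the real detection stays switched off on that host.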

[clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Hajo Locke

Hello,

Unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2.
A customer was testing at VirusTotal and only ClamAV is finding a virus.
Unfortunately I cannot do an FP report.  All PDFs are property of
customers and not public.
I hope there are some additional FP reports from other people regarding
this virus to review this signature.


Thanks,
Hajo