Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-12-01 Thread Joel Esler (jesler)
Thanks for the feedback, Jeff. -- Joel Esler | Talos: Manager | jes...@cisco.com On Nov 30, 2016, at 6:16 PM, Jeff Dyke wrote: Just a user or not Al, thanks for the quick update!! Also thank you to the folks that

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
Just a user or not Al, thanks for the quick update!! Also thank you to the folks that looked into this. I just rescanned everything I posted after running freshclam and it checks out. Thanks for the efforts! On Wed, Nov 30, 2016 at 5:44 PM, Al Varnell wrote: > And the

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
And the signature appears to have been dropped in daily - 22632. -Al- On Wed, Nov 30, 2016 at 02:39 PM, Al Varnell wrote: > > Let me add a couple of things here. > > - This isn't my site, I'm just a fellow user trying to help get you an answer. > > - Normally, it isn't necessary to provide

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
Let me add a couple of things here. - This isn't my site, I'm just a fellow user trying to help get you an answer. - Normally, it isn't necessary to provide the hash for an FP submission unless you find a pressing need to discuss it on this list. As Joel said, it helps the team locate what we

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Joel Esler (jesler)
The team is working on this, as we speak. -- Joel Esler | Talos: Manager | jes...@cisco.com On Nov 30, 2016, at 10:23 AM, Jeff Dyke wrote: Thanks Joel and Al, hopefully my hashes, files and virustotal urls are

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
Thanks Joel and Al, hopefully my hashes, files and virustotal urls are helpful. Jeff On Wed, Nov 30, 2016 at 10:21 AM, Joel Esler (jesler) wrote: > Gene, > > Al was simply asking, as he knows we may ask, and it helps us identify the > file faster. Otherwise we have to search

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Joel Esler (jesler)
Gene, Al was simply asking, as he knows we may ask, and it helps us identify the file faster. Otherwise we have to search through and look for the sender email, which sometimes does not match up. -- Joel Esler | Talos: Manager | jes...@cisco.com On Nov 30,

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 06:26:44 Ralf Hildebrandt wrote: > * Ralf Hildebrandt : > > * Al Varnell : > > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > * Al Varnell : > > > >> Has anybody submitted a PDF

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 05:50:07 Al Varnell wrote: > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > * Al Varnell : > >> Has anybody submitted a PDF yet? > > > > Of course. > > Hash? > > -Al- Your site does not ask for a hash, nor does it specify how to

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 05:29:42 Al Varnell wrote: > Has anybody submitted a PDF yet? Normally, nothing can happen until > they have at least one example. Once somebody has a sample they are > allowed to submit, return here with a hash value of the submitted file > so they can expedite

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
I did, multiple. I submitted them again, plus new ones I have found since I first submitted. sha256 - short file name - VirusTotal URL 52457b84faac951b961273cba7fe5f462e9edef14aee394f49981770eb75337e DCBPOS.pdf

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread demonhunter
gth\x20(1[7-9]|[2-9]\d|1\d{2}))/ [daily.hdb] 71dfd9f2a567c2172e530a8c1a97ece3:36378:Pdf.Malware.Agent-1765857 DH - Original Message - From: "Ralf Hildebrandt" <ralf.hildebra...@charite.de> To: clamav-users@lists.clamav.net Sent: Wednesday, November 30, 20

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Ralf Hildebrandt : > * Al Varnell : > > > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > > > * Al Varnell : > > >> Has anybody submitted a PDF yet? > > > > > > Of course. > > > > Hash? > >

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell : > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > * Al Varnell : > >> Has anybody submitted a PDF yet? > > > > Of course. > > Hash? 8d62c398679ab6c7b85749eacf7a9a80 -- Ralf Hildebrandt Charite

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Steve Basford
On Wed, November 30, 2016 10:50 am, Al Varnell wrote: > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > >> >> * Al Varnell : >> >>> Has anybody submitted a PDF yet? >>> >> >> Of course. >> > > Hash? Here's one example I saw in a forum... Source:

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > * Al Varnell : >> Has anybody submitted a PDF yet? > > Of course. Hash? -Al- -- Al Varnell Mountain View, CA

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell : > Has anybody submitted a PDF yet? Of course. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
Has anybody submitted a PDF yet? Normally, nothing can happen until they have at least one example. Once somebody has a sample they are allowed to submit, return here with a hash value of the submitted file so they can expedite processing. -Al- On Wed, Nov 30, 2016 at 02:26 AM, maxal wrote: >

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread maxal
Hi, On Tue, 2016-11-29 at 15:46 -0500, Gene Heskett wrote: > On Tuesday 29 November 2016 11:53:03 Jeff Dyke wrote: > > > > > Is there any way to get updates on a false positive (I submitted > > this > > about a week or so ago), if it is or is not, I still find these. In > > my > > case they

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-29 Thread Gene Heskett
On Tuesday 29 November 2016 11:53:03 Jeff Dyke wrote: > Is there any way to get updates on a false positive (I submitted this > about a week or so ago), if it is or is not, I still find these. In my > case they seem to be ok coming from the printer, but then a > non-technical person opens and

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-29 Thread Jeff Dyke
Is there any way to get updates on a false positive (I submitted this about a week or so ago), if it is or is not, I still find these. In my case they seem to be ok coming from the printer, but then a non-technical person opens and saves the file with a different name (rather than just rename it)

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Jeff Dyke
I also submitted an FP a few days ago. I'm not as much of a fan of whitelisting what could be a fairly serious exploit that I'd be allowing people to download if it were valid. Hopefully it will be fixed up soon. The documents I found it in are public, so if there is a way to expedite the process,

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Hajo Locke
Hello, On 23.11.2016 at 16:10, Ralf Hildebrandt wrote: * Hajo Locke : Hello, unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2 Customer was testing at virustotal and only clamav is finding a virus. Unfortunately I cannot do a FP-Report. All PDFs are

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Ralf Hildebrandt
* Hajo Locke : > Hello, > > unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2 > Customer was testing at virustotal and only clamav is finding a virus. > Unfortunately I cannot do a FP-Report. All PDFs are property of customers > and not public. I