Hi,

ClamAV 0.96 on our mail server is running very well. We ship many PDF files every day and have some false positive detections.

How can we solve the problem?

Today ClamAV found 4 false positives:

xxxxxxxx01:~/ClamAV# clamscan *
2.pdf: Exploit.PDF-34 FOUND
3.pdf: Exploit.PDF-27 FOUND
4.pdf: Exploit.PDF-34 FOUND
5.pdf: Exploit.PDF-34 FOUND

xxxxxxxx01:~/ClamAV# md5sum *
5495fcf7d5c65efbfffe62d23c61db82  2.pdf
df0bac21be65eba95dd597b1cfa82f49  3.pdf
b0a6dbcd1d1c35ca42a0a21234d081cb  4.pdf
73fbd8d4d43031122ca1dff2e8be79c0  5.pdf

I get the following results by scanning with the --debug option:

xxxxxxxx01:~/ClamAV# clamscan --debug 2.pdf
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: cache_check: 5495fcf7d5c65efbfffe62d23c61db82 is negative
LibClamAV debug: Recognized PDF document file
LibClamAV debug: in cli_pdf(/tmp/clamav-7f6fcc2999c5d860981e7913ead92980)
LibClamAV debug: cli_pdf: scanning 1094752 bytes
LibClamAV debug: cli_pdf: Encrypted PDF files not yet supported
LibClamAV debug: Matched signature for file type PDF at 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Exploit.PDF-34 found in descriptor 3
LibClamAV debug: FP SIGNATURE: 5495fcf7d5c65efbfffe62d23c61db82:1094752:Exploit.PDF-34
LibClamAV debug: cli_magic_scandesc: returning 1  at line 2262

xxxxxxxx01:~/ClamAV# clamscan --debug 2.pdf
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: cache_check: df0bac21be65eba95dd597b1cfa82f49 is negative
LibClamAV debug: Recognized PDF document file
LibClamAV debug: in cli_pdf(/tmp/clamav-6c7247a34d051e7967c0fe9da359b47b)
LibClamAV debug: cli_pdf: scanning 7627256 bytes
LibClamAV debug: cli_pdf: Encrypted PDF files not yet supported
LibClamAV debug: Matched signature for file type PDF at 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Exploit.PDF-27 found in descriptor 3
LibClamAV debug: FP SIGNATURE: df0bac21be65eba95dd597b1cfa82f49:7627256:Exploit.PDF-27
LibClamAV debug: cli_magic_scandesc: returning 1  at line 2262
3.pdf: Exploit.PDF-27 FOUND

xxxxxxxx01:~/ClamAV# clamscan --debug 4.pdf
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: cache_check: b0a6dbcd1d1c35ca42a0a21234d081cb is negative
LibClamAV debug: Recognized PDF document file
LibClamAV debug: in cli_pdf(/tmp/clamav-e99c5b60a4917356e48483dd595e6a6d)
LibClamAV debug: cli_pdf: scanning 2588525 bytes
LibClamAV debug: cli_pdf: Encrypted PDF files not yet supported
LibClamAV debug: Matched signature for file type PDF at 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Exploit.PDF-34 found in descriptor 3
LibClamAV debug: FP SIGNATURE: b0a6dbcd1d1c35ca42a0a21234d081cb:2588525:Exploit.PDF-34
LibClamAV debug: cli_magic_scandesc: returning 1  at line 2262
4.pdf: Exploit.PDF-34 FOUND

xxxxxxxx01:~/ClamAV# clamscan --debug 5.pdf
LibClamAV debug: in cli_magic_scandesc (reclevel: 0/16)
LibClamAV debug: cache_check: 73fbd8d4d43031122ca1dff2e8be79c0 is negative
LibClamAV debug: Recognized PDF document file
LibClamAV debug: in cli_pdf(/tmp/clamav-4a4f30787e2796c7799bbc603452cfc7)
LibClamAV debug: cli_pdf: scanning 1127417 bytes
LibClamAV debug: cli_pdf: Encrypted PDF files not yet supported
LibClamAV debug: Matched signature for file type PDF at 0
LibClamAV debug: hashtab: Freeing hashset, elements: 0, capacity: 0
LibClamAV debug: Exploit.PDF-34 found in descriptor 3
LibClamAV debug: FP SIGNATURE: 73fbd8d4d43031122ca1dff2e8be79c0:1127417:Exploit.PDF-34
LibClamAV debug: cli_magic_scandesc: returning 1  at line 2262
5.pdf: Exploit.PDF-34 FOUND

I know I can whitelist the file checksum, but I think that is not a good idea - the same file is not often sent.

I appreciate every little note and link - thanks

Best Regards

Andreas

HDPnet GmbH
Erwin-Rohde-Str. 18
69120 Heidelberg

Managing Director: Marc Hermann
Register court: Mannheim HRB 337012
Registered office: Heidelberg
VAT ID No.: DE 211 257 470
www.hdpnet.de

This e-mail contains confidential and/or legally protected
information. If you are not the intended recipient or have received this
e-mail in error, please inform the sender immediately and
destroy this e-mail. Unauthorized copying and unauthorized
forwarding of this e-mail is not permitted.
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
