On -10/01/37 20:59, Johannes Schulz wrote:
> "sigtool -fPUA.PDF.OpenActionObject|sigtool --decode-sigs" says:
> VIRUS NAME: PUA.PDF.OpenActionObject
> TARGET TYPE: ANY FILE
> OFFSET: 0
> DECODED SIGNATURE:
> %PDF-{WILDCARD_ANY_STRING}obj{WILDCARD_ANY_STRING(LENGTH<=2)}<<{WILDCARD_ANY_STRING}/OpenAction

Hi,

As of today a bunch of old PDFs on my system were also flagged with
this.  They had been composed in OpenOffice.org Writer and contained:

> /OpenAction[1 0 R /XYZ null null 0]


Also due to the same update (daily 13008) I had a ~1MiB PDF document
made by ImageMagick flagged by:

> VIRUS NAME: PUA.PDF.EmbeddedJS
> TARGET TYPE: ANY FILE
> OFFSET: 0
> DECODED SIGNATURE:
> %PDF-{WILDCARD_ANY_STRING}obj{WILDCARD_ANY_STRING(LENGTH<=2)}<<{WILDCARD_ANY_STRING}/JS

...because halfway through the file, inside some image data, were the
characters "/JS".

Surely this is going to cause many false detections?  Like maybe 1 in 16
out of all PDFs over 1MiB.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
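Added example, not part of the original message and not ClamAV code: the decoded PUA.PDF.EmbeddedJS pattern quoted above, approximated as a Python byte regex and run over two constructed PDF fragments, next to a variant that ignores stream bodies, plus the arithmetic behind the "1 in 16" estimate. The wildcard translation, the function names, the sample bytes and the assumption that image data behaves like uniform random bytes are all assumptions made here.

```python
import re

# Decoded signature from the post, approximated as a byte regex (assumption:
# {WILDCARD_ANY_STRING} = any bytes, (LENGTH<=2) = at most two bytes).
EMBEDDED_JS = re.compile(rb"%PDF-.*?obj.{0,2}<<.*?/JS", re.DOTALL)

# Stream bodies (image data, compressed content) sit between these keywords.
STREAM_BODY = re.compile(rb"stream\r?\n.*?endstream", re.DOTALL)


def raw_match(pdf: bytes) -> bool:
    """Match the way the signature does: over every byte of the file."""
    return EMBEDDED_JS.search(pdf) is not None


def structural_match(pdf: bytes) -> bool:
    """Same pattern, but with stream bodies blanked out first."""
    return EMBEDDED_JS.search(STREAM_BODY.sub(b"stream\nendstream", pdf)) is not None


def chance_of_random_token(n_bytes: int, token_len: int = 3) -> float:
    """Probability that a fixed token occurs somewhere in n_bytes of uniform random data."""
    positions = n_bytes - token_len + 1
    return 1.0 - (1.0 - 256.0 ** -token_len) ** positions


# Constructed sample: an image object whose pixel data happens to contain "/JS".
IMAGE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /XObject /Subtype /Image /Length 13 >>\n"
    b"stream\n\x8f\x02/JS\xd1\x00\x7f\xaa\x10\x9c\x33\x41\nendstream\nendobj\n"
    b"%%EOF\n"
)

# Constructed sample: a /JS key in an object dictionary, outside any stream.
JS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /S /JavaScript /JS (1+1) >>\nendobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    print("image PDF:", raw_match(IMAGE_PDF), structural_match(IMAGE_PDF))
    print("JS PDF:   ", raw_match(JS_PDF), structural_match(JS_PDF))
    print("1 MiB of random data hits '/JS' about 1 in",
          round(1 / chance_of_random_token(1 << 20), 1))
```

Blanking stream bodies is only a sketch of a structure-aware check: it does not parse object streams or handle a literal "endstream" inside binary data.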
