So that the signature gets updated, if necessary. Either your sample is
actually attempting to exploit CVE-2009-4324 and it's evading detection
through our current signature (Exploit.PDF.CVE_2009_4324), or your sample
isn't attempting to exploit CVE-2009-4324. Either way, your sample would be
helpful in order to determine that.

Thanks,

- Alain

On Tue, Jul 28, 2015 at 11:32 AM, P K <pkopen...@gmail.com> wrote:

> Sure. I will submit, but as per the ClamAV database this signature is
> already in the database.
>
> Why should we submit the sample again?
>
>
>
> On Tue, Jul 28, 2015 at 4:58 PM, Alain Zidouemba <azidoue...@sourcefire.com> wrote:
>
> > Yes, please do so. Submit your sample here:
> > http://www.clamav.net/report/report-malware.html and provide the MD5 or
> > SHA256 of the sample you submitted as a reply to this email.
> >
> > Thanks,
> >
> > - Alain
> >
> > On Tue, Jul 28, 2015 at 11:01 AM, Al Varnell <alvarn...@mac.com> wrote:
> >
> > > It does not match the signature for Exploit.PDF.CVE_2009_4324.
> > >
> > > It's looking for a two-part signature:
> > >
> > > In your document there are spaces in the string "/S /JavaScript /JS"
> > > which are not in the signature.
> > >
> > > Your document contains the string "media.newPlayer(null)" whereas the
> > > signature is looking for "this." in front of it.
> > >
> > > Submit your document for possible addition of a new or revised signature.
> > >
> > > -Al-
> > >
> > >
> > >
> > > On Tue, Jul 28, 2015 at 03:01 AM, P K wrote:
> > > >
> > > > Hi Guys,
> > > >
> > > > Still waiting for an answer.
> > > >
> > > > On Thu, Jul 23, 2015 at 8:21 PM, P K <pkopen...@gmail.com> wrote:
> > > >
> > > >> Hi Guys,
> > > >>
> > > >> I am testing ClamAV on my local system to detect POST data from the
> > > >> network.
> > > >> I am a newbie in ClamAV and want to test with real time signatures.
> > > >>
> > > >> I tested with the EICAR test signature and it works fine.
> > > >>
> > > >> *But ClamAV is unable to detect CVE-2009-4324 with pdf.*
> > > >>
> > > >> I see the signature is present in daily.cld and, if extracted, it's
> > > >> present in daily.ldb.
> > > >> Gmail is able to detect the same pdf as a virus.
> > > >>
> > > >> Any help on what is wrong in my ClamAV system and how to fix it?
> > > >>
> > > >> $ clamscan ~/anti/eicar.com.txt
> > > >> */home/pk/anti/eicar.com.txt: Eicar-Test-Signature FOUND*
> > > >>
> > > >> ----------- SCAN SUMMARY -----------
> > > >> Known viruses: 3898123
> > > >> Engine version: 0.98.6
> > > >> Scanned directories: 0
> > > >> Scanned files: 1
> > > >> Infected files: 1
> > > >> Data scanned: 0.00 MB
> > > >> Data read: 0.00 MB (ratio 0.00:1)
> > > >> Time: 6.480 sec (0 m 6 s)    <--------------- took 6sec to detect normal virus
> > > >>
> > > >> $ clamscan ~/anti_new/virus/exploit.pdf
> > > >>
> > > >> */home/pk/anti_new/virus/exploit.pdf: OK*
> > > >> ----------- SCAN SUMMARY -----------
> > > >> Known viruses: 3898123
> > > >> Engine version: 0.98.6
> > > >> Scanned directories: 0
> > > >> Scanned files: 1
> > > >> Infected files: 0
> > > >> Data scanned: 0.00 MB
> > > >> Data read: 0.00 MB (ratio 0.00:1)
> > > >> Time: 8.100 sec (0 m 8 s)
> > > >>
> > > >> I generated the above virus using this link -
> > > >> http://www.decalage.info/exefilter_pdf_exploits
> > > >>
> > > >> I really want to learn ClamAV virus detection and try to enhance it.
> > > >>
> > > >> Thanks
> > > >> --PK
> > > _______________________________________________
> > > Help us build a comprehensive ClamAV guide:
> > > https://github.com/vrtadmin/clamav-faq
> > >
> > > http://www.clamav.net/contact.html#ml
> > >
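The mismatch Al describes in this thread, as an added diagnostic example (not ClamAV code and not part of the original messages): a two-part literal match is run against a constructed PDF fragment and each part is reported as exact, near or absent, so a near miss can be sent in for signature review. The sub-pattern byte strings are assumptions inferred from Al's description rather than copied from daily.ldb, and the function names and samples are hypothetical.

```python
import re

# Literal sub-patterns modelled on Al's description of the two-part signature.
# Assumption: inferred from the thread, not the actual daily.ldb entry.
SUBSIGS = {
    "js_action": b"/S/JavaScript/JS",
    "newplayer_call": b"this.media.newPlayer(null)",
}

# Looser forms used only to explain a miss, never to declare a detection.
NEAR = {
    "js_action": re.compile(rb"/S\s*/JavaScript\s*/JS"),
    "newplayer_call": re.compile(
        rb"(?:this\s*\.\s*)?media\s*\.\s*newPlayer\s*\(\s*null\s*\)"
    ),
}

# Constructed samples: the first mirrors the two differences Al points out
# (spaces between the PDF names, no "this." prefix); the second has neither.
SAMPLE_FROM_THREAD = b"<< /S /JavaScript /JS (media.newPlayer(null);) >>"
SAMPLE_EXACT = b"<</S/JavaScript/JS(this.media.newPlayer(null);)>>"


def explain(data: bytes) -> dict:
    """Per sub-pattern: 'exact' (literal hit), 'near' (variant only) or 'absent'."""
    report = {}
    for name, literal in SUBSIGS.items():
        if literal in data:
            report[name] = "exact"
        elif NEAR[name].search(data):
            report[name] = "near"
        else:
            report[name] = "absent"
    return report


def verdict(report: dict) -> str:
    """The modelled signature fires only when every part matches literally."""
    states = set(report.values())
    if states == {"exact"}:
        return "match"
    if "absent" not in states:
        return "near-miss: submit sample for signature review"
    return "no match"


if __name__ == "__main__":
    for label, blob in (("thread", SAMPLE_FROM_THREAD), ("exact", SAMPLE_EXACT)):
        rep = explain(blob)
        print(label, rep, "->", verdict(rep))
```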