a3e8a7602797c69f6320225e8137d063 exploit.pdf

On Tue, Jul 28, 2015 at 5:14 PM, Joel Esler (jesler) <jes...@cisco.com> wrote:

> Can you provide us with the hash for the file?
>
> --
> Joel Esler
> Manager, Threat Intelligence and Open Source
> Talos Group
> Sent from my iPhone
>
> On Jul 28, 2015, at 7:43 AM, P K <pkopen...@gmail.com> wrote:
>
> Sure. I uploaded same. I wanted someone else to try to make sure it's an issue with clamav.
>
> Can you point me to any other real virus (except eicar) to try to make sure my clamAv is working properly.
>
> I want to try clamav by sending a real virus file.
>
> Thanks
> --Pk
>
> ---------- Forwarded message ----------
> From: Alain Zidouemba <azidoue...@sourcefire.com>
> Date: Tue, Jul 28, 2015 at 5:07 PM
> Subject: Re: [clamav-users] Unable to detect pdf virus
> To: ClamAV users ML <clamav-users@lists.clamav.net>
>
> So that the signature gets updated, if necessary. Either your sample is actually attempting to exploit CVE-2009-4324 and it's evading detection through our current signature (Exploit.PDF.CVE_2009_4324), or your sample isn't attempting to exploit CVE-2009-4324. Either way, your sample would be helpful in order to determine that.
>
> Thanks,
>
> - Alain
>
> On Tue, Jul 28, 2015 at 11:32 AM, P K <pkopen...@gmail.com> wrote:
>
> Sure. I will submit, but as per the clamav database this signature is already in the database.
>
> Why should we submit the sample again?
>
> On Tue, Jul 28, 2015 at 4:58 PM, Alain Zidouemba <azidoue...@sourcefire.com> wrote:
>
> Yes, please do so. Submit your sample here: http://www.clamav.net/report/report-malware.html and provide the MD5 or SHA256 of the sample you submitted as a reply to this email.
>
> Thanks,
>
> - Alain
>
> On Tue, Jul 28, 2015 at 11:01 AM, Al Varnell <alvarn...@mac.com> wrote:
>
> It does not match the signature for Exploit.PDF.CVE_2009_4324.
>
> It's looking for a two-part signature:
>
> In your document there are spaces in the string "/S /JavaScript /JS" which are not in the signature.
>
> Your document contains the string "media.newPlayer(null)" whereas the signature is looking for "this." in front of it.
>
> Submit your document for possible addition of a new or revised signature.
>
> -Al-
>
> On Tue, Jul 28, 2015 at 03:01 AM, P K wrote:
>
> Hi Guys,
>
> Still waiting for an answer.
>
> On Thu, Jul 23, 2015 at 8:21 PM, P K <pkopen...@gmail.com> wrote:
>
> Hi Guys,
>
> I am testing clamav in my local system to detect POST data from the network. I am a newbie in ClamAv and want to test with real-time signatures.
>
> I tested with the Eicar Test Signature and it works fine.
>
> *But ClamAv is unable to detect CVE-2009-4324 with pdf.*
>
> I see the signature is present in daily.cld and if extracted it's present in daily.ldb.
> Gmail is able to detect the same pdf as a virus.
>
> Any help on what is wrong in my ClamAv system and how to fix it.
>
> $ clamscan ~/anti/eicar.com.txt
> */home/pk/anti/eicar.com.txt: Eicar-Test-Signature FOUND*
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 3898123
> Engine version: 0.98.6
> Scanned directories: 0
> Scanned files: 1
> Infected files: 1
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 6.480 sec (0 m 6 s) <--------------- took 6 sec to detect a normal virus
>
> $ clamscan ~/anti_new/virus/exploit.pdf
> */home/pk/anti_new/virus/exploit.pdf: OK*
>
> ----------- SCAN SUMMARY -----------
> Known viruses: 3898123
> Engine version: 0.98.6
> Scanned directories: 0
> Scanned files: 1
> Infected files: 0
> Data scanned: 0.00 MB
> Data read: 0.00 MB (ratio 0.00:1)
> Time: 8.100 sec (0 m 8 s)
>
> I generated the above virus using this link - http://www.decalage.info/exefilter_pdf_exploits
>
> I really want to learn ClamAv virus detection and try to enhance it.
> Thanks
> --PK
> _______________________________________________
> Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
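As an added example (not code from the thread or from the ClamAV project), the two indicators Al names are checked first the way a byte-literal signature sees them and then in a whitespace-tolerant form, which shows why the spaced sample scans clean and how a more robust check looks. The PDF fragments are constructed strings, the signature name passed to `to_ldb` is a placeholder, and the `.ldb` rendering assumes ClamAV's documented `{n-m}` byte-gap wildcard and target type 10 (PDF).

```python
import re

# The two indicators named in the thread. A byte-literal signature needs the
# exact bytes "/S/JavaScript/JS" and "this.media.newPlayer(null)"; the sample
# in the thread had "/S /JavaScript /JS" and no leading "this.".
LITERAL_SUBSIGS = (b"/S/JavaScript/JS", b"this.media.newPlayer(null)")

# PDF permits arbitrary whitespace between name tokens, and "this." is
# optional in Acrobat JavaScript, so a detector should not depend on either.
TOLERANT_SUBSIGS = (
    re.compile(rb"/S\s*/JavaScript\s*/JS"),
    re.compile(rb"(?:this\s*\.\s*)?media\s*\.\s*newPlayer\s*\(\s*null\s*\)"),
)


def literal_match(data: bytes) -> bool:
    """Mimic a byte-literal signature: every sub-signature must appear verbatim."""
    return all(s in data for s in LITERAL_SUBSIGS)


def tolerant_match(data: bytes) -> bool:
    """Same two indicators, tolerant of whitespace and the optional 'this.'."""
    return all(p.search(data) for p in TOLERANT_SUBSIGS)


def to_ldb(name: str, subsigs: list[list[bytes]], gap: str = "{0-2}") -> str:
    """Render the indicators as a ClamAV logical-signature (.ldb) line.

    Tokens inside one sub-signature are joined with a {n-m} byte-gap wildcard
    so whitespace between PDF name tokens no longer defeats the match.
    Target:10 is ClamAV's PDF target type; all sub-signatures must match (0&1).
    """
    hexsubs = [gap.join(tok.hex() for tok in tokens) for tokens in subsigs]
    logic = "&".join(str(i) for i in range(len(hexsubs)))
    return ";".join([name, "Target:10", logic, *hexsubs])


# Constructed PDF action-dictionary fragments (strings only, not real files).
CANONICAL = b"<< /Type /Action /S/JavaScript/JS (this.media.newPlayer(null);) >>"
SPACED = b"<< /Type /Action /S /JavaScript /JS (media.newPlayer(null);) >>"
BENIGN = b"<< /Type /Action /S /JavaScript /JS (app.alert('hello');) >>"

if __name__ == "__main__":
    for label, frag in (("canonical", CANONICAL), ("spaced", SPACED), ("benign", BENIGN)):
        print(f"{label:9} literal={literal_match(frag)!s:5} tolerant={tolerant_match(frag)}")
    # Placeholder signature name; a real one would follow ClamAV naming rules.
    print(to_ldb("Example.PDF.PLACEHOLDER",
                 [[b"/S", b"/JavaScript", b"/JS"], [b"media.newPlayer(null)"]]))
```

The tolerant check still misses PDF name escaping (for example `/J#61vaScript`) and content inside compressed streams, which is why ClamAV applies its PDF signatures to the decoded objects rather than the raw file.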