The signature is looking for just a few strings that appear to give no indication whatsoever that a vulnerability is being exploited. I do not understand why this signature was created or why it's taking so long to remove it. I added it to a .ign2 file in our system to prevent further false positives from occurring. Below is the signature and a breakdown of what it's looking for:
[daily.ldb]
Pdf.Exploit.CVE_2016_1091-2;Engine:81-255,Target:10;(0&1&2&3)&4;2F4F75746C696E6573;2F4163726F466F726D;2F506167654D6F64652F5573654F75746C696E6573;2F547970652F436174616C6F672F566965776572507265666572656E636573;0&1&2&3/\/Outlines (?P<objid>\d+) 0 R(.*)(?!P=objid) 0 obj/smi

Strings:
$ echo 2F4F75746C696E6573 | xxd -r -p
/Outlines
$ echo 2F4163726F466F726D | xxd -r -p
/AcroForm
$ echo 2F506167654D6F64652F5573654F75746C696E6573 | xxd -r -p
/PageMode/UseOutlines
$ echo 2F547970652F436174616C6F672F566965776572507265666572656E636573 | xxd -r -p
/Type/Catalog/ViewerPreferences

Regex:
/\/Outlines (?P<objid>\d+) 0 R(.*)(?!P=objid) 0 obj/smi

I've seen false positives for several other PDF signatures over the past few months, too. Some were caused by signatures like this one, that do not seem to correctly identify exploitation of a vulnerability, and others were hashes of what appeared to be non-malicious PDF files. Unfortunately I do not have any files that match these signatures available to share right now.
These two signatures have caused false positives for us, and ClamAV has since removed them from their database:

[daily.ndb]
Pdf.Exploit.CVE_2016_4207-1:10:*:466F6E744E616D652F4142434445452B826C8272233230835383568362834E
Pdf.Malware.Agent-1806133 (I do not have a copy of this signature readily available)

The following two signatures have also caused false positives for us, and are still in the official ClamAV database:

[daily.ldb]
Pdf.Exploit.CVE_2016_3370-1;Engine:81-255,Target:10;1;2f4346{-60}2f417574684576656e742f446f634f70656e2f43464d{-10}5632{-20}2f4c656e677468;0/(\x2fCF.{2,60}\x2fAuthEvent\x2fDocOpen\x2fCFM.{2,10}V2.{0,20}\x2fLength\x20(1[7-9]|[2-9]\d|1\d{2}))/

[daily.hdb]
71dfd9f2a567c2172e530a8c1a97ece3:36378:Pdf.Malware.Agent-1765857

DH

----- Original Message -----
From: "Ralf Hildebrandt" <ralf.hildebra...@charite.de>
To: clamav-users@lists.clamav.net
Sent: Wednesday, November 30, 2016 6:26:44 AM
Subject: Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

* Ralf Hildebrandt <ralf.hildebra...@charite.de>:
> * Al Varnell <alvarn...@mac.com>:
> >
> > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote:
> > >
> > > * Al Varnell <alvarn...@mac.com>:
> > >> Has anybody submitted a PDF yet?
> > >
> > > Of course.
> >
> > Hash?
>
> 8d62c398679ab6c7b85749eacf7a9a80 generated by md5sum

--
Ralf Hildebrandt
Charite Universitätsmedizin Berlin
ralf.hildebra...@charite.de
Campus Benjamin Franklin
http://www.charite.de
Hindenburgdamm 30, 12203 Berlin
Geschäftsbereich IT, Abt.
Netzwerk fon: +49-30-450.570.155

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
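The signature breakdown in the post, as an added example written for this page (it is not code from the post, from DH, or from ClamAV): a small Python matcher that imitates the .ldb semantics the quoted Pdf.Exploit.CVE_2016_1091-2 signature relies on, namely plain hex subsignatures, a PCRE subsignature gated by its trigger expression, and a logical expression over the results, run over a constructed minimal PDF. Assumptions: only plain hex subsignatures are supported (no `{n-m}` or `??` wildcards, so the CVE_2016_3370 signature would be rejected), the Engine/Target block is ignored, and Python's `re` stands in for libpcre. One thing the code makes visible: as reproduced on the page, `(?!P=objid)` is a negative lookahead for the literal text `P=objid`, not a backreference to the captured object number (that would be `(?P=objid)`), so the regex accepts any ` 0 obj` following the `/Outlines N 0 R` reference, and a catalog that simply has outlines, a form and viewer preferences is enough to satisfy all five subsignatures.

```python
import binascii
import re

# The daily.ldb signature quoted in the post, copied verbatim.
SIG = (
    "Pdf.Exploit.CVE_2016_1091-2;Engine:81-255,Target:10;(0&1&2&3)&4;"
    "2F4F75746C696E6573;2F4163726F466F726D;"
    "2F506167654D6F64652F5573654F75746C696E6573;"
    "2F547970652F436174616C6F672F566965776572507265666572656E636573;"
    r"0&1&2&3/\/Outlines (?P<objid>\d+) 0 R(.*)(?!P=objid) 0 obj/smi"
)

# Constructed sample (not a file from the thread): a minimal PDF whose catalog
# has outlines, an AcroForm and viewer preferences. No exploit, just the tokens.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj
<</Type/Catalog/ViewerPreferences<</DisplayDocTitle true>>/PageMode/UseOutlines/Outlines 2 0 R/AcroForm 4 0 R/Pages 3 0 R>>
endobj
2 0 obj
<</Type/Outlines/Count 0>>
endobj
3 0 obj
<</Type/Pages/Kids[]/Count 0>>
endobj
4 0 obj
<</Fields[]>>
endobj
trailer
<</Root 1 0 R>>
%%EOF
"""

HEX_RE = re.compile(r"[0-9A-Fa-f]+")
PCRE_RE = re.compile(r"([0-9&|()]+)/(.*)/([a-z]*)", re.S)  # trigger/pattern/flags


def parse_ldb(sig):
    """Split one .ldb line into (name, target block, logical expression, subsigs)."""
    name, target, logic, *subsigs = sig.split(";")
    return name, target, logic, subsigs


def decode_hex_subsigs(sig):
    """The plain hex subsignatures as bytes (what the xxd commands in the post show)."""
    return [binascii.unhexlify(s) for s in parse_ldb(sig)[3] if HEX_RE.fullmatch(s)]


def eval_logic(expr, hits):
    """Evaluate a logical expression over per-subsig results. Supports only what
    this signature needs: subsig numbers, '&', '|' and parentheses. ClamAV's
    match-count forms such as '0>3' are not handled in this example."""
    pos = 0

    def peek():
        return expr[pos] if pos < len(expr) else ""

    def atom():
        nonlocal pos
        if peek() == "(":
            pos += 1
            value = or_expr()
            if peek() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            pos += 1
            return value
        start = pos
        while peek().isdigit():
            pos += 1
        index = int(expr[start:pos])
        return index < len(hits) and hits[index]

    def and_expr():
        nonlocal pos
        value = atom()
        while peek() == "&":
            pos += 1
            value = atom() and value  # always consume the right operand
        return value

    def or_expr():
        nonlocal pos
        value = and_expr()
        while peek() == "|":
            pos += 1
            rhs = and_expr()
            value = value or rhs
        return value

    result = or_expr()
    if pos != len(expr):
        raise ValueError("trailing input in %r" % expr)
    return result


def subsig_hits(subsigs, data):
    """Match each subsignature in order. A PCRE subsig runs only once its trigger
    holds for the earlier results, which is how ClamAV gates regex subsigs."""
    hits = []
    for sub in subsigs:
        pcre = PCRE_RE.fullmatch(sub)
        if pcre is None:
            if not HEX_RE.fullmatch(sub):
                raise ValueError("wildcard hex subsig not supported here: %r" % sub)
            hits.append(binascii.unhexlify(sub) in data)
            continue
        trigger, pattern, flags = pcre.groups()
        if not eval_logic(trigger, hits):
            hits.append(False)
            continue
        re_flags = 0
        for letter, flag in (("i", re.I), ("s", re.S), ("m", re.M)):
            if letter in flags:
                re_flags |= flag
        hits.append(re.search(pattern.encode(), data, re_flags) is not None)
    return hits


def scan(sig, data):
    """Return (signature name, matched?, per-subsig hit list) for one .ldb line."""
    name, _target, logic, subsigs = parse_ldb(sig)
    hits = subsig_hits(subsigs, data)
    return name, eval_logic(logic, hits), hits


if __name__ == "__main__":
    cases = (("benign sample", SAMPLE_PDF),
             ("same file without /AcroForm", SAMPLE_PDF.replace(b"/AcroForm 4 0 R", b"")))
    for label, blob in cases:
        name, matched, hits = scan(SIG, blob)
        print("%-28s %s -> %s %s" % (label, name, "FOUND" if matched else "clean", hits))
```

Run as a script it reports the benign sample as FOUND with all five subsignatures hit, and the same bytes with the `/AcroForm` reference removed as clean, since subsig 1 fails and the regex subsig is then never triggered. The matcher is a simplification for reading signatures, not a replacement for `clamscan`; to reproduce a real false positive you would still scan the actual file with ClamAV.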