I see there is a rewrite in daily 23349 that just posted:

> VIRUS NAME: Pdf.Exploit.CVE_2017_3039-6300177-2
> TDB: Engine:81-255,Target:10
> LOGICAL EXPRESSION: 0&1&2=0
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> /Adobe.PPKLite/Location{WILDCARD_ANY_STRING(LENGTH<=290)}/SubFilter
>  * SUBSIG ID 1
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> /Sig
>  * SUBSIG ID 2
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
>  +-> TRIGGER: 0&1
>  +-> REGEX: \x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig
>  +-> CFLAGS: sm
-Al-

On Tue, May 02, 2017 at 12:38 AM, Al Varnell wrote:
>
> It never appeared on a daily as being dropped, but when I checked on Saturday
> and again just now, I can't find it:
>
>> $ sigtool --find Pdf.Exploit.CVE_2017_3039-6300177-0
>> $
>
> I don't think it is related, but there was an issue with DNS that stopped all
> updates after 23343 late Saturday until mid morning Monday Pacific Time.
>
> -Al-
>
> On Tue, May 02, 2017 at 12:27 AM, Vladislav Kurz wrote:
>>
>> Hello,
>>
>> did you really drop the signature?
>>
>> During the weekend scan (clamscan), we got 45 false positives. According
>> to file names, they seem to be signed official PDF documents from government.
>>
>> On 04/28/17 17:16, Christopher Marczewski wrote:
>>> Thanks for the reports. We'll be modifying the signature.
>>>
>>> In the interim, I've dropped the current signature.
>>>
>>> On Fri, Apr 28, 2017 at 11:01 AM, Vladislav Kurz <vladislav.k...@webstep.net
>>>> wrote:
>>>
>>>> I have the same problem, and already submitted a false positive report.
>>>> In our case it was a signed pdf, so I suspect that the signature makes
>>>> it FP. But I have no idea how to work around it now. Maybe disable pdf
>>>> scanning?
>>>>
>>>> On 04/28/17 16:47, Giuseppe Ravasio wrote:
>>>>> Hi,
>>>>> since this morning daily signature update 23337
>>>>> and even with the latest one 23338
>>>>> my amavis flags some emails with PDF attachments as virus:
>>>>> Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>>>
>>>>> Checking the PDF with other AVs and even with clamscan (on the same
>>>>> server) results in a clean file:
>>>>>
>>>>> beppe@thot:/tmp$ clamscan TCA.pdf
>>>>> TCA.pdf: OK
>>>>>
>>>>> ----------- SCAN SUMMARY -----------
>>>>> Known viruses: 6272759
>>>>> Engine version: 0.99.2
>>>>> Scanned directories: 0
>>>>> Scanned files: 1
>>>>> Infected files: 0
>>>>> Data scanned: 0.22 MB
>>>>> Data read: 0.08 MB (ratio 2.71:1)
>>>>> Time: 17.277 sec (0 m 17 s)
>>>>>
>>>>> if I check the file with clamdscan I get the virus found:
>>>>> beppe@thot:/tmp$ clamdscan TCA.pdf
>>>>> /tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND
>>>>>
>>>>> ----------- SCAN SUMMARY -----------
>>>>> Infected files: 1
>>>>> Time: 0.032 sec (0 m 0 s)
>>>>>
>>>>> Any hints on how to solve the problem?
>>>>>
>>>>> Thanks
>>>>> Giuseppe
>>>>> _______________________________________________
>>>>> clamav-users mailing list
>>>>> clamav-users@lists.clamav.net
>>>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>>>>>
>>>>> Help us build a comprehensive ClamAV guide:
>>>>> https://github.com/vrtadmin/clamav-faq
>>>>>
>>>>> http://www.clamav.net/contact.html#ml
>
> -Al-

-Al-
-- 
Al Varnell
Mountain View, CA
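Added example, not code from the thread or from ClamAV: a small Python re-implementation of the three subsignatures quoted at the top of this message, run over a constructed signature dictionary of the kind an ordinary PKCS#7-signed PDF carries, to show why a benign signed document satisfies all three parts and how the TRIGGER on subsig 2 gates the PCRE. The `{WILDCARD_ANY_STRING(LENGTH<=290)}` wildcard is rendered as `.{0,290}` here (my translation), and the `=0` count operator of the logical expression is not evaluated, only per-subsignature hits.

```python
import re

# Subsignatures transcribed from the sigtool output quoted above. Subsig 0 is a
# body signature with a wildcard; the wildcard is rendered as .{0,290} with
# DOTALL (my approximation, not ClamAV's own matcher).
SUBSIGS = {
    0: re.compile(rb"/Adobe\.PPKLite/Location.{0,290}/SubFilter", re.S),
    1: re.compile(rb"/Sig"),
    # Subsig 2 is the PCRE with CFLAGS "sm" (DOTALL + MULTILINE).
    2: re.compile(
        rb"\x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig",
        re.S | re.M,
    ),
}
# TRIGGER: 0&1 -- subsig 2 is only evaluated once subsigs 0 and 1 have hit.
TRIGGER = {2: (0, 1)}


def match_subsigs(data: bytes) -> dict:
    """Return {subsig_id: matched} for one buffer, honouring the trigger."""
    hits = {}
    for sid, rx in SUBSIGS.items():
        deps = TRIGGER.get(sid, ())
        if any(not hits.get(d, False) for d in deps):
            hits[sid] = False  # trigger not satisfied: the PCRE is never run
            continue
        hits[sid] = rx.search(data) is not None
    return hits


# Constructed sample: a compact signature dictionary as written into an
# ordinary signed PDF (/Contents shortened to a placeholder; no exploit data).
SIGNED_PDF_FRAGMENT = (
    b"<</ByteRange[0 1234 5678 9012]/Contents<3082deadbeef>"
    b"/Filter/Adobe.PPKLite/Location(Prague)/M(D:20170428100000+02'00')"
    b"/Reason(Approved)/SubFilter/adbe.pkcs7.detached/Type/Sig>>"
)
# Constructed sample: an unsigned page object from a plain PDF.
UNSIGNED_PDF_FRAGMENT = b"<</Type/Page/Parent 3 0 R/MediaBox[0 0 595 842]>>"

if __name__ == "__main__":
    for name, blob in (("signed", SIGNED_PDF_FRAGMENT),
                       ("unsigned", UNSIGNED_PDF_FRAGMENT)):
        print(name, match_subsigs(blob))
```

Running it shows the signed fragment hitting subsigs 0, 1 and 2 while the unsigned one hits none, which is the false-positive behaviour reported in the thread reproduced outside of clamd.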