Andreas is probably correct. This signature does appear to be problematic. Detections only recently started to appear because of changes in 0.103.1 to properly handle TIFF files. The signature wasn’t working in prior clamav versions because TIFF file type detection was missing from the daily database. We only discovered the file type detection signatures for TIFF were missing when fixing up the TIFF format verification module. And we didn’t know it was missing at the time the signature was published.
Anyhow, we dropped this signature about an hour ago. It should disappear in the next daily database version. Thanks for the FP report Andreas.

-Micah

From: clamav-users <clamav-users-boun...@lists.clamav.net> On Behalf Of Al Varnell via clamav-users
Sent: Friday, May 7, 2021 4:04 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Al Varnell <alvarn...@mac.com>
Subject: Re: [clamav-users] State of false-positive message evaluation for Img.Exploit.CVE_2017_3049-6268090-0

One additional note. That signature has been in the ClamAV.ldb database since 19 Apr 2017, back when it was first defined, making it relatively unlikely to be a false positive at this point in time. Also note from the CVE-2017-3049 detail <https://nvd.nist.gov/vuln/detail/CVE-2017-3049> that it was at the time considered to be a High threat to Adobe Acrobat Reader versions back then. I'm certain that Adobe has eliminated the threat by now in modern versions, but that doesn't render any exploit as a false positive, since it could still be used to target users who still need to run those older applications for economic or other reasons.

-Al-

On May 7, 2021, at 00:59, Al Varnell <alvarn...@mac.com> wrote:

Prof Rulle,

I believe you mean a false positive, don't you? A false negative would be a failure to report, but clearly ClamAV does detect this. The proper way to report this would be to file a False Positive Report here: <https://www.clamav.net/reports/fp>. If you can also provide a hash value of the file in question back here, that might speed up the process.
Simply verifying one of these hash values from the VirusTotal report will work:

MD5     04267b6af9a1bad85d5cd6aecb1e4d28
SHA-1   cf7d73066f921fc7101c06aebc5e090cebffd2b2
SHA-256 7563a2b175d3c48069960e0290ac08e3f379cd74307e44c995df52d5dc6fc002

-Al-
ClamXAV User

On May 6, 2021, at 23:46, Andreas Rulle <andreas.ru...@itek.de> wrote:

Hi,

thank you for your great service to internet security! A false negative report has been issued this week for Img.Exploit.CVE_2017_3049-6268090-0, see also the VirusTotal report under [1]. The issue has to be handled under the General Data Protection Regulation (GDPR). Therefore I would politely like to ask for the evaluation state of that false negative report. Thanks in advance for your kind response.

[1] https://www.virustotal.com/gui/file/7563a2b175d3c48069960e0290ac08e3f379cd74307e44c995df52d5dc6fc002/detection

--
P.S. Subscribe to our newsletter on current topics in standardisation and IT solutions for your industry! https://www.itek.de/aktuelles/newsletter

ITEK Technologie GmbH
Technologiepark 14
33100 Paderborn
Tel. +49 5251 / 16140
Fax +49 5251 / 161499
www.itek.de
mailto: Andreas ru...@itek.de
Managing Director: Prof. Dr. Uwe Kern
Register court / number: Paderborn / HRB 13522