On Tue, 10 Oct 2023, Tsutomu Oyamada wrote:
> Hi, all
> We received the following report from one of our users.
> The user is using Clamd0.103 on AIX7,2.
> When clamd with the option "ArchiveBlockEncrypted" ON scans a specific PDF which is locked
> for editing, it is detected as "Heuristics.Encrypted.PDF FOUND".
> The PDF is locked for editing, but not locked for viewing.
> The PDF file can be found at the following URL.
> https://www.promark-inc.com/dl/temp/214-230137_01_006.pdf
> It looks like the same behavior when clamd scans a PDF which is locked for
> viewing.
> The log is as follows:
> Fri Sep 29 14:35:33 2023 -> /home/user/214-230137_01_006.pdf:
> Heuristics.Encrypted.PDF(52d94f1cc9d57e3b350c4cec85c68387:222005) FOUND

With 0.103.9* and that setting in /etc/clamav/clamd.conf I get

    WARNING: Using deprecated option "ArchiveBlockEncrypted" to alert on
    encrypted archives _and_ documents. Please update your configuration
    to use replacement options "AlertEncrypted", or "AlertEncryptedArchive"
    and/or "AlertEncryptedDoc".

The command

    clamscan --alert-encrypted=yes 214-230137_01_006.pdf

reports:

    /tmp/werdna/214-230137_01_006.pdf: Heuristics.Encrypted.PDF FOUND

    ----------- SCAN SUMMARY -----------
    Known viruses: 8674592
    Engine version: 0.103.9
    Scanned directories: 0
    Scanned files: 1
    Infected files: 1
    Data scanned: 0.00 MB
    Data read: 0.21 MB (ratio 0.00:1)
    Time: 14.174 sec (0 m 14 s)
    Start Date: 2023:10:11 08:27:20
    End Date: 2023:10:11 08:27:34

----
* I'm still waiting for Ubuntu to upgrade to 0.103.10 or better.
--
Andrew C. Aitchison Kendal, UK
and...@aitchison.me.uk