On 10.10.2023 13:32, Tsutomu Oyamada wrote:
Hi, all
We received the following report from one of our users.
The user is using Clamd0.103 on AIX7,2.
When clamd with the option "ArchiveBlockEncrypted" ON scans a specific PDF which is locked
for editing, it is detected as "Heuristics.Encrypted.PDF FOUND".
https://github.com/Cisco-Talos/clamav/issues/770
$ pdf-parser.py -o 40 214-230137_01_006.pdf
obj 40 0
Type:
Referencing:
<<
/EncryptMetadata true
/P -1852
/U
<<
/StdCF
<<
/Type /CryptFilter
/Length 16
/AuthEvent /DocOpen
/CFM /AESV2
>>
>>
/Length 128
/V 4
/Filter /Standard
>>
The PDF is locked for editing, but not locked for viewing.
The PDF file can be found at the following URL.
https://www.promark-inc.com/dl/temp/214-230137_01_006.pdf
It looks like the same behavior when clamd scans a PDF which is locked for
viewing.
The log is as follows:
Fri Sep 29 14:35:33 2023 -> /home/user/214-230137_01_006.pdf:
Heuristics.Encrypted.PDF(52d94f1cc9d57e3b350c4cec85c68387:222005) FOUND
We could reproduce the behavior on our test environment, clamd daemon 1.0.2
(OS: Linux, ARCH: x86_64, CPU: x86_64).
Could you tell us how to fix it to scan that PDF properly?
T.O
_______________________________________________
Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation
https://docs.clamav.net/#mailing-lists-and-chat