Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-12-01 Thread Joel Esler (jesler)
Thanks for the feedback Jeff. -- Joel Esler | Talos: Manager | jes...@cisco.com On Nov 30, 2016, at 6:16 PM, Jeff Dyke <jeff.d...@gmail.com> wrote: Just a user or not Al, thanks for the quick update!! Also thank you to the folks that looked into this. I jus

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
Just a user or not Al, thanks for the quick update!! Also thank you to the folks that looked into this. I just rescanned everything I posted after running freshclam and it checks out. Thanks for the efforts! On Wed, Nov 30, 2016 at 5:44 PM, Al Varnell wrote: > And the signature appears to have

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
And the signature appears to have been dropped in daily - 22632. -Al- On Wed, Nov 30, 2016 at 02:39 PM, Al Varnell wrote: > > Let me add a couple of things here. > > - This isn't my site, I'm just a fellow user trying to help get you an answer. > > - Normally, it isn't necessary to provide the

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
Let me add a couple of things here. - This isn't my site, I'm just a fellow user trying to help get you an answer. - Normally, it isn't necessary to provide the hash for an FP submission unless you find a pressing need to discuss it on this list. As Joel said, it helps the team locate what we a

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Joel Esler (jesler)
The team is working on this, as we speak. -- Joel Esler | Talos: Manager | jes...@cisco.com On Nov 30, 2016, at 10:23 AM, Jeff Dyke <jeff.d...@gmail.com> wrote: Thanks Joel and Al, hopefully my hashes, files and virustotal urls are helpful. Jeff On Wed, No

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
Thanks Joel and Al, hopefully my hashes, files and virustotal urls are helpful. Jeff On Wed, Nov 30, 2016 at 10:21 AM, Joel Esler (jesler) wrote: > Gene, > > Al was simply asking, as he knows we may ask, and it helps us identify the > file faster. Otherwise we have to search through and look f

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Joel Esler (jesler)
Gene, Al was simply asking, as he knows we may ask, and it helps us identify the file faster. Otherwise we have to search through and look for the sender email, which, sometimes does not match up. -- Joel Esler | Talos: Manager | jes...@cisco.com On Nov 30, 2016

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 06:26:44 Ralf Hildebrandt wrote: > * Ralf Hildebrandt : > > * Al Varnell : > > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > * Al Varnell : > > > >> Has anybody submitted a PDF yet? > > > > > > > > Of course. > > > > > > Hash? > > > > 8d62c398679

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 05:50:07 Al Varnell wrote: > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > * Al Varnell : > >> Has anybody submitted a PDF yet? > > > > Of course. > > Hash? > > -Al- Your site does not ask for a hash, nor does it specify how to obtain it. It asked fo

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Gene Heskett
On Wednesday 30 November 2016 05:29:42 Al Varnell wrote: > Has anybody submitted a PDF yet? Normally, nothing can happen until > they have at least one example. Once somebody has a sample they are > allowed to submit, return here with a hash value of the submitted file > so they can expedite proce

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Jeff Dyke
I did, multiple. I submitted them again, plus new ones I have found since I first submitted sha256 - short file name - virus total url 52457b84faac951b961273cba7fe5f462e9edef14aee394f49981770eb75337e DCBPOS.pdf https://www.virustotal.com/en/file/52457b84faac951b961273cba7fe5f462e9edef14aee394f49

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread demonhunter
2.{0,20}\x2fLength\x20(1[7-9]|[2-9]\d|1\d{2}))/ [daily.hdb] 71dfd9f2a567c2172e530a8c1a97ece3:36378:Pdf.Malware.Agent-1765857 DH - Original Message - From: "Ralf Hildebrandt" To: clamav-users@lists.clamav.net Sent: Wednesday, November 30, 2016 6:26:44 AM Subject: Re: [clamav-user

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Ralf Hildebrandt : > * Al Varnell : > > > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > > > * Al Varnell : > > >> Has anybody submitted a PDF yet? > > > > > > Of course. > > > > Hash? > > 8d62c398679ab6c7b85749eacf7a9a80 generated by md5sum -- Ralf Hildebrandt

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell : > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > > > * Al Varnell : > >> Has anybody submitted a PDF yet? > > > > Of course. > > Hash? 8d62c398679ab6c7b85749eacf7a9a80 -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Steve Basford
On Wed, November 30, 2016 10:50 am, Al Varnell wrote: > > On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > >> >> * Al Varnell : >> >>> Has anybody submitted a PDF yet? >>> >> >> Of course. >> > > Hash? Here's one example I saw in a forum... Source: http://www.ubuntu-es.org/node/19132

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
On Wed, Nov 30, 2016 at 02:33 AM, Ralf Hildebrandt wrote: > > * Al Varnell : >> Has anybody submitted a PDF yet? > > Of course. Hash? -Al- -- Al Varnell Mountain View, CA

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Ralf Hildebrandt
* Al Varnell : > Has anybody submitted a PDF yet? Of course. -- Ralf Hildebrandt Charite Universitätsmedizin Berlin ralf.hildebra...@charite.de Campus Benjamin Franklin http://www.charite.de Hindenburgdamm 30, 12203 Berlin Geschäftsbereich IT, Abt. Netzwerk

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread Al Varnell
Has anybody submitted a PDF yet? Normally, nothing can happen until they have at least one example. Once somebody has a sample they are allowed to submit, return here with a hash value of the submitted file so they can expedite processing. -Al- On Wed, Nov 30, 2016 at 02:26 AM, maxal wrote: >

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-30 Thread maxal
hi, On Tue, 2016-11-29 at 15:46 -0500, Gene Heskett wrote: > On Tuesday 29 November 2016 11:53:03 Jeff Dyke wrote: > > > > > Is there any way to get updates on a false positives(i submitted > > this > > about a week or so ago), if it is or is not, i still find these. In > > my > > case they seem

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-29 Thread Gene Heskett
On Tuesday 29 November 2016 11:53:03 Jeff Dyke wrote: > Is there any way to get updates on a false positives(i submitted this > about a week or so ago), if it is or is not, i still find these. In my > case they seem to be ok coming from the printer, but then a > non-technical person opens and save

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-29 Thread Jeff Dyke
Is there any way to get updates on a false positive (I submitted this about a week or so ago), if it is or is not, I still find these. In my case they seem to be ok coming from the printer, but then a non-technical person opens and saves the file with a different name (rather than just rename it) w

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Jeff Dyke
I also submitted an FP a few days ago. I'm not as much of a fan of whitelisting what could be a fairly serious exploit that I'd be allowing people to download if it were valid. Hopefully it will be fixed up soon. The documents I found it in are public, so if there is a way to expedite the process,

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Hajo Locke
Hello, On 23.11.2016 at 16:10, Ralf Hildebrandt wrote: * Hajo Locke : Hello, unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2 Customer was testing at virustotal and only clamav is finding a virus. Unfortunately I can not do a FP-Report. All PDFs are property of costume

Re: [clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Ralf Hildebrandt
* Hajo Locke : > Hello, > > unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2 > Customer was testing at virustotal and only clamav is finding a virus. > Unfortunately I can not do a FP-Report. All PDFs are property of customers > and not public. I already did a FP report. I

[clamav-users] FP Pdf.Exploit.CVE_2016_1091-2

2016-11-23 Thread Hajo Locke
Hello, unfortunately we have some problems with FP Pdf.Exploit.CVE_2016_1091-2 Customer was testing at virustotal and only clamav is finding a virus. Unfortunately I can not do a FP-Report. All PDFs are property of customers and not public. I hope there are some additional FP-Reports from other