Mailing List Archive

Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
Hi,
since this morning daily signature update 23337
and even with the latest one 23338
my amavis flags some emails with PDF attachments as virus:
Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND

Checking the PDF with other AVs and even with clamscan (on the same
server) results in a clean file:

beppe@thot:/tmp$ clamscan TCA.pdf
TCA.pdf: OK

----------- SCAN SUMMARY -----------
Known viruses: 6272759
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.22 MB
Data read: 0.08 MB (ratio 2.71:1)
Time: 17.277 sec (0 m 17 s)

if I check the file with clamdscan I get the virus found:
beppe@thot:/tmp$ clamdscan TCA.pdf
/tmp/TCA.pdf: Pdf.Exploit.CVE_2017_3039-6300177-0 FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.032 sec (0 m 0 s)

Any hints on how to solve the problem?

Thanks
Giuseppe
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
I have the same problem, and already submitted a false positive report.
In our case it was a signed pdf, so I suspect that the signature makes
it FP. But I have no idea how to work around it now. Maybe disable pdf
scanning?

On 04/28/17 16:47, Giuseppe Ravasio wrote:


Re: Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
Thanks for the reports. We'll be modifying the signature.

In the interim, I've dropped the current signature.

On Fri, Apr 28, 2017 at 11:01 AM, Vladislav Kurz <vladislav.kurz@webstep.net> wrote:



--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski@sourcefire.com
Phone: 443.832.2975
Re: Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
Hello,

did you really drop the signature?

During the weekend scan (clamscan), we got 45 false positives. According
to file names, they seem to be signed official PDF documents from government.

On 04/28/17 17:16, Christopher Marczewski wrote:


--
Best regards
Vladislav Kurz

Headquarters: Celní 17/5, 63900 Brno, CZ
Web: http://www.webstep.net
E-Mail: podpora@webstep.net
Tel: 840 840 700, +420 548 214 711
Terms and conditions: https://zkrat.to/op
Re: Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
It never appeared on a daily as being dropped, but when I checked on Saturday and again just now, I can't find it:

> $ sigtool --find Pdf.Exploit.CVE_2017_3039-6300177-0
> $

I don't think it is related, but there was an issue with DNS that stopped all updates after 23343 late Saturday until mid morning Monday Pacific Time.

-Al-

On Tue, May 02, 2017 at 12:27 AM, Vladislav Kurz wrote:

-Al-
--
Al Varnell
Mountain View, CA
Re: Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
I see there is a rewrite in daily 23349 that just posted:

> VIRUS NAME: Pdf.Exploit.CVE_2017_3039-6300177-2
> TDB: Engine:81-255,Target:10
> LOGICAL EXPRESSION: 0&1&2=0
> * SUBSIG ID 0
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> /Adobe.PPKLite/Location{WILDCARD_ANY_STRING(LENGTH<=290)}/SubFilter
> * SUBSIG ID 1
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> /Sig
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> +-> TRIGGER: 0&1
> +-> REGEX: \x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig
> +-> CFLAGS: sm

-Al-

On Tue, May 02, 2017 at 12:38 AM, Al Varnell wrote:

-Al-
--
Al Varnell
Mountain View, CA
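As an added illustration (this is not code from the thread, from ClamAV or from Talos), the following Python re-implements the three subsignatures quoted above as regular expressions and evaluates them over a few constructed PDF signature dictionaries. It reads the logical expression `0&1&2=0` as "subsigs 0 and 1 must hit and the PCRE subsig 2, which only runs once its trigger 0&1 fired, must hit zero times"; that reading of ClamAV's expression semantics is an assumption, as are the sample dictionaries, their key order and the `/SubFilter` values in them.

```python
import re

# Subsignature 0 as sigtool decodes it: two fixed strings joined by a wildcard
# gap of at most 290 bytes ({WILDCARD_ANY_STRING(LENGTH<=290)}).
SUBSIG_0 = re.compile(rb"/Adobe\.PPKLite/Location.{0,290}/SubFilter", re.DOTALL)

# Subsignature 1: the literal "/Sig".
SUBSIG_1 = re.compile(rb"/Sig")

# Subsignature 2: the PCRE copied from the REGEX line; CFLAGS "sm" correspond
# to DOTALL and MULTILINE.
SUBSIG_2 = re.compile(
    rb"\x2fSubFilter(.{0,50})\x2fadbe\x2e(.{1,20})\x2fType\s*\x2fSig",
    re.DOTALL | re.MULTILINE,
)


def subsig_counts(data: bytes) -> dict:
    """Count hits per subsignature. Subsig 2 is only evaluated once its
    trigger (0&1) is satisfied, mirroring the TRIGGER line."""
    counts = {0: len(SUBSIG_0.findall(data)), 1: len(SUBSIG_1.findall(data)), 2: 0}
    if counts[0] and counts[1]:
        counts[2] = len(SUBSIG_2.findall(data))
    return counts


def matches_6300177_2(data: bytes) -> bool:
    """Evaluate 0&1&2=0 under the assumed reading: subsigs 0 and 1 present,
    subsig 2 absent. Subsig 2 therefore acts as a negative filter."""
    c = subsig_counts(data)
    return c[0] > 0 and c[1] > 0 and c[2] == 0


def verdict(name: str, data: bytes) -> str:
    """clamscan-style one-line verdict for a buffer."""
    if matches_6300177_2(data):
        return f"{name}: Pdf.Exploit.CVE_2017_3039-6300177-2 FOUND"
    return f"{name}: OK"


# Constructed signature dictionaries (not real documents). Only the /Sig
# dictionary is relevant to these subsignatures, so the rest of the PDF is
# omitted.
SAMPLES = {
    # PKCS#7 signature with keys in the order the PCRE expects.
    "adbe_pkcs7_ordered": b"<</Filter/Adobe.PPKLite/Location(Brno)"
                          b"/SubFilter/adbe.pkcs7.detached/Type/Sig/Contents<00>>>",
    # PAdES signature: /SubFilter is ETSI.CAdES.detached, so "adbe." never occurs.
    "etsi_cades": b"<</Filter/Adobe.PPKLite/Location(Brno)"
                  b"/SubFilter/ETSI.CAdES.detached/Type/Sig/Contents<00>>>",
    # Same PKCS#7 signature, but the writer emitted /Type/Sig before /SubFilter.
    "adbe_type_first": b"<</Type/Sig/Filter/Adobe.PPKLite/Location(Brno)"
                       b"/SubFilter/adbe.pkcs7.detached/Contents<00>>>",
    # Unsigned document: no /Adobe.PPKLite at all.
    "unsigned": b"<</Type/Catalog/Pages 2 0 R>>",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(verdict(name, data), subsig_counts(data))
```

Running it shows why a benign signed document can trip this signature under the assumed reading: the only thing separating a hit from a clean verdict is whether the negative PCRE finds `/SubFilter`, then `/adbe.`, then `/Type /Sig` in that order and within its length limits. A dictionary whose `/SubFilter` is not an `adbe.*` value (the PAdES sample) or whose writer puts `/Type/Sig` before `/SubFilter` never satisfies subsig 2, so the expression evaluates true. The thread does not establish that this is the cause of the reported false positives; the example only shows that the signature's structure admits them.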
Re: Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
Hi,

I'm now getting some other signed pdf matched by
Pdf.Exploit.CVE_2017_3039-6300177-2

As with the Pdf.Exploit.CVE_2017_3039-6300177-0 it only happens using
the daemon and not clamscan.

Regards
Giuseppe

On 02/05/2017 09:46, Al Varnell wrote:
Re: Pdf.Exploit.CVE_2017_3039-6300177-0 only with clamd
I do see a few alerts for Pdf.Exploit.CVE_2017_3039-6300177-2 on
VirusTotal, too.

We'll be dropping the signature again & examining further.

On Tue, May 2, 2017 at 8:24 AM, Giuseppe Ravasio <giuseppe_ravasio@ch.modiano.com> wrote:




--
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski@sourcefire.com
Phone: 443.832.2975