Mailing List Archive

Pdf.Phishing.CWS4c384287-9890237-0
Can someone explain what the classification "Pdf.Phishing.CWS4c384287-9890237-0" means? I assume it has something to do with a link found in a document. However, we've had several of these lately and I can't see anything wrong with the documents. We're using clamav with OPSWAT Metadefender, integrated into a Web site. Each document that is uploaded is scanned by the platform and clamav is the only engine finding problems with the documents in question. I have already submitted a sample document as a false positive, but have not heard back yet. I was hoping to get more info here as to what "Pdf.Phishing.CWS4c384287-9890237-0" means.

Here are some details for our clamav environment:

VERSION

0.102.4-810

DATABASE VERSION

1631145600

DEFINITION UPDATES

Up to date (up to date)
Re: Pdf.Phishing.CWS4c384287-9890237-0 [ In reply to ]
Dan,

You can use sigtool:

# sigtool --find-sigs Pdf.Phishing.CWS4c384287-9890237-0 | sigtool --decode-sigs

Looks like a cmap definition, so a definition of character sets to Unicode.

Could definitely be a false positive, send samples to
https://www.clamav.net/reports/fp

Sincerely,

Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300



From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of Dan
Jaap via clamav-users
Sent: Friday, September 10, 2021 12:31 PM
To: clamav-users@lists.clamav.net
Cc: Dan Jaap <djaap@flclerks.com>
Subject: [clamav-users] Pdf.Phishing.CWS4c384287-9890237-0
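Eric's sigtool pipeline looks the signature up in the local database and decodes its hex body. As an added example (not from this thread, and not ClamAV's own code), the Python below does the same two things offline: it splits the name into ClamAV's Platform.Category.Name-SignatureID-Revision fields and decodes the hex body of an .ndb-style line into readable text with its wildcards kept. The .ndb line is constructed for illustration; its body is not the real Pdf.Phishing.CWS4c384287-9890237-0 definition, and the rendering is this script's own rather than sigtool's output format.

```python
import re
# ClamAV signature names follow Platform.Category.Name-SignatureID-Revision.
NAME_RE = re.compile(r"^(?P<platform>[^.]+)\.(?P<category>[^.]+)\.(?P<name>.+)-(?P<sigid>\d+)-(?P<revision>\d+)$")
# Subset of ClamAV .ndb target types (0 = any file, 10 = PDF, ...).
TARGET_TYPES = {0: "any file", 1: "PE", 2: "OLE2", 3: "HTML", 4: "Mail", 6: "ELF", 7: "ASCII text", 9: "Mach-O", 10: "PDF"}
# Tokens of an .ndb hex body: ?? (any byte), * (any gap), {n-m} (bounded gap), or one hex byte.
TOKEN_RE = re.compile(r"\?\?|\*|\{\d*-?\d*\}|[0-9a-fA-F]{2}")

def parse_sig_name(sig):
    # Split a signature name into its naming-convention fields.
    m = NAME_RE.match(sig)
    if not m:
        raise ValueError(f"not a ClamAV signature name: {sig!r}")
    fields = m.groupdict()
    fields["sigid"], fields["revision"] = int(fields["sigid"]), int(fields["revision"])
    return fields

def decode_hex_body(body):
    # Render the hex body readably: printable bytes as text, other bytes as \xNN, wildcards kept.
    out, pos = [], 0
    for m in TOKEN_RE.finditer(body):
        if m.start() != pos:  # something that is not a valid token sits between matches
            raise ValueError(f"bad characters at offset {pos}: {body[pos:m.start()]!r}")
        tok = m.group()
        if tok == "??":
            out.append("?")
        elif tok == "*":
            out.append("{*}")
        elif tok.startswith("{"):
            out.append(tok)
        else:
            b = int(tok, 16)
            out.append(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}")
        pos = m.end()
    if pos != len(body):
        raise ValueError(f"trailing characters in hex body: {body[pos:]!r}")
    return "".join(out)

def decode_ndb_line(line):
    # Decode one Name:TargetType:Offset:HexBody[:MinFL[:MaxFL]] line.
    parts = line.strip().split(":")
    if len(parts) < 4:
        raise ValueError("an .ndb line needs at least four colon-separated fields")
    name, target, offset, body = parts[:4]
    return {**parse_sig_name(name), "target": TARGET_TYPES.get(int(target), f"type {target}"),
            "offset": offset, "decoded": decode_hex_body(body)}

# Constructed sample: the cmap-style body is made up and is NOT the real signature from the database.
SAMPLE_NDB = ("Pdf.Phishing.CWS4c384287-9890237-0:10:*:"
              "626567696e636d6170{1-128}2f43494453797374656d496e666f??*656e64636d6170")
```

`decode_ndb_line(SAMPLE_NDB)["decoded"]` renders the constructed body as `begincmap{1-128}/CIDSystemInfo?{*}endcmap`, which is the kind of view that lets you see at a glance whether a detection keys on a URL or on ordinary PDF font boilerplate.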
Re: Pdf.Phishing.CWS4c384287-9890237-0 [ In reply to ]
Hi Dan!

Thank you for bringing this to our attention. From a quick check of some of
the samples alerting with this signature, it does seem like it could be
causing FPs. The signature will be dropped for now.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos

On Fri, Sep 10, 2021 at 12:44 PM <eric-list@truenet.com> wrote:
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>