[clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903
Hi All,

Our system updated today:

May 25 09:24:20 daily.cld updated (version: 25460, sigs: 1581004, f-level:
63, builder: raynman)

(Time is BST - i.e. UTC+1)


After that we saw a large number of viruses found - all detected as
Win.Exploit.CVE_2019_0903-6966169-0

This seems to be including mails without any attachments.

Anyone seen anything similar?

We're running ClamAV 0.101.1 under FreeBSD.

Thanks,

-Karl

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903
On Sat, May 25, 2019 09:09, Karl Pielorz via clamav-users wrote:
>

> Hi All,
>
>
> Our system updated today:
>
>
> May 25 09:24:20 daily.cld updated (version: 25460, sigs: 1581004, f-level:
> 63, builder: raynman)
>
>
> (Time is BST - i.e. UTC+1)
>
>
>
> After that we saw a large number of viruses found - all detected as
> Win.Exploit.CVE_2019_0903-6966169-0

Same here with FreeBSD 11.1 and clamav-0.101.2. Yesterday 0, today several hundred so far.

Thanks for the heads up!

John



Re: [clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903
--On 25 May 2019 at 11:25:46 -0400 Tuffmail Support <support@tuffmail.com>
wrote:

> Same here with FreeBSD 11.1 and clamav-0.101.2. Yesterday 0, today
> several hundred so far.
>
> Thanks for the heads up!

Good to know I'm not the only one - but it'd be really handy to be able to
get freshclam to either keep the last 'n' signatures (i.e. older ones) - or
fetch older ones for the rare times this happens...

Looks like you can run a script after updates, and if they fail - but sadly
not before (i.e. no chance to do a DIY copy before update - in case we need
it back) - well, that I can see.

-Karl

Re: [clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903
Seems like every pdf-file is marked as infected by
Win.Exploit.CVE_2019_0903-6966169-0

I have put it into local.ign2 and restarted my clamd
hmk


Re: [clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903
Appears to be a malformed hex string in 3rd logical expression:

* SUBSIG ID 2
+-> OFFSET: ANY
+-> SIGMOD: NONE
+-> DECODED SUBSIGNATURE:
LibClamAV Error: cli_hex2ui(): Malformed hexstring: 1 (length: 1)
ERROR: Decoding failed (1): <<4#ib4#>0xB1B0AFBA)
ERROR: Decoding failed

-Al-

> On May 25, 2019, at 13:54, Hans Morten Kind via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Seems like every pdf-file is marked as infected by
> Win.Exploit.CVE_2019_0903-6966169-0
>
> I have put it into local.ign2 and restarted my clamd
> hmk
Re: [clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903
Hi

Same here UK clamav with our mailcleaner

Every one of our backup pdfs are being marked with this even though they have been fine for years

Prob a false positive

Regards

Simom


> On 25 May 2019, at 21:54, Hans Morten Kind via clamav-users <clamav-users@lists.clamav.net> wrote:
>
> Seems like every pdf-file is marked as infected by
> Win.Exploit.CVE_2019_0903-6966169-0
>
> I have put it into local.ign2 and restarted my clamd
> hmk

Re: [clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903
We are having the same issue. Heaps of emails getting marked as Win.Exploit.CVE_2019_0903-6966169-0

Hopefully it will be fixed soon

Tim Figgins

Chief Technology Officer

Business Technology Group LTD

p: +64 9 950 2104 | m: +64 21 707 996 | tim@btg.co.nz
Re: [clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903
--On 25 May 2019 at 22:24:32 -0700 Al Varnell via clamav-users
<clamav-users@lists.clamav.net> wrote:

> Appears to be a malformed hex string in 3rd logical expression:
>
> * SUBSIG ID 2
> +-> OFFSET: ANY
> +-> SIGMOD: NONE
> +-> DECODED SUBSIGNATURE:
> LibClamAV Error: cli_hex2ui(): Malformed hexstring: 1 (length: 1)
> ERROR: Decoding failed (1): <<4#ib4#>0xB1B0AFBA)
> ERROR: Decoding failed

Good find - but bit disappointing if it is that - and it didn't get caught
(e.g. by QC etc. - malformed hex should really be caught?) - also, nothing
back from any devs about this? (though realising it was a weekend) - but it
looks like it could potentially affect 'everyone' :(

-Karl

Re: [clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903
I followed your advice as a temporary solution.

echo "Win.Exploit.CVE_2019_0903-6966169-0" >> (Location of clamav
Databases)/sig_whitelist.ign2

you may need to restart the daemon, if you are using it.

clamscan is now ok with pdfs.


On 25.05.19 22:54, Hans Morten Kind via clamav-users wrote:
> Seems like every pdf-file is marked as infected by
> Win.Exploit.CVE_2019_0903-6966169-0
>
> I have put it into local.ign2 and restarted my clamd
> hmk
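Two things the thread asks for are easy to script: Karl's wish to keep the last few signature databases around before freshclam overwrites them (freshclam only offers post-update and on-error hooks, so the copy has to happen in a wrapper that runs before it), and the idempotent version of the `.ign2` whitelist step above (a plain `>>` appends a duplicate line every time it is re-run). The following POSIX sh script is an added example written for this page, not ClamAV project code; it assumes a database directory laid out like FreeBSD's (`daily.cld`, `main.cvd`, ...) and a writable backup directory, and the set of characters it allows in a signature name is a conservative choice of mine.

```shell
#!/bin/sh
# Added example (not ClamAV project code): snapshot the signature databases
# before an update, keep only the last N snapshots, and add a signature name
# to a .ign2 ignore file without creating duplicate entries.
# Assumptions: DBDIR contains *.cvd/*.cld, BACKUPDIR is writable by the
# user running freshclam, and /bin/sh is POSIX (FreeBSD or Linux).

# Copy every *.cvd/*.cld in DBDIR into BACKUPDIR/<UTC timestamp>[.n],
# then prune so that at most KEEP snapshots remain. Prints the snapshot path.
snapshot_clam_dbs() {
    dbdir=$1; backupdir=$2; keep=${3:-3}
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest=$backupdir/$stamp
    n=0
    # Several snapshots within one second get a numeric suffix so that
    # plain reverse lexicographic order still means "newest first".
    while [ -e "$dest" ]; do n=$((n + 1)); dest=$backupdir/$stamp.$n; done
    mkdir -p "$dest"
    for f in "$dbdir"/*.cvd "$dbdir"/*.cld; do
        [ -f "$f" ] && cp "$f" "$dest/"
    done
    # Drop everything after the KEEP newest snapshots.
    ls -1d "$backupdir"/*/ | LC_ALL=C sort -r | tail -n "+$((keep + 1))" \
        | while IFS= read -r old; do rm -rf "$old"; done
    printf '%s\n' "$dest"
    return 0
}

# Number of snapshot directories currently kept under BACKUPDIR.
count_snapshots() {
    n=0
    for d in "$1"/*/; do [ -d "$d" ] && n=$((n + 1)); done
    echo "$n"
}

# Append SIGNAME to DBDIR/FILE (default local.ign2) unless it is already
# listed. ClamAV reads one signature name per line from every *.ign2 file in
# the database directory; clamd must reload (the thread restarts it) to pick
# the change up. Names outside a conservative character set are refused so a
# typo or a stray shell glob cannot silently whitelist the wrong thing.
add_ign2() {
    dbdir=$1; signame=$2; file=${3:-local.ign2}
    case $signame in
        ''|*[!A-Za-z0-9._-]*)
            echo "refusing malformed signature name: '$signame'" >&2
            return 1 ;;
    esac
    target=$dbdir/$file
    touch "$target"
    if grep -qxF -- "$signame" "$target"; then
        return 0                       # already whitelisted, nothing to do
    fi
    printf '%s\n' "$signame" >> "$target"
}

# Snapshot first, then run the update command given as the remaining
# arguments, e.g.: safe_update /var/db/clamav /var/backups/clamav 3 freshclam
safe_update() {
    dbdir=$1; backupdir=$2; keep=$3; shift 3
    snapshot_clam_dbs "$dbdir" "$backupdir" "$keep" >/dev/null
    "$@"
}
```

Pointing the freshclam cron entry at `safe_update` instead of `freshclam` gives you the "last n copies" Karl asked for; rolling back is then a matter of copying the saved `daily.cld` over the live one and restarting clamd. Note that freshclam will fetch the newer database again on its next run, so a rollback only holds together with the `.ign2` entry, and that entry silently disables the detection for good: once a corrected daily.cld arrives (25461/25462 in this thread), remove the line again.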
Re: [clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903
On Mon, May 27, 2019 00:21, Tim Figgins wrote:
> We are having the same issue. Heaps of emails getting marked as Win.Exploit.CVE_2019_0903-6966169-0
>
>
> Hopefully it will be fixed soon

Daily.cld version: 25461 and up does not have the problem.

John

Re: [clamav-users] Possible problem with daily.cld 25460 / CVE-2019-0903
I can confirm the "Win.Exploit.CVE_2019_0903-6966169-0" false positive is
fixed in 25462.

regards Sébastien

On 27.05.19 15:18, Support wrote:
> On Mon, May 27, 2019 00:21, Tim Figgins wrote:
>> We are having the same issue. Heaps of emails getting marked as Win.Exploit.CVE_2019_0903-6966169-0
>>
>>
>> Hopefully it will be fixed soon
> Daily.cld version: 25461 and up does not have the problem.
>
> John