Mailing List Archive

[clamav-users] State of false-positive message evaluation for Img.Exploit.CVE_2017_3049-6268090-0
Hi, thank you for your great service to internet security!

A false negative report has been issued this week for
Img.Exploit.CVE_2017_3049-6268090-0, see also the virus total report
under [1].

The issue has to be handled under the General Data Protection Regulation
(GDPR). Therefore I would politely like to ask for the evaluation state
of that false negative report.

Thanks in advance for your kind response.

[1]
https://www.virustotal.com/gui/file/7563a2b175d3c48069960e0290ac08e3f379cd74307e44c995df52d5dc6fc002/detection

--


P.S. Subscribe to our newsletter on current topics in standardization and
IT solutions for your industry!
https://www.itek.de/aktuelles/newsletter

-----


ITEK Technologie GmbH
Technologiepark 14
33100 Paderborn

Tel. +49 5251 / 16140
Fax +49 5251 / 161499
www.itek.de
mailto: Andreas Rulle@itek.de

Managing Director: Prof. Dr. Uwe Kern
Register court / number: Paderborn / HRB 13522
Re: [clamav-users] State of false-positive message evaluation for Img.Exploit.CVE_2017_3049-6268090-0
Prof Rulle,

I believe you mean a false positive, don't you? A false negative would be a failure to report, but clearly ClamAV does detect this.

The proper way to report this would be to file a False Positive Report here: <https://www.clamav.net/reports/fp>. If you can also provide a hash value of the file in question back here, that might speed up the process. Simply verifying one of these hash values from the VirusTotal report will work:

MD5: 04267b6af9a1bad85d5cd6aecb1e4d28
SHA-1: cf7d73066f921fc7101c06aebc5e090cebffd2b2
SHA-256: 7563a2b175d3c48069960e0290ac08e3f379cd74307e44c995df52d5dc6fc002



-Al-
ClamXAV User

On May 6, 2021, at 23:46, Andreas Rulle <andreas.rulle@itek.de> wrote:
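Al's advice above is to confirm that the file on disk is the same sample the VirusTotal report describes by comparing digests. The following Python is an added example, not code from the thread or from ClamAV: it hashes a file once with all three algorithms in chunks and reports which of the listed digests match. The three hash values are the ones quoted in the reply; the script name, the command-line usage and the helper names are assumptions.

```python
import hashlib
import io
import sys

# Digests listed in the VirusTotal report quoted in this thread (values from the page).
VT_REPORTED = {
    "md5": "04267b6af9a1bad85d5cd6aecb1e4d28",
    "sha1": "cf7d73066f921fc7101c06aebc5e090cebffd2b2",
    "sha256": "7563a2b175d3c48069960e0290ac08e3f379cd74307e44c995df52d5dc6fc002",
}

ALGORITHMS = ("md5", "sha1", "sha256")


def digests_of_stream(stream, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a binary stream in a single pass.

    The stream is read in chunks so a large sample never has to sit in memory
    whole; all three hashers are fed from the same chunk.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digests_of_bytes(data, chunk_size=1 << 20):
    """Convenience wrapper for in-memory data (used by the constructed test input)."""
    return digests_of_stream(io.BytesIO(data), chunk_size)


def digests_of_file(path):
    with open(path, "rb") as f:
        return digests_of_stream(f)


def matching_algorithms(digests, reported):
    """Return the algorithms whose local digest equals the reported one.

    Hex case is normalised and whitespace stripped, because report pages and
    copy-pasted mails mix upper/lower case and pick up stray spaces. An empty
    list means the local file is not the sample the report describes.
    """
    return [
        name
        for name in ALGORITHMS
        if name in reported
        and digests[name].lower() == reported[name].strip().lower()
    ]


def is_reported_sample(path, reported=VT_REPORTED):
    """True if the file at 'path' is the sample the report refers to."""
    return bool(matching_algorithms(digests_of_file(path), reported))


if __name__ == "__main__":
    # Usage (path is an assumption): python check_hashes.py /path/to/suspect-file
    for path in sys.argv[1:]:
        local = digests_of_file(path)
        hits = matching_algorithms(local, VT_REPORTED)
        for name in ALGORITHMS:
            print(f"{name:7s} {local[name]}")
        print(("matches reported sample on " + ", ".join(hits)) if hits
              else "does not match reported sample")
```

Matching on any one of the three digests is enough to identify the sample for a false-positive report; the SHA-256 is the one to quote, since it is the identifier the VirusTotal URL in the thread is keyed on.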
Re: [clamav-users] State of false-positive message evaluation for Img.Exploit.CVE_2017_3049-6268090-0
One additional note. That signature has been in the ClamAV.ldb database since 19 Apr 2017 back when first defined, making it relatively unlikely to be a false positive at this point in time.

Also note from the CVE-2017-3049 detail <https://nvd.nist.gov/vuln/detail/CVE-2017-3049> that it was at the time considered to be a High threat to Adobe Acrobat Reader versions back then. I'm certain that Adobe has eliminated the threat by now in modern versions, but that doesn't render any exploit as a false positive since it could still be used to target users who still need to run those older applications for economic or other reasons.

-Al-



On May 7, 2021, at 00:59, Al Varnell <alvarnell@mac.com> wrote:
Re: [clamav-users] State of false-positive message evaluation for Img.Exploit.CVE_2017_3049-6268090-0
Andreas is probably correct. This signature does appear to be problematic. Detections only recently started to appear because of changes in 0.103.1 to properly handle TIFF files.
The signature wasn’t working in prior clamav versions because TIFF file type detection was missing from the daily database. We only discovered the file type detection signatures for TIFF were missing when fixing up the TIFF format verification module. And we didn’t know it was missing at the time the signature was published.

Anyhow, we dropped this signature about an hour ago. It should disappear in the next daily database version. Thanks for the FP report Andreas.

-Micah

From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of Al Varnell via clamav-users
Sent: Friday, May 7, 2021 4:04 AM
To: ClamAV users ML <clamav-users@lists.clamav.net>
Cc: Al Varnell <alvarnell@mac.com>
Subject: Re: [clamav-users] State of false-positive message evaluation for Img.Exploit.CVE_2017_3049-6268090-0

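The mechanism Micah describes, as a simplified model added here for illustration (this is not ClamAV code and does not reproduce the real .ldb format or its target-type numbering): a signature restricted to a file type is only evaluated once the engine has identified the file as that type, so adding TIFF file-type detection to the database can make a signature that has existed since 2017 fire for the first time. The magic bytes, the "Graphics" label, the sample TIFF header and the signature pattern below are all constructed for the example.

```python
# Simplified model of a type-gated signature scan. Added illustration only;
# the type labels, magic bytes, sample and signature are constructed.

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # little- and big-endian TIFF headers


def detect_type(data, tiff_enabled=True):
    """Classify a buffer by its leading magic bytes.

    'tiff_enabled' models whether the database carries TIFF file-type
    signatures: with it off, a TIFF is reported as 'Unknown', the state
    Micah describes for releases before 0.103.1.
    """
    if tiff_enabled and data[:4] in TIFF_MAGICS:
        return "Graphics"
    if data[:4] == b"%PDF":
        return "PDF"
    if data[:2] == b"MZ":
        return "PE"
    return "Unknown"


class Signature:
    """A content signature restricted to one file type ('Any' lifts the restriction)."""

    def __init__(self, name, target, pattern):
        self.name = name
        self.target = target
        self.pattern = pattern

    def applies_to(self, ftype):
        return self.target == "Any" or self.target == ftype


def scan(data, signatures, tiff_enabled=True):
    """Return the names of signatures that fire on 'data'.

    A signature is only evaluated when the detected type matches its target;
    a pattern that is present in the bytes stays silent otherwise.
    """
    ftype = detect_type(data, tiff_enabled)
    return [s.name for s in signatures if s.applies_to(ftype) and s.pattern in data]


# Constructed sample: a TIFF header followed by an arbitrary, harmless marker string.
SAMPLE_TIFF = b"II*\x00" + b"\x08\x00\x00\x00" + b"CONSTRUCTED-MARKER"
# Constructed signature that keys on that marker and only targets graphics files.
GRAPHICS_SIG = Signature("Example.Constructed.Sig", "Graphics", b"CONSTRUCTED-MARKER")


def before_and_after(data=SAMPLE_TIFF, signatures=(GRAPHICS_SIG,)):
    """Scan the same bytes with and without TIFF type detection."""
    return {
        "without_tiff_detection": scan(data, signatures, tiff_enabled=False),
        "with_tiff_detection": scan(data, signatures, tiff_enabled=True),
    }


if __name__ == "__main__":
    for state, hits in before_and_after().items():
        print(f"{state}: {hits or 'no detection'}")
```

The practical consequence for triage is the one Micah draws: the age of a signature says nothing about how often it has actually been evaluated, so a sudden detection on a file that was unchanged and clean for months is a reason to check what changed in the engine or database, not evidence that the file changed.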
Re: [clamav-users] State of false-positive message evaluation for Img.Exploit.CVE_2017_3049-6268090-0
Hello Al, thank you for your quick and profound reply.

Yes, of course as the subject indicates a false positive report has been
issued on the clamav.net website. And a screenshot of the
clamav.net/reports/success page with the message "Report Submitted /
Thank you for your submission. Your submission has been sent to the
detection team for further review" has been documented internally.

Yes, of course,  CVE_2017_3049 was/is serious. And the detection message
has our attention.

i)    Well, stat says that the file was last modified in November 2020
on the system. Since then Clamav has scanned the file without a
detection message once a week.

ii)   At 2021-05-07 07:45:18 UTC this week the other 57 anti virus
software programs have reported "Undetected" in the quoted virustotal
report.

iii)  But this week clamav has reported the detection on this file,
on our system and on virustotal.

Any help from you to clarify this issue is highly appreciated. If you
need further information please do not hesitate to ask for them. With
kind regards, Andreas





--
Re: [clamav-users] State of false-positive message evaluation for Img.Exploit.CVE_2017_3049-6268090-0
Hello Micah, thank you for your clarification before the weekend! With
best regards, Andreas