Mailing List Archive

[clamav-users] About PDF files detected as encrypted files
Hi, all

We received the following report from one of our users.
The user is using clamd 0.103 on AIX 7.2.

When clamd with the option "ArchiveBlockEncrypted" ON scans a specific PDF which is locked for editing, it is detected as "Heuristics.Encrypted.PDF FOUND".
The PDF is locked for editing, but not locked for viewing.
The PDF file can be found at the following URL.
https://www.promark-inc.com/dl/temp/214-230137_01_006.pdf

It looks like the same behavior when clamd scans a PDF which is locked for viewing.
The log is as follows:

Fri Sep 29 14:35:33 2023 -> /home/user/214-230137_01_006.pdf:
Heuristics.Encrypted.PDF(52d94f1cc9d57e3b350c4cec85c68387:222005) FOUND

We could reproduce the behavior on our test environment, clamd daemon 1.0.2 (OS: Linux, ARCH: x86_64, CPU: x86_64).

Could you tell us how to fix it to scan that PDF properly?

T.O

_______________________________________________

Manage your clamav-users mailing list subscription / unsubscribe:
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/Cisco-Talos/clamav-documentation

https://docs.clamav.net/#mailing-lists-and-chat
Re: [clamav-users] About PDF files detected as encrypted files
If I read this correctly, 0.102.* isn't supported anymore.
Force an AV update, see https://docs.clamav.net/faq/faq-eol.html


From: Tsutomu Oyamada <oyamada@promark-inc.com>
To: Newcomer01 <newcomer01@posteo.de>
Sent: Tuesday, October 10, 2023 at 12:32 PM +0200
Subject: [clamav-users] About PDF files detected as encrypted files
> Hi, all
>
> We received the following report from one of our users.
> The user is using clamd 0.103 on AIX 7.2.
>
> When clamd with the option "ArchiveBlockEncrypted" ON scans a specific PDF which is locked for editing, it is detected as "Heuristics.Encrypted.PDF FOUND".
> The PDF is locked for editing, but not locked for viewing.
> The PDF file can be found at the following URL.
> https://www.promark-inc.com/dl/temp/214-230137_01_006.pdf
>
> It looks like the same behavior when clamd scans a PDF which is locked for viewing.
> The log is as follows:
>
> Fri Sep 29 14:35:33 2023 -> /home/user/214-230137_01_006.pdf:
> Heuristics.Encrypted.PDF(52d94f1cc9d57e3b350c4cec85c68387:222005) FOUND
>
> We could reproduce the behavior on our test environment, clamd daemon 1.0.2 (OS: Linux, ARCH: x86_64, CPU: x86_64).
>
> Could you tell us how to fix it to scan that PDF properly?
>
> T.O
>

Re: [clamav-users] About PDF files detected as encrypted files
On Tue, 10 Oct 2023, Tsutomu Oyamada wrote:

> Hi, all
>
> We received the following report from one of our users.
> The user is using clamd 0.103 on AIX 7.2.
>
> When clamd with the option "ArchiveBlockEncrypted" ON scans a specific PDF which is locked for editing, it is detected as "Heuristics.Encrypted.PDF FOUND".
> The PDF is locked for editing, but not locked for viewing.
> The PDF file can be found at the following URL.
> https://www.promark-inc.com/dl/temp/214-230137_01_006.pdf
>
> It looks like the same behavior when clamd scans a PDF which is locked for viewing.
> The log is as follows:
>
> Fri Sep 29 14:35:33 2023 -> /home/user/214-230137_01_006.pdf:
> Heuristics.Encrypted.PDF(52d94f1cc9d57e3b350c4cec85c68387:222005) FOUND

With 0.103.9* and that setting in /etc/clamav/clamd.conf I get
WARNING: Using deprecated option "ArchiveBlockEncrypted" to alert on
encrypted archives _and_ documents. Please update your configuration
to use replacement options "AlertEncrypted", or "AlertEncryptedArchive"
and/or "AlertEncryptedDoc".

The command
clamscan --alert-encrypted=yes 214-230137_01_006.pdf
reports:

/tmp/werdna/214-230137_01_006.pdf: Heuristics.Encrypted.PDF FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8674592
Engine version: 0.103.9
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.00 MB
Data read: 0.21 MB (ratio 0.00:1)
Time: 14.174 sec (0 m 14 s)
Start Date: 2023:10:11 08:27:20
End Date: 2023:10:11 08:27:34
----

* I'm still waiting for Ubuntu to upgrade to 0.103.10 or better.

--
Andrew C. Aitchison Kendal, UK
andrew@aitchison.me.uk
Re: [clamav-users] About PDF files detected as encrypted files
On 10.10.2023 13:32, Tsutomu Oyamada wrote:
> Hi, all
>
> We received the following report from one of our users.
> The user is using clamd 0.103 on AIX 7.2.
>
> When clamd with the option "ArchiveBlockEncrypted" ON scans a specific PDF which is locked for editing, it is detected as "Heuristics.Encrypted.PDF FOUND".

https://github.com/Cisco-Talos/clamav/issues/770

$ pdf-parser.py -o 40 214-230137_01_006.pdf

obj 40 0
Type:
Referencing:

<<
/EncryptMetadata true
/P -1852
/U
<<
/StdCF
<<
/Type /CryptFilter
/Length 16
/AuthEvent /DocOpen
/CFM /AESV2
>>
>>
/Length 128
/V 4
/Filter /Standard
>>


> The PDF is locked for editing, but not locked for viewing.
> The PDF file can be found at the following URL.
> https://www.promark-inc.com/dl/temp/214-230137_01_006.pdf
>
> It looks like the same behavior when clamd scans a PDF which is locked for viewing.
> The log is as follows:
>
> Fri Sep 29 14:35:33 2023 -> /home/user/214-230137_01_006.pdf:
> Heuristics.Encrypted.PDF(52d94f1cc9d57e3b350c4cec85c68387:222005) FOUND
>
> We could reproduce the behavior on our test environment, clamd daemon 1.0.2 (OS: Linux, ARCH: x86_64, CPU: x86_64).
>
> Could you tell us how to fix it to scan that PDF properly?
>
> T.O
>

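Maxim's pdf-parser listing above shows why the heuristic fires: the trailer's /Encrypt entry points to a standard security handler dictionary (/Filter /Standard, /V 4, /Length 128, an AESV2 crypt filter), so strings and content streams are encrypted on disk no matter which permissions are granted; "locked for editing" is expressed only by the /P permission bits. The script below is an added example, not part of this thread and not ClamAV's or pdf-parser's code. It pulls the /Encrypt dictionary out of a PDF and decodes /P with the standard security handler's bit layout (ISO 32000-1 §7.6.3.2). It runs on a constructed byte string carrying the values from the thread, with placeholder /O and /U strings and the crypt filter placed under an assumed /CF key (pdf-parser's listing shows it under /U), and it follows only classic "N G obj ... endobj" objects, not cross-reference or object streams.

```python
import re

# Constructed sample, not the file from the thread: the values reported by
# pdf-parser.py wrapped in minimal PDF syntax. /O and /U are placeholders and
# the /CF nesting is an assumption about the real file's layout.
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"40 0 obj\n"
    b"<< /Filter /Standard /EncryptMetadata true /P -1852\n"
    b"   /O (placeholder) /U (placeholder)\n"
    b"   /CF << /StdCF << /Type /CryptFilter /Length 16 /AuthEvent /DocOpen /CFM /AESV2 >> >>\n"
    b"   /StmF /StdCF /StrF /StdCF /Length 128 /V 4 /R 4 >>\n"
    b"endobj\n"
    b"trailer\n"
    b"<< /Root 1 0 R /Encrypt 40 0 R >>\n"
    b"%%EOF\n"
)

# User access permission bits of /P, numbered 1-based as in ISO 32000-1 Table 22.
PERMISSION_BITS = {
    3: "print",
    4: "modify contents",
    5: "copy or extract content",
    6: "add or modify annotations and form fields",
    9: "fill in existing form fields",
    10: "extract content for accessibility",
    11: "assemble document",
    12: "print high quality",
}

# Innermost << ... >> dictionary (no nested dictionary inside it).
_INNER_DICT = re.compile(rb"<<(?:(?!<<|>>).)*>>", re.S)


def decode_permissions(p: int) -> dict:
    """Decode the signed 32-bit /P value into a {permission: allowed} mapping."""
    value = p & 0xFFFFFFFF  # view the signed integer as an unsigned bit field
    return {name: bool(value & (1 << (bit - 1))) for bit, name in PERMISSION_BITS.items()}


def find_encrypt_object(pdf: bytes):
    """Return the body of the object referenced by the trailer's /Encrypt, or None.

    Simplified: follows a direct 'N G R' reference to a classic 'N G obj ... endobj'
    body. Cross-reference streams and compressed object streams are not handled.
    """
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref is None:
        return None
    num, gen = ref.group(1), ref.group(2)
    obj = re.search(rb"(?<![\d.])" + num + rb"\s+" + gen + rb"\s+obj\b(.*?)endobj", pdf, re.S)
    return obj.group(1) if obj else None


def top_level_entries(dict_body: bytes):
    """Strip nested dictionaries so that keys like /Length are read at the top level only."""
    outer = dict_body.strip()
    if not (outer.startswith(b"<<") and outer.endswith(b">>")):
        return None
    inner, prev = outer[2:-2], None
    while prev != inner:  # remove innermost dictionaries until none remain
        prev, inner = inner, _INNER_DICT.sub(b"", inner)
    return inner


def summarize_encryption(pdf: bytes):
    """Summarize the standard security handler settings, or None if the PDF is not encrypted."""
    body = find_encrypt_object(pdf)
    top = top_level_entries(body) if body is not None else None
    if top is None:
        return None

    def name_value(src, key):
        m = re.search(rb"/" + key + rb"\s*/([^\s/<>\[\]()]+)", src)
        return m.group(1).decode() if m else None

    def int_value(src, key):
        m = re.search(rb"/" + key + rb"\s+(-?\d+)", src)
        return int(m.group(1)) if m else None

    p = int_value(top, b"P")
    return {
        "filter": name_value(top, b"Filter"),
        "version": int_value(top, b"V"),
        "revision": int_value(top, b"R"),
        "key_length_bits": int_value(top, b"Length"),
        "crypt_filter_method": name_value(body, b"CFM"),  # lives in the nested /CF dictionary
        "permissions": decode_permissions(p) if p is not None else None,
    }


def explain(summary) -> str:
    """One-line triage verdict for a scan alert like Heuristics.Encrypted.PDF."""
    if summary is None:
        return "no /Encrypt entry: the file is not encrypted"
    perms = summary["permissions"] or {}
    allowed = ", ".join(n for n, ok in perms.items() if ok) or "none"
    denied = ", ".join(n for n, ok in perms.items() if not ok) or "none"
    return (f"{summary['filter']} handler, V={summary['version']}, "
            f"{summary['key_length_bits']}-bit key, CFM={summary['crypt_filter_method']}; "
            f"allowed: {allowed}; denied: {denied}. Streams are encrypted regardless "
            "of permissions, so a scanner without the password cannot inspect them.")


if __name__ == "__main__":
    print(explain(summarize_encryption(SAMPLE_PDF)))
```

Decoding -1852 yields print and high-quality print allowed, with modify, copy, annotate, form filling, accessibility extraction and assembly denied, which is exactly "locked for editing, not for viewing". Whether the user password is empty cannot be read from the dictionary alone; it requires running the handler's key derivation against /U, so a scanner that does not attempt that treats the document as encrypted either way, and that is what the AlertEncrypted family of options is reporting.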
Re: [clamav-users] About PDF files detected as encrypted files
Hi,

Thank you for your reply.
I understood very well.
It was useful to me.

Regards,
T.O

On Wed, 11 Oct 2023 15:40:37 +0300
Maxim Britov via clamav-users <clamav-users@lists.clamav.net> wrote:

> On 10.10.2023 13:32, Tsutomu Oyamada wrote:
> > Hi, all
> >
> > We received the following report from one of our users.
> > The user is using clamd 0.103 on AIX 7.2.
> >
> > When clamd with the option "ArchiveBlockEncrypted" ON scans a specific PDF which is locked for editing, it is detected as "Heuristics.Encrypted.PDF FOUND".
>
> https://github.com/Cisco-Talos/clamav/issues/770
>
> $ pdf-parser.py -o 40 214-230137_01_006.pdf
>
> obj 40 0
> Type:
> Referencing:
>
> <<
> /EncryptMetadata true
> /P -1852
> /U
> <<
> /StdCF
> <<
> /Type /CryptFilter
> /Length 16
> /AuthEvent /DocOpen
> /CFM /AESV2
> >>
> >>
> /Length 128
> /V 4
> /Filter /Standard
> >>
>
>
> > The PDF is locked for editing, but not locked for viewing.
> > The PDF file can be found at the following URL.
> > https://www.promark-inc.com/dl/temp/214-230137_01_006.pdf
> >
> > It looks like the same behavior when clamd scans a PDF which is locked for viewing.
> > The log is as follows:
> >
> > Fri Sep 29 14:35:33 2023 -> /home/user/214-230137_01_006.pdf:
> > Heuristics.Encrypted.PDF(52d94f1cc9d57e3b350c4cec85c68387:222005) FOUND
> >
> > We could reproduce the behavior on our test environment, clamd daemon 1.0.2 (OS: Linux, ARCH: x86_64, CPU: x86_64).
> >
> > Could you tell us how to fix it to scan that PDF properly?
> >
> > T.O
> >
