Mailing List Archive

[clamav-users] Slow PDF scanning
Hi ClamAV team and users,

I wanted to give a follow-up on investigation results pertaining to a known problem with slow PDF scanning. This problem was first caught in our system by my coworker in this thread https://lists.clamav.net/pipermail/clamav-users/2021-November/012053.html, and I believe the same problem is documented in another thread here: https://github.com/Cisco-Talos/clamav/issues/590.

I've been playing around with bytecode signatures, and I found 2 official ClamAV signatures that seem to slow down PDF scanning. They are:

1. BC.Img.Exploit.CVE_2017_3124-6335443-1
2. BC.Img.Exploit.CVE_2017_3124-6335540-2

I tested this with several PDF files that timed out in previous runs. Here are the run results from before:


/ # clamdscan /tmp/slowScan.pdf
/tmp/slowScan.pdf: Heuristics.Limits.Exceeded.MaxScanTime FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 120.035 sec (2 m 0 s)
Start Date: 2024:02:06 23:07:21
End Date: 2024:02:06 23:09:21

And after:

/var/lib/clamav # clamdscan /tmp/slowScan.pdf
/tmp/slowScan.pdf: Heuristics.Limits.Exceeded.MaxScanSize FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 95.610 sec (1 m 35 s)
Start Date: 2024:02:06 22:58:43
End Date: 2024:02:06 23:00:18


Thought this might be helpful for investigations. BTW, do we have an update on whether this issue with slow PDF scanning will be fixed soon?

Best regards,
Eric



