denmalOLA
Joined: 21 Nov 2016
Posts: 0
Posted: Mon Nov 21, 2016 3:56 pm

Since 11/21/2016, some of the PDFs on my server are now being flagged as infected with the Pdf.Exploit.CVE_2016_1091. When I scan them with Sophos, nothing comes up.
This server does not have Acrobat installed. I've tried re-saving one of the PDFs in the most current Acrobat, but it is still being flagged as infected.
From what I've been reading, this is an issue with Acrobat, not the PDFs.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Nov 21, 2016 4:02 pm

Upload the file to VirusTotal, where it will be scanned by 50+ AVs, including the ClamAV engine that runs ClamWin. It is likely to be a false positive, but there are a couple of new PDF viruses around just now.
If it turns out to be a false positive, VirusTotal will notify ClamAV so they can fix their virus signature, but it might speed things along if you also upload it to ClamAV via their Contact page.
Regards,

denmalOLA
Joined: 21 Nov 2016
Posts: 0
Posted: Mon Nov 21, 2016 4:34 pm

I had already posted it on VirusTotal and it came out clean. I have over 32 PDFs that ClamAV said were infected. Why are PDFs being flagged as infected when it's an Acrobat issue?
These files have time stamps from the last 2 years.

denmalOLA
Joined: 21 Nov 2016
Posts: 0
Posted: Mon Nov 21, 2016 4:37 pm

These 'infected' PDFs were created from 2014 to present. I also tried re-saving the most current PDF using the most current Acrobat, and ClamAV still flagged it.

GuitarBob
Joined: 09 Jul 2006
Posts: 9
Location: USA
Posted: Mon Nov 21, 2016 7:50 pm

No doubt there is a recent ClamAV virus signature that triggers on the PDF file(s). As I said, you might speed up a corrected ClamAV signature if you upload a sample of the file(s) that are detected in error. It looks to me like they may have a new sigmaker. It may take Clam several days before they correct it. All signatures were corrected manually when I worked for Clam as a sigmaker, and I don't think it has changed.
In the meantime, you can whitelist the file(s) that are triggered in error--or you may want to exclude the PDF extension in some folders.
Regards,
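
The per-file whitelisting suggested in the reply above, as an added example that is not part of the original thread: it builds entries in ClamAV's `.fp` false-positive database format (`MD5:FileSize:Comment`, the same line format `sigtool --md5` prints). The helper names `fp_entry` and `build_fp_database`, the file names and the sample bytes are constructed for illustration, and saving the output as `local.fp` in the scanner's database directory is an assumption about the deployment.

```python
import hashlib
import os
import tempfile

def fp_entry(path):
    """Return (md5, size, line) for one file; line is 'MD5:FileSize:Comment'."""
    digest, size = hashlib.md5(), 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
            size += len(chunk)
    # Colons separate the fields, so keep them out of the comment field.
    comment = os.path.basename(path).replace(":", "_")
    return digest.hexdigest(), size, f"{digest.hexdigest()}:{size}:{comment}"

def build_fp_database(paths):
    """One entry per distinct file content; byte-identical copies collapse."""
    entries = {}
    for path in sorted(paths):
        md5, size, line = fp_entry(path)
        entries.setdefault((md5, size), line)
    return "\n".join(entries.values()) + "\n"

def demo():
    # Constructed stand-ins for flagged PDFs (not real samples from the thread).
    samples = {
        "invoice-2014.pdf": b"%PDF-1.4\n% constructed sample A\n%%EOF\n",
        "invoice-copy.pdf": b"%PDF-1.4\n% constructed sample A\n%%EOF\n",
        "invoice-resaved.pdf": b"%PDF-1.7\n% constructed sample A, re-saved\n%%EOF\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, data in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)
        return build_fp_database(paths)

if __name__ == "__main__":
    # Assumed deployment: save this output as local.fp in the ClamAV database directory.
    print(demo(), end="")
```

A hash entry matches exact bytes only, so the re-saved copy needs its own line while the byte-identical copy does not. That keeps the exception narrower than excluding the PDF extension for a whole folder, since any PDF not listed is still scanned against the signature.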

denmalOLA
Joined: 21 Nov 2016
Posts: 0
Posted: Tue Nov 22, 2016 2:35 pm

Thanks so much for your help.

Lopata
Guest
Posted: Wed Nov 30, 2016 9:39 am

Removing the threat: Users of Enfocus PitStop Professional and Enfocus PitStop Server can remove all embedded files from a PDF document by running an Action List.
Alternatively, users of Enfocus PitStop Professional, Enfocus PitStop Server and Enfocus Certify PDF can remove embedded files during preflight. To do this, they must preflight using a Preflight Profile that has the check for annotations (the last check on the "Varia" tab) set to "Remove" or "Remove and Log". Be aware that doing this will remove all annotations from your PDF documents, not just embedded file annotations.