CVE-2016-1091 PDF's showing as being infected
denmalOLA


Joined: 21 Nov 2016
Posts: 4
Since 11/21/2016, some of the PDFs on my server are now being flagged as infected with the Pdf.Exploit.CVE_2016_1091. When I scan them with Sophos nothing comes up.
This server does not have Acrobat installed. I've tried re-saving one of the PDFs in the most current Acrobat but it is still being flagged as infected.

From what I've been reading this is an issue with Acrobat, not the PDFs.
GuitarBob


Joined: 09 Jul 2006
Posts: 4192
Location: USA
Upload the file to Virus Total where it will be scanned by 50+ AVs, including the Clam AV engine that runs ClamWin. It is likely to be a false positive, but there are a couple of new PDF viruses around just now.

If it turns out to be a false positive, Virus Total will notify Clam AV so they can fix their virus signature, but it might speed things along if you also upload it to Clam AV via their Contact page.

Regards,
denmalOLA


Joined: 21 Nov 2016
Posts: 4
I had already posted it on Virus Total and it came out clean. I have over 32 PDFs that ClamAV said were infected. Why are PDFs being flagged for being infected when it's an Acrobat issue?
These files have time stamps from the last 2 years.
denmalOLA


Joined: 21 Nov 2016
Posts: 4
These 'infected' PDFs were created from 2014 to present. I also tried re-saving the most current PDF using the most current Acrobat and ClamAV still flagged it.
GuitarBob


Joined: 09 Jul 2006
Posts: 4192
Location: USA
No doubt there is a recent Clam AV virus signature that triggers on the PDF file(s). As I said, you might speed up a corrected Clam AV signature if you upload a sample of the file(s) that are detected in error. It looks to me like they may have a new sigmaker. It may take Clam several days before they correct it. All signatures were corrected manually when I worked for Clam as a sigmaker, and I don't think it has changed.

In the meantime, you can whitelist the file(s) that are triggered in error--or you may want to exclude the PDF extension in some folders.

Regards,
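One way to do the per-file whitelisting suggested above without excluding the whole PDF extension, as an added example that is not part of the thread or of ClamWin itself: it writes ClamAV hash-signature lines (`hash:size:name`) for an allowlist database with the `.sfp` extension. It assumes an engine version that reads SHA-256 `.sfp` files; the script name, the `local.sfp` file name and the `FP.` name prefix are hypothetical.

```python
import hashlib
import re
import sys
from pathlib import Path

# Constructed sample input, used only when no file paths are given.
SAMPLE = b"%PDF-1.4\n% constructed sample, not a real document\n%%EOF\n"


def allowlist_entry(data: bytes, label: str) -> str:
    """Return one ClamAV hash-signature line: sha256:size:name."""
    # Conservative check: only content that starts with a PDF header is accepted.
    if not data.startswith(b"%PDF-"):
        raise ValueError(f"{label}: no PDF header, refusing to allowlist")
    # The name field must not contain ':' or whitespace.
    name = re.sub(r"[^A-Za-z0-9._-]", "_", label)
    return f"{hashlib.sha256(data).hexdigest()}:{len(data)}:FP.{name}"


def build_allowlist(paths) -> str:
    """Build .sfp content for files already confirmed clean, one line per unique hash."""
    seen, lines = set(), []
    for p in map(Path, paths):
        entry = allowlist_entry(p.read_bytes(), p.name)
        digest = entry.split(":", 1)[0]
        if digest not in seen:  # identical copies need only one entry
            seen.add(digest)
            lines.append(entry)
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    # Usage (hypothetical script name): python make_sfp.py a.pdf b.pdf > local.sfp
    if len(sys.argv) > 1:
        sys.stdout.write(build_allowlist(sys.argv[1:]))
    else:
        print(allowlist_entry(SAMPLE, "constructed sample.pdf"))
```

Each entry matches one exact byte sequence, so a PDF that is re-saved or modified gets a new hash and is scanned normally again. The entries can be deleted once the corrected signature is published.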
denmalOLA


Joined: 21 Nov 2016
Posts: 4
Thanks so much for your help.
PDF's showing as being infected
Lopata
Guest

Removing the threat: Users of Enfocus PitStop Professional and Enfocus PitStop Server can remove all embedded files from a PDF document by running an Action List.

Alternatively, users of Enfocus PitStop Professional, Enfocus PitStop Server and Enfocus Certify PDF can remove embedded files during preflight. To do this, they must preflight using a Preflight Profile that has the check for annotations (the last check on the "Varia" tab) set to "Remove" or "Remove and Log". Be aware that doing this will remove all annotations from your PDF documents, not just embedded file annotations.