ClamAV false positive
2019-05-25 by: David White
From: David White
------------------------------------------------------
Is anyone else having any issues with ClamAV false positives, identifying some PDF documents as infected with:

Win.Exploit.CVE_2019_0903-6966169-0

Looks like I'm not the only one:
https://bbs.archlinux.org/viewtopic.php?id=246646

I generated an invoice in Quickbooks, and tried to email it out, and my server blocked it. I manually ran a scan to make sure:

[root@mail dwhite]# clamscan Invoice-5-25-2019.pdf
Invoice-5-25-2019.pdf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6138219
Engine version: 0.101.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.05 MB
Data read: 0.09 MB (ratio 0.52:1)
Time: 28.143 sec (0 m 28 s)

So then I copied it over to my Ubuntu laptop, and ran a scan on there, and it came back clean:

david@developcents-laptop:~/Desktop$ sudo clamscan Invoice-5-25-2019.pdf
[sudo] password for david:
Invoice-5-25-2019.pdf: OK

----------- SCAN SUMMARY -----------
Known viruses: 6138218
Engine version: 0.100.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.32 MB
Data read: 0.09 MB (ratio 3.57:1)
Time: 31.697 sec (0 m 31 s)

This is very weird...

--
David White