
ClamAV false positive

2019-05-25 by: David White
From: David White 
------------------------------------------------------
Is anyone else having any issues with ClamAV false positives, identifying
some PDF documents as infected with: Win.Exploit.CVE_2019_0903-6966169-0 ?

Looks like I'm not the only one:
https://bbs.archlinux.org/viewtopic.php?id=246646

I generated an invoice in QuickBooks, and tried to email it out, and my
server blocked it. I manually ran a scan to make sure:

[root@mail dwhite]# clamscan Invoice-5-25-2019.pdf
Invoice-5-25-2019.pdf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 6138219
Engine version: 0.101.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.05 MB
Data read: 0.09 MB (ratio 0.52:1)
Time: 28.143 sec (0 m 28 s)

So then I copied it over to my Ubuntu laptop, and ran a scan on there, and
it came back clean:

david@developcents-laptop:~/Desktop$ sudo clamscan Invoice-5-25-2019.pdf
[sudo] password for david:
Invoice-5-25-2019.pdf: OK

----------- SCAN SUMMARY -----------
Known viruses: 6138218
Engine version: 0.100.3
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.32 MB
Data read: 0.09 MB (ratio 3.57:1)
Time: 31.697 sec (0 m 31 s)

This is very weird...

-- 
David White