Cisco-Talos / clamav

ClamAV - Documentation is here: https://docs.clamav.net
https://www.clamav.net/
GNU General Public License v2.0

ClamAV virus scan - issues found with Adobe Reader MUI #1180

Closed kasyap139 closed 9 months ago

kasyap139 commented 9 months ago

Recently, when I was evaluating some antivirus software, I noticed that the ClamAV antivirus scan raised issues with the below files (Scan log attached). I am unsure if this is valid. Can anyone let me know if this is a false positive result?
Adobe Reader update: AcroRdrDCUpd2300820533_MUI

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll

  1. Install Adobe Reader, then install the update AcroRdrDCUpd2300820533_MUI (Feb 2024 update).
  2. Download ClamAV, running on a Windows 10 PC.
  3. Download the latest virus definitions from http://database.clamav.net
  4. Create a folder named "database" in the root folder of the scanner and place the virus definitions there.
  5. Run: command clamscan --infected --recursive --exclude-dir="C:\Windows" C:\
  6. The scan logs are attached: ScanResult_C_NewAdobe.txt, ScanResult_C.txt

Command to run scan:

command clamscan --infected --recursive --exclude-dir="C:\Windows" C:\

Info from VirusTotal for these files:

https://www.virustotal.com/gui/file/61e5d9aa95d6a7f4db450417f8d606d5d1084c133da15171490b17926884fbb1
https://www.virustotal.com/gui/file/e50cbff4bca4301e44c173ac15d468a0246f00f845053c23ac263f99c628e7dc
https://www.virustotal.com/gui/file/751EAEB4DB5D3A76E3FB7775F3A2430514FFEC41AD5ED25147398959F3FAAEDB
https://www.virustotal.com/gui/file/837063AA34E5AA464126CCB86409E9F912AD153B0281E4172968463A5C536AC6
https://www.virustotal.com/gui/file/921E4FA5E09ED01E71EC0F4F4A309EC851F77932CCA1ED7F7C8D3741B52A668A

micahsnyder commented 9 months ago

Hi @kasyap139. It seems likely these are false positives because ClamAV is the only hit. The "Google" matches seem to be a result of them using ClamAV in their scanner.

Can you please submit these to our false positive reporting portal? Automated processes managed by our threat research team should triage and resolve the false positives.

https://www.clamav.net/reports/fp

Since this ticket queue is for bug reporting in the ClamAV software and not for signature detection issues, I'll close this ticket.
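The triage the two comments above walk through by hand (pull the FOUND lines out of a `clamscan --infected` log, hash each flagged file, look the hash up on VirusTotal, and decide whether to report it as a false positive) is mechanical enough to script. The following is an added example, not code from the issue or from the ClamAV project. It assumes the detection-line layout `path: SignatureName FOUND` that clamscan prints, a constructed sample log that imitates the attached scan results (signature name `Win.Example.Sig-1` is made up), and stand-in files written to a temp directory so it runs off the scanned host. The `.ign2` line (one signature name per line) and the `.sfp` line (`sha256:size:name`, my reading of the hash allow-list format in the ClamAV signature docs; confirm against docs.clamav.net for your version) are local stopgaps you can drop into the `database` directory while the report filed at https://www.clamav.net/reports/fp is processed; they do not replace that report.

```python
"""Triage helper for `clamscan --infected` output (added example, not ClamAV code)."""
import hashlib
import os
import re
import tempfile

# One detection line as printed by `clamscan --infected`. Real lines end in
# " <signature> FOUND", so anchor on that suffix and treat everything before the
# last ": " as the path (Windows paths contain "C:\" but not ": ").
DETECTION_RE = re.compile(r"^(?P<path>.*): (?P<sig>\S+) FOUND$")

# Constructed sample log, modelled on the layout of the attached scan results.
SAMPLE_LOG = r"""
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe: Win.Example.Sig-1 FOUND
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll: Win.Example.Sig-1 FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8000000
Infected files: 2
"""


def parse_infected(log_text):
    """Return (path, signature) pairs for every FOUND line; summary lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = DETECTION_RE.match(line.rstrip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def hash_bytes(data):
    """SHA-256 hex digest and size of an in-memory blob (used for small test inputs)."""
    return hashlib.sha256(data).hexdigest(), len(data)


def hash_file(path):
    """SHA-256 hex digest and size of a file, streamed so large binaries are fine."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def triage_record(path, sig, sha256, size):
    """Everything needed to check one hit on VirusTotal or mute it locally."""
    return {
        "path": path,
        "signature": sig,
        "sha256": sha256,
        # Same URL shape the reporter pasted into the issue.
        "virustotal": "https://www.virustotal.com/gui/file/" + sha256,
        # local.ign2: one signature name per line, ignores that signature entirely.
        "ign2_line": sig,
        # local.sfp: hash:size:name, allow-lists only this exact file (assumed format).
        "sfp_line": f"{sha256}:{size}:{sig}",
    }


def triage(log_text, resolve_path):
    """resolve_path maps a logged path to a readable local file (identity on the scanned host)."""
    records = []
    for path, sig in parse_infected(log_text):
        sha256, size = hash_file(resolve_path(path))
        records.append(triage_record(path, sig, sha256, size))
    return records


def demo():
    """Run the triage over SAMPLE_LOG using constructed stand-in files."""
    with tempfile.TemporaryDirectory() as tmp:
        stand_ins = {}
        for path, _ in parse_infected(SAMPLE_LOG):
            name = os.path.basename(path.replace("\\", "/"))
            local = os.path.join(tmp, name)
            with open(local, "wb") as f:
                f.write(b"MZ placeholder for " + name.encode())  # constructed content
            stand_ins[path] = local
        return triage(SAMPLE_LOG, stand_ins.__getitem__)


if __name__ == "__main__":
    for rec in demo():
        print(rec["path"])
        print("  sig:", rec["signature"])
        print("  vt: ", rec["virustotal"])
        print("  sfp:", rec["sfp_line"])
```

On the real host, call `triage(open("ScanResult_C.txt").read(), lambda p: p)` so the logged paths are hashed in place, and compare the printed hashes against the VirusTotal links before deciding anything is a false positive: a single-engine hit with a valid vendor code signature is the usual profile, but the hash comparison is what proves the flagged file is the one you looked up.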