Hi everyone, using the programmed scan of ClamAV, from today the system has detected several files infected with Win.Exploit.CVE_2019_0903-6966169-0 FOUND in .pdf files and even in a server system font file: rsfs10.ttf: Win.Exploit.CVE_2019_0903-6966169-0 FOUND
False positive?
Thank you
Installed Packages
Name : nethserver-clamscan
Arch : noarch
Version : 0.1.2
Release : 3.ns7.sdl
Size : 69 k
Repo : installed
From repo : stephdl
ClamAV update process started at Sun May 26 19:40:50 2019
main.cvd is up to date (version: 58, sigs: 4566249, f-level: 60, builder: sigmgr)
daily.cvd is up to date (version: 25461, sigs: 1581583, f-level: 63, builder: raynman)
bytecode.cvd is up to date (version: 328, sigs: 94, f-level: 63, builder: neo)
I had the same error today. Clam found 100s of files with: Win.Exploit.CVE_2019_0903-6966169-0, mainly in .ttf, .pdf, .png, …/Sent/…, .eot. Most of them in .pdf.
In WordPress, Links Checker was complaining and reported a few links not working. I checked around and the files were not in the folder they used to be in.
In Thunderbird, I add a new account: root@myFQDN and in the last 2 reports from Clam, both from 03h47.
Subject: Clam Antivirus Scan Results - Sun May 26 01:50:01 2019
Lots of viruses and files moved to quarantine.
Nethserver 7.6.1810
We are seeing the same issue. Emails with attachments are being blocked; ones without are OK. Addresses that are whitelisted are not affected.
clamd[6379]: instream(local): Win.Exploit.CVE_2019_0903-6966169-0 FOUND
5.7.1 clamav: virus found: “Win.Exploit.CVE_2019_0903-6966169-0”;
Hi, my situation is very similar to yours.
Also happened to me on very old files (.pdf) transferred by time and from other computers.
However I have tried the change and it seems to work.
I noticed that the file is ignored from the shell running only clamscan. Activating from web-gui continues to detect the virus.
We are waiting for a new database to try again.
Sure. Fortunately, the offending files have not been moved to quarantine but only detected, by my choice of option. For me it’s just due to the definitions. Different users of different distros have the same problem. Thanks, Stéphane.
Can you please show your entry in “whitelist.ign2”?
If I enter Win.Exploit.CVE_2019_0903-6966169-0 I get this error: Scanned Folder: /ERROR: Malformed database. So how to format this entry correctly?
Thanks.
Edit: Please ignore this. I did an enter at the end of the line, so a new empty line was created.
Hello, unfortunately the server is down now. However, if I remember correctly, /var/lib/clamav/whitelist.ign2 is the same as yours. As previously written, the shell scan with clamscan does not report virus presence, but activating ClamAV on the email filter on my server continues to give false detections.
@france
Just 1 line with
Win.Exploit.CVE_2019_0903-6966169-0
Most are holding but suspect we still have 1 server with the issue and the whitelist file.
grep -i exploit /var/log/maillog will show if it is blocking email
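
Added example, not part of any post in this thread: a shell check for the two things discussed above, an .ign2 ignore list broken by an empty line and clamd rejections in the mail log. The function names, file names and sample log lines are constructed for illustration; only the signature name and the clamd log format come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed.
SIG='Win.Exploit.CVE_2019_0903-6966169-0'   # signature name quoted in the thread

# check_ign2 FILE: report lines that can break an .ign2 ignore list.
# Empty lines are the failure reported in the thread; flagging stray
# spaces, tabs and CRs is an added assumption about editor damage.
check_ign2() {
    awk '
        /^[ \t\r]*$/ { printf "line %d: empty line\n", NR; bad = 1; next }
        /[ \t\r]/    { printf "line %d: whitespace in entry\n", NR; bad = 1 }
        END          { exit bad + 0 }
    ' "$1"
}

# count_hits LOG SIGNATURE: number of clamd "FOUND" lines for one signature.
count_hits() {
    grep -c -F -- "$2 FOUND" "$1" || true
}

demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$SIG" > "$dir/good.ign2"
    printf '%s\n\n' "$SIG" > "$dir/bad.ign2"      # trailing empty line
    cat > "$dir/maillog" <<EOF
May 27 08:01:12 mail clamd[6379]: instream(local): $SIG FOUND
May 27 08:03:40 mail clamd[6379]: instream(local): OK
May 27 08:05:02 mail clamd[6379]: instream(local): $SIG FOUND
EOF
    check_ign2 "$dir/good.ign2" && echo "good.ign2: ok"
    check_ign2 "$dir/bad.ign2"  || echo "bad.ign2: fix before reloading clamd"
    echo "rejections logged: $(count_hits "$dir/maillog" "$SIG")"
    rm -rf "$dir"
}
demo
```

On a real server the same functions would be pointed at /var/lib/clamav/whitelist.ign2 and /var/log/maillog, the paths named in the thread.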