
munkery

I downloaded a user manual for an Airport Extreme from the Apple support site and the ClamXav sentry that scans my downloads detected Exploit.PDF-19944.

It most likely is a false positive, but I thought I would ask others' opinions about this.

Follow this link (http://support.apple.com/manuals/#airport) to the Airport Extreme manuals and then download the PDF for the "Airport Extreme (802.11n) Setup Guide."

This pic shows the specific manual to download and the prompt from ClamXav Sentry. It is Windows-specific malware. Kind of funny that it is hosted on the Apple support site.
 

Attachment: good.png

I doubt it's a false positive. Just because it was downloaded from Apple doesn't mean it isn't malicious. Adobe Acrobat has had some of the largest number of vulnerabilities in the last 18 months of any client program. Apple would be just as vulnerable, and who knows, this doc could have been produced on a Windows machine!

I would try scanning this with a Windows machine using a good AV scanner and see what it thinks.

There is no detail I can find on this at Clam.
 
I have found this release note that shows that this definition was added to ClamAV on 08 Apr 2010, so it is a fairly recent piece of malware.

Sorry, I do not have a Windows machine to use a different AV scanner on it.
 
If it's not a false positive, this only affects Windows XP / 2003, so it can't harm your Mac in the least.
 
> I have found this release note that shows that this definition was added to ClamAV on 08 Apr 2010, so it is a fairly recent piece of malware.
>
> Sorry, I do not have a Windows machine to use a different AV scanner on it.

If it is the file that the OP claims, then the infected file is dated January 24, 2007, a year before the definition was added to ClamAV. I downloaded both language versions of the file and scanned them both with Norton Antivirus 11.1.1f2. Absolutely nothing. Both files are as clean as hounds' teeth.

The notion that Apple would post an infected file on its own website is laughable. Remember that this is an Apple-created file. Apple created both files back in 2006-2007 using FrameMaker 6.0 and Adobe Distiller 6.0.0 in the Classic environment.

The bottom line is that the OP's false positive is the false positive to end all false positives.
 
I am pretty sure it is a false positive as well. It just means that the ClamAV engine is running with overzealous heuristics. Rather it be a false positive than malware going undetected.
 