ClamXav found Exploit.PDF-19944 in download from Apple support site.

Discussion in 'Mac Apps and Mac App Store' started by munkery, Oct 30, 2010.

  1. munkery macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #1
    I downloaded a user manual for an Airport Extreme from the Apple support site, and the ClamXav Sentry that scans my downloads detected Exploit.PDF-19944.

    It most likely is a false positive, but I thought I would ask others' opinions about this.

    Follow this link (http://support.apple.com/manuals/#airport) to the Airport Extreme manuals and then download the PDF for the "Airport Extreme (802.11n) Setup Guide."

    This pic shows the specific manual to download and the prompt from ClamXav Sentry. It is a Windows-specific malware. Kind of funny that it is hosted on the Apple support site.

  2. stuarthatto macrumors regular

    Joined:
    Nov 5, 2008
    #2
    I doubt it's a false positive. Just because it was downloaded from Apple doesn't mean it isn't malicious. Adobe Acrobat has had one of the largest numbers of vulnerabilities of any client program in the last 18 months. Apple would be just as vulnerable, and who knows, this doc could have been produced on a Windows machine!

    I would try scanning this with a Windows machine using a good AV scanner and see what it thinks.

    There is no detail I can find on this at ClamAV.
  3. munkery thread starter macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #3
    I have found this release note that shows that this definition was added to ClamAV on 08 Apr 2010, so it is a fairly recent piece of malware.

    Sorry, I do not have a Windows machine to use a different AV scanner on it.
  4. angelwatt Moderator emeritus

    angelwatt

    Joined:
    Aug 16, 2005
    Location:
    USA
    #4
    If it's not a false positive, this only affects Windows XP / 2003, so it can't harm your Mac in the least.
  5. MisterMe macrumors G4

    MisterMe

    Joined:
    Jul 17, 2002
    Location:
    USA
    #5
    If it is the file that the OP claims, then the infected file is dated January 24, 2007, a year before the definition was added to ClamAV. I downloaded both language versions of the file and scanned them both with Norton Antivirus 11.1.1f2. Absolutely nothing. Both files are as clean as hounds' teeth.

    The notion that Apple would post an infected file on its own website is laughable. Remember that this is an Apple-created file. Apple created both files back in 2006-2007 using FrameMaker 6.0 and Adobe Distiller 6.0.0 in the Classic environment.

    The bottom line is that the OP's false positive is the false positive to end all false positives.
  6. munkery thread starter macrumors 68020

    munkery

    Joined:
    Dec 18, 2006
    #6
    I am pretty sure it is a false positive as well. It just means that the ClamAV engine is running with overzealous heuristics. I would rather it be a false positive than malware going undetected.