Virus Scanners detecting virus on DOMPDF docs


Michael Gall

May 28, 2015, 12:47:56 PM
to dom...@googlegroups.com
Hi All,

Just wondering if anyone has had problems with virus scanners picking up viruses on dompdf-generated docs. I've had 2 instances of it recently and I'm really curious as to what's happening and how I may be able to stop it. I suspect that they are false positives, but it's really hard to determine.

The 2 software packages are Sophos - detected Troj/PDFDown-J
and Microsoft Forefront Security for Exchange Server - detected HEUR:Exploit.PDF.Generic

Any ideas or experiences would be greatly appreciated.


Cheers,

Michael Gall

Riccardo Fraioli

May 28, 2015, 1:03:01 PM
to dom...@googlegroups.com

Is this warning on localhost or on a server? Check the script that generates the PDF ...
R.f

--
You received this message because you are subscribed to the Google Groups "dompdf" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dompdf+un...@googlegroups.com.
To post to this group, send email to dom...@googlegroups.com.
Visit this group at http://groups.google.com/group/dompdf.
For more options, visit https://groups.google.com/d/optout.

BrianS

May 28, 2015, 1:45:34 PM
to dom...@googlegroups.com, mic...@currinda.com
This is a bit annoying. Looks like some bad guys may be using dompdf (or aping its PDF structure) to generate PDFs used in phishing scams. If that's the case and a sufficient number of similar documents are reported then it's likely that some anti-virus vendors will start using the dompdf-generated PDF characteristics in their signatures.

Here's a report on VirusTotal relating to a similar PDF:
https://www.virustotal.com/en/file/44231673527f6f9437df1789bca295efac86b9df1df0a68ccf06f5d48b732e10/analysis/

Of course, the source lists a ridiculous number of potential issues using automated reporting just because Adobe Acrobat was opened to read the file
https://www.hybrid-analysis.com/sample/44231673527f6f9437df1789bca295efac86b9df1df0a68ccf06f5d48b732e10?environmentId=3

There are other similar reports out there. Probably the best course of action is to contact your vendor and let them know that legitimate files are being flagged as malicious. It might help to point out what dompdf is and how to identify files produced by the library. We can help if needed.

It would be pretty destructive to the project if dompdf-generated PDF files started getting flagged as malicious by a significant number of anti-virus apps because of this. Who wants to use a library when the files it produces are causing these types of problems?

Michael Gall

May 29, 2015, 4:45:57 AM
to dom...@googlegroups.com, mic...@currinda.com
Thanks for that. It gave me a few extra avenues to go down. The first thing that I did seemed to improve things and that was to bump the version in cpdf to PDF1.7. Not sure if that's wise or not, but I'm going to make it on my local branch. Certainly fixed the virus scan. Might be worth checking if it solves it for that particular version.


Cheers,

Michael

BrianS

May 29, 2015, 9:57:04 AM
to dom...@googlegroups.com, mic...@currinda.com
Thank you for the follow-up. The virus signature must be using the commonalities in the suspect PDF documents, which would likely be the start-of-file structure. I believe these would be the same across PDF installations, and certainly the same for a single installation. We will probably have to do something to address the issue ... probably for the next release. Unless the anti-virus vendors take pity on a poor, open-source project.

I followed up your pull request with an issue to discuss the problem. Please leave any feedback/suggestions there: https://github.com/dompdf/dompdf/issues/952
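The two observations in this thread, that a signature can key on the start-of-file structure dompdf writes and that rewriting only the %PDF version header was enough to stop the detection, can be checked directly on a file. The script below is an added example, not code from dompdf or from anyone in this thread. It builds a constructed minimal PDF in memory (the /Producer string `dompdf + CPDF` is a placeholder I assumed, not verified dompdf output), fingerprints the header, Producer string and SHA-256, rewrites only the version header the way the local fix did, and then verifies that the cross-reference table still resolves. The `looks_like_dompdf` heuristic and the regex-based parsing are assumptions: they handle neither hex strings, object streams nor encrypted documents.

```python
"""Fingerprint a PDF the way a signature keyed on its leading bytes might,
and show what a %PDF version-header bump does and does not change."""
import hashlib
import re


def build_sample_pdf(version="1.3", producer="dompdf + CPDF"):
    """Constructed sample: a minimal one-page PDF with an Info dictionary.
    The producer string is an assumed placeholder, not real dompdf output."""
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>",
        b"<< /Producer (" + producer.encode() + b") >>",
    ]
    out = bytearray(b"%PDF-" + version.encode() + b"\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R /Info 4 0 R >>\n" % (len(objects) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_pos
    return bytes(out)


HEADER_RE = re.compile(rb"\A%PDF-(\d\.\d)")
# Naive literal-string match (assumption): no hex strings, escaped parens,
# encrypted Info dicts or metadata inside compressed object streams.
PRODUCER_RE = re.compile(rb"/Producer\s*\((.*?)\)")


def fingerprint(pdf: bytes) -> dict:
    """Collect the traits a signature or a vendor report would key on."""
    header = HEADER_RE.match(pdf)
    producer = PRODUCER_RE.search(pdf)
    producer_txt = producer.group(1).decode("latin-1") if producer else ""
    return {
        "version": header.group(1).decode() if header else None,
        "producer": producer_txt,
        # Assumed heuristic: the library name appears in /Producer.
        "looks_like_dompdf": "dompdf" in producer_txt.lower(),
        "leading_bytes": pdf[:16],
        # Paste this into VirusTotal / the vendor's false-positive form.
        "sha256": hashlib.sha256(pdf).hexdigest(),
    }


def bump_header_version(pdf: bytes, new_version: str) -> bytes:
    """Rewrite only the %PDF-x.y header, as the thread's local fix did.
    Refuses anything that changes the header length, because every byte
    offset recorded in the xref table after it would then be wrong."""
    header = HEADER_RE.match(pdf)
    if not header:
        raise ValueError("not a PDF: missing %PDF- header")
    if len(new_version) != len(header.group(1)):
        raise ValueError("version string must keep the header the same length")
    start, end = header.span(1)
    return pdf[:start] + new_version.encode() + pdf[end:]


def xref_is_consistent(pdf: bytes) -> bool:
    """Check that startxref points at 'xref' and every in-use entry's
    offset really lands on 'N G obj'. Classic xref tables only."""
    trailer = re.search(rb"startxref\s+(\d+)\s+%%EOF", pdf)
    if not trailer:
        return False
    pos = int(trailer.group(1))
    if pdf[pos:pos + 4] != b"xref":
        return False
    for off, _gen, kind in re.findall(rb"(\d{10}) (\d{5}) ([nf])", pdf[pos:]):
        if kind == b"n" and not re.match(rb"\d+ \d+ obj", pdf[int(off):int(off) + 20]):
            return False
    return True


if __name__ == "__main__":
    original = build_sample_pdf()
    bumped = bump_header_version(original, "1.7")
    for label, doc in (("original", original), ("header bumped", bumped)):
        print(label, fingerprint(doc), "xref ok:", xref_is_consistent(doc))
```

Note what the bump does not do: only the eighth byte changes, so the file moves away from a signature keyed on the exact leading bytes, but the Producer string, object layout and everything else a vendor could fingerprint are untouched. If a scanner still fires after the bump, the signature is matching something further in, and the SHA-256 from `fingerprint` is what to send with the false-positive report.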