I disable JavaScript in our PDF viewer. PostScript (which underlies
PDF) is a Turing-complete executable language, and even has a mechanism
to read and write files, so it could cause some trouble on its own.


On Thu, 31 Mar 2016 10:36:18 -0500
Noel Jones <njo...@megan.vbhcs.org> wrote:

> Known malware will still be detected, even if you ignore the
> troublesome PUA sigs.
> 
> These aren't really false positives since the .pdf really does
> contain JavaScript.  So the sigs are working as intended.
> 
> The alternative is to communicate to your users that .pdf files
> containing JavaScript are not allowed in email.  Unfortunately,
> *many* legit .pdf files contain JavaScript.
> 
> This is more of a local policy decision than a tech decision.
> 
> 
>   -- Noel Jones
> 
> 
> 
> On 3/31/2016 9:25 AM, polloxx wrote:
> > That's known to me Steve.
> > I'm afraid malware will not be detected in that case.
> > 
> > P.
> > 
> > On Thu, Mar 31, 2016 at 3:43 PM, Steve Basford <
> > steveb_cla...@sanesecurity.com> wrote:
> > 
> >>
> >> On Thu, March 31, 2016 2:33 pm, polloxx wrote:
> >>> Since the new ClamAV database we have a lot more false positives
> >>> for PUA.Pdf.Trojan.EmbeddedJS-1 and PUA.Win.Trojan.EmbeddedPDF-1.
> >>> What can we do about this, except disabling PUA?
> >>
> >> Create a local.ign2 with the following lines:
> >>
> >> PUA.Pdf.Trojan.EmbeddedJS-1
> >> PUA.Win.Trojan.EmbeddedPDF-1
> >>
> >> Place in ClamAV database folder and restart clamd
> >>
> >> Cheers,
> >>
> >> Steve
> >> Web : sanesecurity.com
> >> Blog: sanesecurity.blogspot.com
> >> Twitter: @sanesecurity
> >>
> >> _______________________________________________
> >> Help us build a comprehensive ClamAV guide:
> >> https://github.com/vrtadmin/clamav-faq
> >>
> >> http://www.clamav.net/contact.html#ml
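
The local.ign2 step quoted above, written as a re-runnable shell function so that repeated runs neither duplicate nor drop entries. This is an added example, not part of any message in the thread; the helper names `ign2_add` and `ign2_has` are hypothetical, and the database folder is passed as an argument because the thread does not give its path.

```shell
#!/bin/sh
# Added example. ign2_add and ign2_has are hypothetical helper names.
# DBDIR is the ClamAV database folder (DatabaseDirectory in clamd.conf).

# ign2_add DBDIR SIGNAME...
# Adds each name to DBDIR/local.ign2 unless that exact line already exists,
# keeps earlier entries, and prints how many names were added.
ign2_add() {
    dbdir=$1; shift
    if [ ! -d "$dbdir" ]; then
        echo "no such database directory: $dbdir" >&2
        return 1
    fi
    file=$dbdir/local.ign2
    # Build the new file beside the old one so the swap is a single rename.
    tmp=$(mktemp "$dbdir/local.ign2.XXXXXX") || return 1
    if [ -f "$file" ]; then
        # awk re-terminates every line, so a missing final newline in the
        # old file cannot glue two signature names together.
        awk 1 "$file" > "$tmp"
    fi
    added=0
    for sig in "$@"; do
        case $sig in
            ''|*' '*) echo "skipping invalid name: '$sig'" >&2; continue ;;
        esac
        # -F literal (dots are not wildcards), -x whole line only.
        if ! grep -Fxq -- "$sig" "$tmp"; then
            printf '%s\n' "$sig" >> "$tmp"
            added=$((added + 1))
        fi
    done
    chmod 644 "$tmp"    # mktemp creates 0600; the scanner must be able to read it
    mv "$tmp" "$file"
    echo "$added"
}

# ign2_has DBDIR SIGNAME: exit status 0 if the name is currently ignored.
ign2_has() {
    grep -Fxq -- "$2" "$1/local.ign2" 2>/dev/null
}

# Usage, followed by the clamd restart from the quoted reply:
#   ign2_add /path/to/clamav-db PUA.Pdf.Trojan.EmbeddedJS-1 PUA.Win.Trojan.EmbeddedPDF-1
```
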
