On Mon, November 28, 2016 1:56 pm, Mathieu D. wrote:
> Hello,
>
>
> Is there any way to whitelist a file based on it's signature *and* it's
> filename?
>
Not that I know of...
I guess this *might* be an option.
1. Find something common in your pdf you want to "whitelist", say "Your
company name or department", convert this to hex.
2. Create an ign2 file to ignore the normal PUA file.
3. Create an ldb sig, which should do the same at the current PUA
BUT you are creating a whitelist "phrase".
eg:
Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);41646F6265204C6976654379636C652044657369676E65722045532031302E30
eg:
This is the hex for your phrase:
41646F6265204C6976654379636C652044657369676E65722045532031302E30 =
"Adobe LiveCycle Designer ES 10.0"
So, if the pdf contains "Javascript" and "Adobe LiveCycle Designer ES
10.0" it won't get hit... all other pdf's with Javascript will get
blocked.
Not ideal but at least it should work.
--
Cheers,
Steve
Twitter: @sanesecurity
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
