Of course, if anybody is able to find out what the magic filename is, they could mount a targeted attack.
How are the PDFs generated? Would it be possible to attach a cryptographic signature to attest to their validity? (That would probably require an additional step on receipt as well as transmission to indicate they were OK in spite of ClamAV's red flag.)

On Mon, 28 Nov 2016 14:28:11 -0000
"Steve Basford" <[email protected]> wrote:

>
> On Mon, November 28, 2016 1:56 pm, Mathieu D. wrote:
> > Hello,
> >
> >
> > Is there any way to whitelist a file based on its signature *and*
> > its filename?
>
>
> Not that I know of...
>
> I guess this *might* be an option.
>
> 1. Find something common in your pdf you want to "whitelist", say
> "Your company name or department", convert this to hex.
>
> 2. Create an ign2 file to ignore the normal PUA file.
>
> 3. Create an ldb sig, which should do the same as the current PUA
> BUT you are creating a whitelist "phrase".
>
> eg:
>
> Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);41646F6265204C6976654379636C652044657369676E65722045532031302E30
>
> eg:
>
> This is the hex for your phrase:
> 41646F6265204C6976654379636C652044657369676E65722045532031302E30 =
> "Adobe LiveCycle Designer ES 10.0"
>
> So, if the pdf contains "Javascript" and "Adobe LiveCycle Designer ES
> 10.0" it won't get hit... all other pdfs with Javascript will get
> blocked.
>
> Not ideal but at least it should work.
>
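Added example, not part of the original thread and not ClamAV code: a Python sketch that rebuilds the quoted `.ldb` line from a phrase and approximates its `(0&1=0)` logic with a regex, so the effect of the exemption can be checked on sample bytes. The function names and the three sample PDFs are constructed for illustration; the regex translation covers only the wildcard forms used in this one signature.

```python
import re

# Subsignature 0, signature name and phrase, verbatim from the thread.
JS_SUBSIG = "255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c)"
SIG_NAME = "Local.PUA.Script.PDF.EmbeddedJavaScript"
PHRASE = "Adobe LiveCycle Designer ES 10.0"

def build_ldb(phrase: str) -> str:
    """Build the .ldb line: hit when subsig 0 matches and subsig 1 (the phrase) matches 0 times."""
    phrase_hex = phrase.encode("ascii").hex().upper()
    return f"{SIG_NAME};Engine:51-255,Target:0;(0&1=0);{JS_SUBSIG};{phrase_hex}"

def subsig_to_regex(subsig: str) -> re.Pattern:
    """Approximate the body-signature tokens used above (*, {-n}, (a|b)) as a bytes regex."""
    out = []
    for tok in re.findall(r"\*|\{-\d+\}|\([0-9a-fA-F|]+\)|(?:[0-9a-fA-F]{2})+", subsig):
        if tok == "*":                       # any number of bytes
            out.append(b".*?")
        elif tok.startswith("{"):            # {-n}: n bytes or fewer
            out.append(b".{0,%d}?" % int(tok[2:-1]))
        elif tok.startswith("("):            # (aa|bb): byte alternatives
            alts = [re.escape(bytes.fromhex(a)) for a in tok[1:-1].split("|")]
            out.append(b"(?:" + b"|".join(alts) + b")")
        else:                                # literal hex run
            out.append(re.escape(bytes.fromhex(tok)))
    return re.compile(b"".join(out), re.DOTALL)

def would_flag(data: bytes, phrase: str) -> bool:
    """Evaluate (0&1=0): JavaScript marker present AND the phrase absent."""
    js = subsig_to_regex(JS_SUBSIG).search(data) is not None
    return js and data.count(phrase.encode("ascii")) == 0

# Constructed samples (not real documents).
PDF_JS = b"%PDF-1.7\n1 0 obj\n<< /Type /Action /S /JavaScript /JS 2 0 R >>\nendobj\n"
PDF_PLAIN = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
PDF_JS_TAGGED = PDF_JS + b"3 0 obj\n<< /Creator (Adobe LiveCycle Designer ES 10.0) >>\nendobj\n"

if __name__ == "__main__":
    print(build_ldb(PHRASE))
    for name, blob in [("js", PDF_JS), ("plain", PDF_PLAIN), ("js+phrase", PDF_JS_TAGGED)]:
        print(name, "flagged" if would_flag(blob, PHRASE) else "not flagged")
```

The third sample shows that the exemption keys on content alone, so it applies to every PDF carrying the phrase, whatever its origin.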
