To follow up on what Kris said, yes you can create rules like this. We are
unable to publish such broad rules in the official signatures because of
the FPs that it will cause, but you are able to determine what should be
blocked within your individual environment.

PDFs with JavaScript, documents with macros, zips containing JS files...
these are all examples that are too broad for official signatures, but are
absolutely detectable through ClamAV signatures.

If your environment allows it, by all means go ahead and kill it with fire.

On Mon, May 15, 2017 at 11:22 AM, Kris Deugau <[email protected]> wrote:

> Cedric Knight wrote:
>
>> Devs - is it possible to block PDFs based on containing '/JavaScript'
>> and '/OpenAction' (or '/Launch')?  I wish ClamAV had a hierarchy from
>> definite signatures first to secondly checking heuristics...
>>
>
> Not a ClamAV developer, but yes, you can create a signature for this.
>
> You don't really want to do this, because you *will* block legitimate
> PDFs.  Speaking from experience.  :(
>
> -kgd



-- 

Matthew Molyett
Malware Researcher

[email protected]
Phone:  (410) 309-4834
Mobile: (410) 674-2049

Cisco.com - http://www.cisco.com

This email may contain confidential and privileged material for the sole
use of the intended recipient. Any review, use, distribution or disclosure
by others is strictly prohibited. If you are not the intended recipient (or
authorized to receive for the recipient), please contact the sender by
reply email and delete all copies of this message.

For corporate legal information go to:
http://www.cisco.com/web/about/doing_business/legal/cri/index.html
_______________________________________________
clamav-users mailing list
[email protected]
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml

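For anyone who wants to try the "block it within your own environment" approach from the thread, here is a worked example. It is an added illustration, not code from the thread or from the ClamAV project: a small POSIX shell script that writes a local logical signature (.ldb) for PDFs containing /JavaScript together with /OpenAction or /Launch, a container signature (.cdb) for .js members inside zip files, and two constructed PDFs (one with an auto-run JavaScript action, one that only jumps to a page on open) to scan against them. The signature names, the scratch directory and the sample PDFs are my own choices.

```shell
#!/bin/sh
# Added example, not from this thread or from the ClamAV project: a local
# signature set that flags PDFs carrying /JavaScript together with an
# auto-running /OpenAction or /Launch, plus a container signature for
# .js members of zip files. Signature names, paths and the sample PDFs
# are my own (constructed) choices.
set -eu

# Assumption: a scratch directory holds the custom database and samples.
SIGDIR="${SIGDIR:-$(mktemp -d)}"

# Body signatures take hex, not ASCII: encode a literal string as hex bytes.
to_hex() {
    printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n'
}

# Logical signature (.ldb): Name;Target:10 (PDF);Expression;Subsig0;Subsig1;Subsig2
# Expression 0&(1|2) = /JavaScript AND (/OpenAction OR /Launch), so a PDF
# that merely opens at a given page (/OpenAction without JavaScript) passes.
pdf_js_ldb() {
    printf 'Custom.PDF.JS_AutoRun;Target:10;0&(1|2);%s;%s;%s\n' \
        "$(to_hex '/JavaScript')" "$(to_hex '/OpenAction')" "$(to_hex '/Launch')"
}

# Container metadata signature (.cdb): any zip holding a member named *.js.
# Fields: Name:ContainerType:ContainerSize:FileNameREGEX:FileSizeInContainer:
#         FileSizeReal:IsEncrypted:FilePos:Res1:Res2
zip_js_cdb() {
    printf 'Custom.Zip.JSFile:CL_TYPE_ZIP:*:\\.[jJ][sS]$:*:*:*:*:*:*\n'
}

write_sigs() {
    pdf_js_ldb > "$SIGDIR/custom.ldb"
    zip_js_cdb > "$SIGDIR/custom.cdb"
}

# Constructed PDF whose catalog runs a JavaScript action on open.
write_js_pdf() {
    cat > "$1" <<'EOF'
%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
EOF
}

# Constructed benign PDF: /OpenAction that only jumps to a page, no JavaScript.
write_benign_pdf() {
    cat > "$1" <<'EOF'
%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction [3 0 R /Fit] >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
EOF
}

# Scan one file against the custom database only (clamscan exits 1 on a hit).
scan() {
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "clamscan not installed; signatures are in $SIGDIR" >&2
        return 0
    fi
    if clamscan --database="$SIGDIR" --no-summary "$1"; then
        echo "clean: $1"
    else
        echo "flagged (exit $?): $1"
    fi
}

write_sigs
write_js_pdf "$SIGDIR/js.pdf"
write_benign_pdf "$SIGDIR/benign.pdf"
scan "$SIGDIR/js.pdf"
scan "$SIGDIR/benign.pdf"
```

With clamscan installed, js.pdf is reported as Custom.PDF.JS_AutoRun.UNOFFICIAL FOUND (ClamAV appends .UNOFFICIAL to anything not from the official databases) and benign.pdf as OK, which is the point of the 0&(1|2) expression: plenty of legitimate PDFs carry an /OpenAction that only sets the initial view, and Kris's warning applies in full to any rule that fires on /OpenAction alone. Two caveats before deploying: -d with a directory loads only that directory, so in production drop the files next to the official databases rather than replacing them; and a raw byte match only sees the literal names, so a producer that writes the name with PDF hex escapes (e.g. /J#61vaScript) will not match unless the parser normalizes it, which is worth testing against your own samples.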