Re: [clamav-users] Whitelist based on sign *and* filename?

2016-12-01 Thread Mathieu D.
On Monday 28 November 2016, 10:28:03 CET, Paul Kosinski wrote:
> Of course, if anybody is able to find out what the magic filename is,
> they could mount a targeted attack.

Of course, but thanks for the warning.

> How are the PDFs generated? Would it be possible to attach a
> cryptographic signature to attest to their validity? (That would
> probably require an additional step on receipt as well as transmission
> to indicate they were OK in spite of ClamAV's red flag.)

Unfortunately we have no control over the creation of those PDFs.

Best,
-- 
Mathieu

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Whitelist based on sign *and* filename?

2016-12-01 Thread Mathieu D.
On Monday 28 November 2016, 14:28:11 CET, Steve Basford wrote:
> I guess this *might* be an option.

Thanks for your reply and this idea.

> 1.  Find something common in your pdf you want to "whitelist", say "Your
> company name or department", convert this to hex.

Let's say "My Safe PDF" → "4d79205361666520504446".
(and "/JavaScript" → "2f4a617661536372697074")

> 2. Create an ign2 file to ignore the normal PUA file.

In "/var/lib/clamav/safe_pdf.ign2":
```
PUA.Script.PDF.EmbeddedJavaScript
```

> 3. Create an ldb sig, which should do the same as the current PUA
> BUT you are creating a whitelist "phrase".
> 
> eg:
> 
> Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);41646F6265204C6976654379636C652044657369676E65722045532031302E30

How is this line actually generated?

I tried in "/var/lib/clamav/safe_pdf.ldb" this line:
```
Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);4d79205361666520504446
```

But I could not get it to work.

The ClamAV log says:
```
Thu Dec  1 11:32:47 2016 -> /var/spool/exim4/scan/1cCOfW-0007QY-DV/1cCOfW-0007QY-DV.eml: PUA.Pdf.Trojan.EmbeddedJavaScript-1(79c2e679cf8af9fc259c00535cf9c5d0:305994) FOUND
Thu Dec  1 11:32:47 2016 -> ERROR: VirusEvent: fork failed.
```

Thanks for your help.
-- Mathieu

Re: [clamav-users] Whitelist based on sign *and* filename?

2016-11-28 Thread Paul Kosinski
Of course, if anybody is able to find out what the magic filename is,
they could mount a targeted attack.

How are the PDFs generated? Would it be possible to attach a
cryptographic signature to attest to their validity? (That would
probably require an additional step on receipt as well as transmission
to indicate they were OK in spite of ClamAV's red flag.)


On Mon, 28 Nov 2016 14:28:11 -
"Steve Basford"  wrote:

> 
> On Mon, November 28, 2016 1:56 pm, Mathieu D. wrote:
> > Hello,
> >
> >
> > Is there any way to whitelist a file based on its signature *and*
> > its filename?
> >
> Not that I know of...
> 
> I guess this *might* be an option.
> 
> 1.  Find something common in your pdf you want to "whitelist", say
> "Your company name or department", convert this to hex.
> 
> 2. Create an ign2 file to ignore the normal PUA file.
> 
> 3. Create an ldb sig, which should do the same as the current PUA
> BUT you are creating a whitelist "phrase".
> 
> eg:
> 
> Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);41646F6265204C6976654379636C652044657369676E65722045532031302E30
> 
> eg:
> 
> This is the hex for your phrase:
> 41646F6265204C6976654379636C652044657369676E65722045532031302E30 =
> "Adobe LiveCycle Designer ES 10.0"
> 
> So, if the pdf contains "Javascript" and "Adobe LiveCycle Designer ES
> 10.0" it won't get hit... all other PDFs with JavaScript will get
> blocked.
> 
> Not ideal but at least it should work.
> 


Re: [clamav-users] Whitelist based on sign *and* filename?

2016-11-28 Thread Steve Basford

On Mon, November 28, 2016 1:56 pm, Mathieu D. wrote:
> Hello,
>
>
> Is there any way to whitelist a file based on its signature *and* its
> filename?
>
Not that I know of...

I guess this *might* be an option.

1.  Find something common in your pdf you want to "whitelist", say "Your
company name or department", convert this to hex.

2. Create an ign2 file to ignore the normal PUA file.

3. Create an ldb sig, which should do the same as the current PUA
BUT you are creating a whitelist "phrase".

eg:

Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);41646F6265204C6976654379636C652044657369676E65722045532031302E30

eg:

This is the hex for your phrase:
41646F6265204C6976654379636C652044657369676E65722045532031302E30 =
"Adobe LiveCycle Designer ES 10.0"

So, if the pdf contains "Javascript" and "Adobe LiveCycle Designer ES
10.0" it won't get hit... all other PDFs with JavaScript will get
blocked.

Not ideal but at least it should work.

-- 
Cheers,

Steve
Twitter: @sanesecurity
