[clamav-users] Whitelist based on sign *and* filename?
Mathieu D.
mathieud at univ-jfc.fr
Thu Dec 1 10:45:27 UTC 2016
On Monday 28 November 2016, 14:28:11 CET, Steve Basford wrote:
> I guess this *might* be an option.
Thanks for your reply and this idea.
> 1. Find something common in your pdf you want to "whitelist", say "Your
> company name or department", convert this to hex.
Let's say "My Safe PDF" → "4d79205361666520504446".
(and "/JavaScript" → "2f4a617661536372697074")
> 2. Create an ign2 file to ignore the normal PUA file.
In "/var/lib/clamav/safe_pdf.ign2":
```
PUA.Script.PDF.EmbeddedJavaScript
```
> 3. Create an ldb sig, which should do the same at the current PUA
> BUT you are creating a whitelist "phrase".
>
> eg:
>
> Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);41646F6265204C6966654379636C652044657369676E65722045532031302E30
How is this line actually generated?
I tried in "/var/lib/clamav/safe_pdf.ldb" this line:
```
Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);4d79205361666520504446
```
But I could not get it to work.
ClamAV's log says:
```
Thu Dec 1 11:32:47 2016 -> /var/spool/exim4/scan/1cCOfW-0007QY-DV/1cCOfW-0007QY-DV.eml: PUA.Pdf.Trojan.EmbeddedJavaScript-1(79c2e679cf8af9fc259c00535cf9c5d0:305994) FOUND
Thu Dec 1 11:32:47 2016 -> ERROR: VirusEvent: fork failed.
```
Thanks for your help.
-- Mathieu
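Added example, not from the thread and not ClamAV's own tooling: a Python helper that builds the ldb line from a plaintext phrase the way step 3 describes, and evaluates the (0&1=0) expression over three constructed PDF stand-ins. The pattern-to-regex translation is an assumption that covers only the body-signature syntax appearing in this one signature, not ClamAV's real matcher.

```python
import re

# Constructed helpers, not ClamAV project code. They mirror the ldb line from
# step 3: subsig 0 is the PDF-with-/JavaScript pattern, subsig 1 is the hex of
# the whitelist phrase, and (0&1=0) means "subsig 0 matched and subsig 1 matched
# zero times", so the Local.* PUA fires only on PDFs that lack the phrase.
PDF_JS_SUBSIG = "255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c)"

def to_hex(phrase: str) -> str:
    """Hex-encode a plaintext phrase as a ClamAV body signature expects."""
    return phrase.encode("latin-1").hex()

def build_whitelist_ldb(name: str, phrase: str) -> str:
    """Assemble Name;TargetBlock;LogicalExpr;Subsig0;Subsig1 on ONE line."""
    return f"{name};Engine:51-255,Target:0;(0&1=0);{PDF_JS_SUBSIG};{to_hex(phrase)}"

def subsig_to_regex(sig: str) -> bytes:
    """Translate the body-signature subset used here (plain hex, '*', '{-n}',
    '(aa|bb)') into a bytes regex: a simplified stand-in for ClamAV's matcher."""
    out, i = b"", 0
    while i < len(sig):
        if sig[i] == "*":                        # any number of bytes
            out, i = out + b".*?", i + 1
        elif sig[i] == "{":                      # {-n}: up to n bytes
            j = sig.index("}", i)
            out, i = out + b".{0,%d}" % int(sig[i + 2:j]), j + 1
        elif sig[i] == "(":                      # (aa|bb): one of several bytes
            j = sig.index(")", i)
            alts = [re.escape(bytes.fromhex(a)) for a in sig[i + 1:j].split("|")]
            out, i = out + b"(?:" + b"|".join(alts) + b")", j + 1
        else:                                    # two hex digits = one byte
            out, i = out + re.escape(bytes.fromhex(sig[i:i + 2])), i + 2
    return out

def whitelist_sig_fires(ldb_line: str, data: bytes) -> bool:
    """Evaluate (0&1=0) for one file: JS pattern present AND phrase absent."""
    _, _, _, sub0, sub1 = ldb_line.split(";")
    has_js = re.search(subsig_to_regex(sub0), data, re.DOTALL) is not None
    has_phrase = re.search(subsig_to_regex(sub1), data, re.DOTALL) is not None
    return has_js and not has_phrase

SIG = build_whitelist_ldb("Local.PUA.Script.PDF.EmbeddedJavaScript", "My Safe PDF")

# Constructed sample PDFs (minimal stand-ins, not real documents).
SAFE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Producer (My Safe PDF) "
            b"/OpenAction << /S /JavaScript /JS (this.print()) >> >>\nendobj\n")
OTHER_PDF = SAFE_PDF.replace(b"My Safe PDF", b"Other Vendor")
NO_JS_PDF = b"%PDF-1.4\n1 0 obj\n<< /Producer (Other Vendor) >>\nendobj\n"
```

For the hex step alone, ClamAV's own `sigtool --hex-dump` converts stdin to the same hex string.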