[clamav-users] What does TargetType 10 for a signature mean?
David Shrimpton
d.shrimpton at its.uq.edu.au
Sun Feb 28 14:20:18 UTC 2016
Hi,
I wrote a signature against one of the temporary files clamav
pulled out of a pdf when --scan-pdf=yes.
(The signature does not hit when --scan-pdf=no.)
If the signature is TargetType 10 = PDF it was not hit.
If it was type 0 = any file, it was hit. But it would also be hit
by other files not related to the pdf, e.g. text or html,
which I don't want. I only want to match
files pulled out of a pdf by --scan-pdf.
(clamav --debug reports the file from the pdf as ascii, but Target Type 7
for normalized ascii file does not work.)
This is similar confusion to what type 2 means.
signatures.pdf says type 2 is file inside an OLE2 container but it actually
appears to denote an OLE2 container itself and not a file inside one
unless that file is itself an OLE2 container.
It seems to me that having additional types may be helpful: e.g. any file inside an OLE2 or any 'file' inside a pdf in addition to type 2 and 10.
PS: It appears -z does not work when there is a hit on a 'file' inside a
PDF. Other signatures that match the pdf itself are not reported as being
hit. This is a similar problem to -z not working when there are hits on macros
inside OLE2 or a hit on Heuristics.OLE2.ContainsMacros.
--
David Shrimpton