[clamav-users] Signature specifics (was Re: Malware/ransomware and Yara signatures with clamav)

Kris Deugau kdeugau at vianet.ca
Mon May 15 15:22:26 UTC 2017


Cedric Knight wrote:

> Devs - is it possible to block PDFs based on containing '/JavaScript'
> and '/OpenAction' (or '/Launch')?  I wish ClamAV had a hierarchy from
> definite signatures first to secondly checking heuristics...

Not a ClamAV developer, but yes, you can create a signature for this.

You don't really want to do this, because you *will* block legitimate 
PDFs.  Speaking from experience.  :(

-kgd
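
Added example, not part of the original message and not ClamAV project code: a sketch of the logical (.ldb) signature the question asks about, with its logic replayed over constructed PDF fragments to show the false positive described above. The signature name, helper names and sample bytes are assumptions made for illustration, and the matcher is a plain substring search on raw bytes, not ClamAV's engine.

```python
# Added illustration. Names and samples are hypothetical/constructed.
TOKENS = [b"/JavaScript", b"/OpenAction", b"/Launch"]
SIG_NAME = "Local.PDF.JSAutoAction"  # hypothetical local signature name

def build_ldb(name=SIG_NAME, tokens=TOKENS):
    """Build an .ldb line: Name;TargetDescriptionBlock;LogicalExpr;Subsig0;..."""
    subsigs = [t.hex() for t in tokens]  # subsignatures are hex-encoded bytes
    # Target:10 limits the signature to PDF files.
    # 0&(1|2) means: /JavaScript AND (/OpenAction OR /Launch).
    return ";".join([name, "Target:10", "0&(1|2)"] + subsigs)

def would_match(data, tokens=TOKENS):
    """Replay the logical expression 0&(1|2) as substring tests on raw bytes."""
    js, open_action, launch = (t in data for t in tokens)
    return js and (open_action or launch)

# Constructed fragments (not complete PDFs), one per case of interest.
SAMPLES = {
    # Ordinary document: no scripting, no automatic action.
    "plain": b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
    # Legitimate document that sets its zoom on open with a one-line script.
    "benign_autozoom": (
        b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 5 0 R >> endobj\n"
        b"5 0 obj << /S /JavaScript /JS (this.zoom = 100;) >> endobj\n"
    ),
    # Form with a scripted button but nothing that runs on open.
    "form_button_js": (
        b"%PDF-1.4\n7 0 obj << /Type /Annot /Subtype /Widget "
        b"/A << /S /JavaScript /JS (this.resetForm();) >> >> endobj\n"
    ),
}

def false_positive_report(samples=SAMPLES):
    """Return {sample name: True if the signature logic would flag it}."""
    return {name: would_match(data) for name, data in samples.items()}

if __name__ == "__main__":
    print(build_ldb())
    for name, hit in false_positive_report().items():
        print(f"{name:16} {'FLAGGED' if hit else 'clean'}")
```

Running the same check over a folder of known-good PDFs from your own mail flow before deploying such a signature gives a measured false-positive rate for your site.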


