[clamav-users] Signature specifics (was Re: Malware/ransomware and Yara signatures with clamav)
Matthew Molyett
mmolyett at sourcefire.com
Tue May 16 17:41:58 UTC 2017
To follow up on what Kris said, yes you can create rules like this. We are
unable to publish such broad rules in the official signatures because of
the FPs that it will cause, but you are able to determine what should be
blocked within your individual environment.
PDFs with JavaScript, documents with macros, zips containing JS files...
these are all examples that are too broad for official signatures, but are
absolutely detectable through ClamAV signatures.
If your environment allows it, by all means go ahead and kill it with fire.
On Mon, May 15, 2017 at 11:22 AM, Kris Deugau <kdeugau at vianet.ca> wrote:
> Cedric Knight wrote:
>
>> Devs - is it possible to block PDFs based on containing '/JavaScript'
>> and '/OpenAction' (or '/Launch')? I wish ClamAV had a hierarchy from
>> definite signatures first to secondly checking heuristics...
>>
>
> Not a ClamAV developer, but yes, you can create a signature for this.
>
> You don't really want to do this, because you *will* block legitimate
> PDFs. Speaking from experience. :(
>
> -kgd
--
Matthew Molyett
Malware Researcher
mmolyett at cisco.com
Phone: (410) 309-4834
Mobile: (410) 674-2049
Cisco.com - http://www.cisco.com
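As an added example (not code from the original thread or from the ClamAV project), here is the kind of local rule the thread describes, written as a ClamAV .ldb logical signature, plus an offline harness that evaluates that signature against constructed sample PDFs and reproduces both the detection Cedric asks for and the false positive Kris warns about. The signature name, the sample PDFs and all function names are assumptions; the harness applies the subsignatures to the bytes it is handed and does not reproduce ClamAV's own PDF object parsing and stream decoding.

```python
# Added example (not ClamAV project code): build a local .ldb logical signature
# for PDFs that combine JavaScript with an auto-run trigger, then exercise it
# offline against constructed sample PDFs by evaluating the subsignatures and
# the logical expression as an .ldb record defines them.
# Signature name, sample PDFs and helper names are all assumptions.
import re

SIG_NAME = "Local.PDF.JS.AutoRun"          # local naming, not an official signature
SUBSIGS = [b"/JavaScript", b"/OpenAction", b"/Launch"]
LOGICAL_EXPR = "0&(1|2)"                   # /JavaScript AND (/OpenAction OR /Launch)


def build_ldb_line():
    """One .ldb record: Name;TargetDescriptionBlock;LogicalExpression;Subsig0;...
    Target:10 limits it to files ClamAV has typed as PDF; subsigs are hex bytes."""
    return ";".join([SIG_NAME, "Target:10", LOGICAL_EXPR] + [s.hex() for s in SUBSIGS])


def unescape_pdf_names(data):
    """PDF names may hex-escape characters (/J#61vaScript == /JavaScript).
    A raw byte subsignature does not see through that, so normalize first."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes.fromhex(m.group(1).decode()), data)


def eval_logical(expr, hits):
    """Evaluate a ClamAV-style logical expression over subsig hit flags.
    Handles the subset used here: subsig indexes, '&', '|' and parentheses."""
    pos = 0

    def parse_or():
        nonlocal pos
        v = parse_and()
        while pos < len(expr) and expr[pos] == "|":
            pos += 1
            rhs = parse_and()
            v = v or rhs
        return v

    def parse_and():
        nonlocal pos
        v = parse_atom()
        while pos < len(expr) and expr[pos] == "&":
            pos += 1
            rhs = parse_atom()
            v = v and rhs
        return v

    def parse_atom():
        nonlocal pos
        if expr[pos] == "(":
            pos += 1
            v = parse_or()
            if pos >= len(expr) or expr[pos] != ")":
                raise ValueError("unbalanced parentheses in " + expr)
            pos += 1
            return v
        m = re.match(r"\d+", expr[pos:])
        if not m:
            raise ValueError("bad token at %d in %s" % (pos, expr))
        pos += m.end()
        return hits[int(m.group())]

    result = parse_or()
    if pos != len(expr):
        raise ValueError("trailing input in " + expr)
    return result


def matches(ldb_line, data, unescape=False):
    """True if the .ldb record would fire on `data` (a PDF's bytes)."""
    _name, _target, expr, *hexsigs = ldb_line.split(";")
    if unescape:
        data = unescape_pdf_names(data)
    hits = [bytes.fromhex(h) in data for h in hexsigs]
    return eval_logical(expr, hits)


# Constructed minimal PDF fragments (not real samples); object numbers are illustrative.
SAMPLES = {
    # JavaScript wired to /OpenAction: runs on open, the case the thread wants blocked
    "js_on_open": (b"%PDF-1.4\n"
                   b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
                   b"3 0 obj << /S /JavaScript /JS (app.launchURL('http://example.invalid')) >> endobj\n"),
    # Plain document: /OpenAction only jumps to page 1, no JavaScript at all
    "benign_goto_page": (b"%PDF-1.4\n"
                         b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction [4 0 R /Fit] >> endobj\n"),
    # Kris's false positive: a harmless field-validation script plus a page-fit
    # /OpenAction trips the same rule as the malicious file
    "benign_form_fp": (b"%PDF-1.4\n"
                       b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction [4 0 R /Fit] >> endobj\n"
                       b"5 0 obj << /FT /Tx /T (zip) /AA << /K << /S /JavaScript /JS (AFNumber_Keystroke) >> >> >> endobj\n"),
    # Same payload as js_on_open with hex-escaped names: a raw byte match misses it
    "js_hex_escaped": (b"%PDF-1.4\n"
                       b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj\n"
                       b"3 0 obj << /S /Java#53cript /JS (app.launchURL('http://example.invalid')) >> endobj\n"),
}


def scan_samples(unescape=False):
    """Return {sample_name: fired} for every constructed PDF."""
    line = build_ldb_line()
    return {name: matches(line, data, unescape) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    print(build_ldb_line())            # paste into a local .ldb file, e.g. local.ldb
    unescaped = scan_samples(unescape=True)
    for name, fired in scan_samples().items():
        print("%-18s raw=%-5s unescaped=%s" % (name, fired, unescaped[name]))
```

Put the printed line into a .ldb file in ClamAV's database directory (or pass it for a one-off check with clamscan -d /path/to/local.ldb file.pdf) and run it against PDFs from your own environment before enforcing it. The benign_form_fp sample is exactly why Kris says the rule will block legitimate PDFs: a form with a field-validation script and a page-fit /OpenAction looks the same to three byte strings and an AND. The js_hex_escaped sample shows the other edge: PDF names may be hex-escaped, so a signature that only matches raw file bytes can be sidestepped by legal encoding; ClamAV's PDF handler parses and decodes objects before matching, so test what your signature actually sees against real samples rather than trusting the raw bytes alone.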