[clamav-users] Blocking file types?
Alex
mysqlstudent at gmail.com
Tue Apr 27 00:41:54 UTC 2021
Hi,
> for examples of utilities which might be useful. You're just going to
> create regular expressions of a kind, where (unlike the familiar kind)
> literal characters are given in hexadecimal instead of as themselves.
>
> The regex way: (A|B)C{1,3}\x01
> Signature way: (41|42)43{1-3}01
>
> There's also the Yara way, which can be more convenient. A couple of
> custom Yara rules here deals with quite a few irritating spammers who
> might otherwise be tricky to catch reliably.
>
> You might find something to get you started in the existing signatures.
I managed to do it quite easily using a simple yara rule. Just create
it in a text editor and save it with a yara extension in the clamav
lib directory. I'm sure this is prone to false-positives, but it's
probably unique enough for this purpose.
rule javablock : javascript
{
    meta:
        description = "block javascript"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = "/JS"
        $b = "<</JavaScript 330 0 R>>"
    condition:
        $a or $b
}
$ clamscan -v JavaScriptClock.pdf
Scanning /home/alex/JavaScriptClock.pdf
/home/alex/JavaScriptClock.pdf: YARA.javablock.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Known viruses: 8718308
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 5.31 MB
Data read: 4.98 MB (ratio 1.07:1)
Time: 14.863 sec (0 m 14 s)
Start Date: 2021:04:26 20:34:09
End Date: 2021:04:26 20:34:24
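As an added illustration of the hexadecimal signature notation mentioned in the quoted reply (not code from the thread or from the ClamAV project), the following Python script parses a small subset of ClamAV's body-signature syntax (two-digit hex literals, `??` for one wildcard byte, `*` for any run of bytes, `{n-m}` gaps and `(aa|bb)` alternation) and matches it against a byte string. Two caveats worth keeping in mind when converting from regexes: in ClamAV's notation `43{1-3}01` means the byte 0x43, then a gap of one to three arbitrary bytes, then 0x01, so `{1-3}` is a gap and not a repeat count for the preceding byte; and of the two strings in the YARA rule above, `/JS` will fire on any PDF that uses JavaScript at all, while `330 0 R` is an indirect-object reference whose number is specific to one particular file. The `parse_signature`, `signature_matches` and `literal_to_hex` names are my own; the sample inputs are constructed.

```python
"""Toy matcher for a subset of ClamAV's hexadecimal body-signature syntax.

Supported: hex literals (41), one-byte wildcard (??), any-length wildcard (*),
gaps ({n}, {n-m}, {-m}, {n-}) and alternation ((41|42)). Not a full
implementation of ClamAV's format; it is meant to show how such signatures
are read, and why literal bytes are written as hex.
"""
import re

# One regex alternative per token kind; group numbers are used below.
TOKEN = re.compile(
    r"\(([0-9a-fA-F|]+)\)"       # 1: alternation, e.g. (41|42)
    r"|\{(\d*)(-?)(\d*)\}"       # 2,3,4: gap, e.g. {3} {1-3} {-3} {3-}
    r"|(\?\?)"                   # 5: exactly one arbitrary byte
    r"|(\*)"                     # 6: zero or more arbitrary bytes
    r"|([0-9a-fA-F]{2})"         # 7: one literal byte
)


def literal_to_hex(data: bytes) -> str:
    """Spell a literal byte string the way a ClamAV signature body wants it."""
    return data.hex()


def parse_signature(sig: str) -> list:
    """Turn a signature body such as '(41|42)43{1-3}01' into a token list.

    Tokens are ("lit", bytes), ("alt", [bytes, ...]) or ("gap", lo, hi)
    where hi is None for an unbounded gap.
    """
    tokens, pos = [], 0
    while pos < len(sig):
        m = TOKEN.match(sig, pos)
        if not m:
            raise ValueError(f"unsupported syntax at offset {pos}: {sig[pos:]!r}")
        alt, lo, dash, hi, wild, star, lit = m.groups()
        if alt is not None:
            tokens.append(("alt", [bytes.fromhex(a) for a in alt.split("|")]))
        elif lo is not None:                      # the gap branch matched
            if lo == "" and hi == "":
                raise ValueError(f"empty gap at offset {pos}")
            if dash == "":                        # {n}: exactly n bytes
                tokens.append(("gap", int(lo), int(lo)))
            else:                                 # {n-m}, {-m}, {n-}
                tokens.append(("gap", int(lo or 0), int(hi) if hi else None))
        elif wild:
            tokens.append(("gap", 1, 1))
        elif star:
            tokens.append(("gap", 0, None))
        else:
            tokens.append(("lit", bytes.fromhex(lit)))
        pos = m.end()
    return tokens


def _match_at(tokens: list, data: bytes, pos: int, ti: int) -> bool:
    """Backtracking match of tokens[ti:] against data starting at pos."""
    if ti == len(tokens):
        return True
    tok = tokens[ti]
    if tok[0] == "lit":
        lit = tok[1]
        return data.startswith(lit, pos) and _match_at(tokens, data, pos + len(lit), ti + 1)
    if tok[0] == "alt":
        return any(data.startswith(a, pos) and _match_at(tokens, data, pos + len(a), ti + 1)
                   for a in tok[1])
    _, lo, hi = tok                               # a gap: try every allowed width
    hi = len(data) - pos if hi is None else hi
    for skip in range(lo, hi + 1):
        if pos + skip > len(data):
            break
        if _match_at(tokens, data, pos + skip, ti + 1):
            return True
    return False


def signature_matches(sig: str, data: bytes) -> bool:
    """True if the signature body matches anywhere inside data."""
    tokens = parse_signature(sig)
    return any(_match_at(tokens, data, start, 0) for start in range(len(data) + 1))


if __name__ == "__main__":
    # Constructed sample: a fragment resembling a PDF with a JavaScript action.
    sample = b"%PDF-1.4\n12 0 obj <</S /JavaScript /JS (app.alert(1))>> endobj\n"
    print(literal_to_hex(b"/JS"))                                  # 2f4a53
    print(signature_matches(literal_to_hex(b"/JS"), sample))       # True
    print(signature_matches("(41|42)43{1-3}01", b"AC\x00\x01"))    # True
```

Running this on a file is the same idea ClamAV applies at scale: every literal byte is spelled as two hex digits, and the wildcards describe what may sit between them. A signature built only from a string like `/JS` is the hex equivalent of the broad `$a` string in the YARA rule, which is why a narrower anchor (or a logical signature combining several strings) is usually needed to keep false positives down.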