[clamav-users] Sig writing advice - complex matching in a PDF
Kris Deugau
kdeugau at vianet.ca
Fri Jun 18 20:53:21 UTC 2021
I have a phishy PDF.
I want to match a string I've extracted from one of the files left by
clamscan --leave-temps, but ONLY if the outermost file being scanned is
a PDF.
The string on its own is just generic enough I don't want to rely on it
alone, so I want to limit matching to PDF files.
In theory, according to the sig-writing document, this means that this:
MySig:10:*:[pattern]
should work.
It doesn't.
MySig:0:*:[pattern] matches just fine, but it's going to match on any file.
MySig:0:0:255044462d312e350d0a*[pattern] doesn't match, because the PDF
header lead and the phishy string are not present in the same file
subcomponent, and the phishy string is not visible in the raw file.
Revising for a logical signature works with just the pattern:
MySig;Target:0;0;[pattern]
but not:
Mysig;Target:10;0;[pattern]
or
MySig;Container:CL_TYPE_PDF,Target:0;[pattern]
or
MySig;Target:0;0&1;255044462d312e350d0a;[pattern]
(never mind the fact that there doesn't seem to be a way to anchor
subsig 0 to the beginning of the file, which means the whole thing can
match other files that happen to embed a PDF header lead)
Attempts with a Yara signature fail much the same way.
Can anyone point me in the right direction?
-kgd
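The failure described in the post (a raw-file signature that anchors the PDF header with `*` never sees the lure text because that text only exists in a decoded stream) can be reproduced without ClamAV. The script below is an added example, not code from the thread or from the ClamAV project: it builds a constructed one-object PDF with a hypothetical lure string inside a FlateDecode stream, shows that an offset-0 header-plus-wildcard match fails against the raw bytes while a match against the decompressed stream succeeds, and assembles the hex-encoded logical-signature lines in the `Name;TargetDescriptionBlock;LogicalExpression;Subsig` layout from the signature docs. It only shows what those lines look like; it does not test whether ClamAV's `Target:10` or `Container:CL_TYPE_PDF` handling accepts them, which is the open question of the post.

```python
"""Model of why a raw-file PDF signature misses text that ClamAV only sees in
a decoded stream, plus the hex-encoded .ldb lines from the post.
Added example; the sample PDF and lure string are constructed here."""
import re
import zlib
from typing import Iterator, Optional

# The PDF header lead used in the post, i.e. hex 255044462d312e350d0a.
PDF_HEADER = b"%PDF-1.5\r\n"

# Constructed, hypothetical lure text standing in for the post's [pattern].
PHISHY_STRING = b"Your mailbox is almost full - verify your account now"

# ClamAV target types from the signature docs: 0 is "any file", 10 is PDF.
TARGET_ANY, TARGET_PDF = 0, 10


def build_sample_pdf(text: bytes) -> bytes:
    """Minimal one-object PDF whose page text sits inside a FlateDecode
    stream, so the lure text is not present in the raw file bytes."""
    content = b"BT /F1 12 Tf 72 700 Td (" + text + b") Tj ET"
    data = zlib.compress(content)
    return (
        PDF_HEADER
        + b"1 0 obj\n<< /Length " + str(len(data)).encode()
        + b" /Filter /FlateDecode >>\nstream\n"
        + data
        + b"\nendstream\nendobj\n%%EOF\n"
    )


def flate_streams(pdf: bytes) -> Iterator[bytes]:
    """Decompress each FlateDecode stream: roughly what clamscan --leave-temps
    leaves behind as separate subfiles for a PDF."""
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", pdf, re.S):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not a zlib stream (or not one we can inflate)


def to_hex(pattern: bytes) -> str:
    """Lowercase hex with no separators, the form sigtool --hex-dump emits."""
    return pattern.hex()


def raw_anchored_match(pdf: bytes, pattern: bytes) -> bool:
    """Model of MySig:0:0:255044462d312e350d0a*<pattern>: the header must sit
    at offset 0 and the pattern must follow it in the *same* byte stream."""
    return pdf.startswith(PDF_HEADER) and pattern in pdf[len(PDF_HEADER):]


def subfile_match(pdf: bytes, pattern: bytes) -> bool:
    """Model of a sub-file match: the pattern only has to appear in one of
    the decoded streams, not in the outer file."""
    return any(pattern in s for s in flate_streams(pdf))


def logical_sig(name: str, pattern: bytes, target: int = TARGET_PDF,
                container: Optional[str] = None) -> str:
    """Assemble one .ldb line: Name;TargetDescriptionBlock;LogicalExpr;Subsig0.
    The target block is a comma-separated list of key:value pairs."""
    tdb = f"Target:{target}"
    if container:
        tdb = f"Container:{container},{tdb}"
    return f"{name};{tdb};0;{to_hex(pattern)}"


if __name__ == "__main__":
    pdf = build_sample_pdf(PHISHY_STRING)
    print("raw anchored match:", raw_anchored_match(pdf, PHISHY_STRING))  # False
    print("decoded-stream match:", subfile_match(pdf, PHISHY_STRING))     # True
    print(logical_sig("MySig", PHISHY_STRING))
    print(logical_sig("MySig", PHISHY_STRING, target=TARGET_ANY,
                      container="CL_TYPE_PDF"))
```

To check the real engine rather than this model, put one of the printed lines in a file such as `MySig.ldb`, run `clamscan -d MySig.ldb --leave-temps --tempdir=/tmp/ct sample.pdf`, and compare the hex in the line with `sigtool --hex-dump` output for the same string; if the decoded subfile under the temp directory contains the bytes but the signature still does not fire, the problem is in the target or container block, not in the pattern.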