[clamav-users] Blocking file types?
Hi,

I'm using clamav with spamassassin and amavis on fedora33 and would
like to block content based on CL_TYPE_SCRIPT, such as javascript
within a PDF.

https://www.clamav.net/documents/clamav-file-types

How does this work?

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Blocking file types?
Hi there,

On Sun, 25 Apr 2021, Alex via clamav-users wrote:

> I'm using clamav with spamassassin and amavis on fedora33 and would
> like to block content based on CL_TYPE_SCRIPT, such as javascript
> within a PDF.
>
> https://www.clamav.net/documents/clamav-file-types
>
> How does this work?

It's no use looking for malicious JavaScript in a Portable Executable,
so one of ClamAV's more important functions is to determine what type
of data it's working with. It does that in more than one way, and it
seems to be pretty good at it. I don't recall ever seeing it give an
incorrect verdict. A lot of ClamAV's detections rely on signatures.
Because many signatures are written for particular kinds of data (so
it would be pointless and possibly counterproductive to use them for
other kinds) ClamAV needs to decide what kind of data it thinks it's
working with before it hands the data to the scanner. That way it's
possible to tell the scanner not to waste time on useless operations.

Having decided what you're scanning is a container (like PDF), then
trying to detect malicious code embedded in there is another issue.
In itself, detecting if JavaScript content is malicious presents some
interesting and potentially troublesome challenges.

Your subject line is "Blocking file types?" but you're using ClamAV
with SpamAssassin and Amavis so I guess that you'll be scanning mail.
If I understand your question correctly, you could create a signature

(a) which is only used for streams determined by ClamAV to contain PDF
data (type 10, see your link), and

(b) which looks for something like the string "/JS" in the PDF data.

Clearly this simple-minded specification would not distinguish between
malicious and benign scripts, and it would also risk false positives.

See e.g.

https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.369.7192&rep=rep1&type=pdf
https://logrhythm.com/blog/detecting-malicious-javascript-in-a-pdf/

and also

https://arxiv.org/pdf/1810.12490
https://www.eecis.udel.edu/~hnw/paper/dsn14.pdf
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-xu-meng.pdf

Did I get anywhere near to answering your question?

--

73,
Ged.

Re: [clamav-users] Blocking file types?
Hi,

> > I'm using clamav with spamassassin and amavis on fedora33 and would
> > like to block content based on CL_TYPE_SCRIPT, such as javascript
> > within a PDF.
> >
> > https://www.clamav.net/documents/clamav-file-types
> >
> > How does this work?
>
...
> Having decided what you're scanning is a container (like PDF), then
> trying to detect malicious code embedded in there is another issue.
> In itself, detecting if JavaScript content is malicious presents some
> interesting and potentially troublesome challenges.

Yes, understood - I'm looking to block all PDFs that contain
javascript, malicious or otherwise.

> Your subject line is "Blocking file types?" but you're using ClamAV
> with SpamAssassin and Amavis so I guess that you'll be scanning mail.
> If I understand your question correctly, you could create a signature
>
> (a) which is only used for streams determined by ClamAV to contain PDF
> data (type 10, see your link), and
>
> (b) which looks for something like the string "/JS" in the PDF data.
>
> Clearly this simple-minded specification would not distinguish between
> malicious and benign scripts, and it would also risk false positives.

Yes, and your resources were very helpful, but the clamav instructions
for building a signature appear to rely on there being an existing
file. I have a few PDFs that include javascript, but I don't want to
build a signature for them specifically, but more generally for those
that simply contain javascript.

> Did I get anywhere near to answering your question?

Yes, and very appreciative, as always.

Thanks,
Alex

Re: [clamav-users] Blocking file types?
Hi there,

On Sun, 25 Apr 2021, Alex via clamav-users wrote:

> ... the clamav instructions for building a signature appear to rely
> on there being an existing file.

If you mean piping a file through 'sigtool' to get a hexadecimal
representation, that's just one way to do it. You can also write
signatures by 'dead reckoning', see

man ascii

and

man hexdump

for examples of utilities which might be useful. You're just going to
create regular expressions of a kind, where (unlike the familiar kind)
literal characters are given in hexadecimal instead of as themselves.

The regex way: (A|B)C{1,3}\x01
Signature way: (41|42)43{1-3}01

There's also the Yara way, which can be more convenient. A couple of
custom Yara rules here deal with quite a few irritating spammers who
might otherwise be tricky to catch reliably.

You might find something to get you started in the existing signatures.

HTH

--

73,
Ged.

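The signature Ged sketched in his first reply (restricted to streams ClamAV has typed as PDF, matching a "/JS"-style string) and the hex-encoding he describes above can be combined into one line in ClamAV's .ndb body-signature format, which is MalwareName:TargetType:Offset:HexSignature. The following is an added example, not code from the thread or from the ClamAV project; the signature name, the two constructed sample PDFs and the dry-run matcher are my assumptions, while target type 10 for PDF comes from the file-types page Alex linked and the (aa|bb) alternation syntax is ClamAV's own.

```python
"""
Build a ClamAV .ndb signature that fires on PDF data containing the name
tokens /JS or /JavaScript, then dry-run the hex body on constructed input.
Added example; not ClamAV project code.
"""
import re

# Target type from the ClamAV file-types page linked in the thread: 10 = PDF.
TARGET_TYPE_PDF = 10

# The PDF name tokens that introduce JavaScript actions (Ged's "/JS" idea).
JS_NAMES = [b"/JS", b"/JavaScript"]


def to_hex(literal: bytes) -> str:
    """Hex form of a literal, the same thing `sigtool --hex-dump` prints."""
    return literal.hex()


def alternation(literals) -> str:
    """ClamAV body syntax for 'any of these byte strings': (aa|bb|cc)."""
    return "(" + "|".join(to_hex(lit) for lit in literals) + ")"


def ndb_line(name: str, target_type: int, body: str, offset: str = "*") -> str:
    """One .ndb record; '*' means the body may occur at any offset."""
    return f"{name}:{target_type}:{offset}:{body}"


def pdf_js_signature() -> str:
    # Signature name is an assumption; pick whatever fits your local naming.
    return ndb_line("Local.PDF.ContainsJS", TARGET_TYPE_PDF, alternation(JS_NAMES))


def body_to_regex(body: str) -> "re.Pattern[bytes]":
    """Dry-run helper (assumption, not a ClamAV API): turn a hex body that uses
    only plain hex and (a|b) groups back into a bytes regex."""
    pattern = re.sub(
        r"[0-9a-f]{2}",
        lambda m: re.escape(bytes.fromhex(m.group(0))).decode("latin-1"),
        body,
    )
    return re.compile(pattern.encode("latin-1"), re.DOTALL)


def matches(sig_line: str, data: bytes) -> bool:
    """Would the body field of this .ndb line match the given bytes?"""
    body = sig_line.split(":", 3)[3]
    return body_to_regex(body).search(data) is not None


# Constructed sample PDFs (not real files): one with a JavaScript OpenAction,
# one without any script at all.
PDF_WITH_JS = (
    b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /S /JavaScript /JS (app.alert('hi')) >>\nendobj\n%%EOF\n"
)
PDF_PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    sig = pdf_js_signature()
    print(sig)  # the line to drop into a .ndb file in the ClamAV database directory
    print("with JS :", matches(sig, PDF_WITH_JS))
    print("plain   :", matches(sig, PDF_PLAIN))
```

Save the printed line into a file with a .ndb extension in the ClamAV database directory and clamscan will report it as Local.PDF.ContainsJS.UNOFFICIAL. Because the target type is 10, the body is only ever searched in data ClamAV has already identified as PDF, which is the point of Ged's (a); the body is still a raw byte match, so it inherits the false-positive caveat of his (b).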
Re: [clamav-users] Blocking file types?
Hi,

> for examples of utilities which might be useful. You're just going to
> create regular expressions of a kind, where (unlike the familiar kind)
> literal characters are given in hexadecimal instead of as themselves.
>
> The regex way: (A|B)C{1,3}\x01
> Signature way: (41|42)43{1-3}01
>
> There's also the Yara way, which can be more convenient. A couple of
> custom Yara rules here deals with quite a few irritating spammers who
> might otherwise be tricky to catch reliably.
>
> You might find something to get you started in the existing signatures.

I managed to do it quite easily using a simple yara rule. Just create
it in a text editor and save it with a yara extension in the clamav
lib directory. I'm sure this is prone to false positives, but it's
probably unique enough for this purpose.

rule javablock : javascript
{
    meta:
        description = "block javascript"
        threat_level = 3
        in_the_wild = true

    strings:
        $a = "/JS"
        $b = "<</JavaScript 330 0 R>>"

    condition:
        $a or $b
}


$ clamscan -v JavaScriptClock.pdf
Scanning /home/alex/JavaScriptClock.pdf
/home/alex/JavaScriptClock.pdf: YARA.javablock.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8718308
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 5.31 MB
Data read: 4.98 MB (ratio 1.07:1)
Time: 14.863 sec (0 m 14 s)
Start Date: 2021:04:26 20:34:09
End Date: 2021:04:26 20:34:24
