I have a phishy PDF.
I want to match a string I've extracted from one of the files left by
clamscan --leave-temps, but ONLY if the outermost file being scanned is
a PDF.
The string on its own is just generic enough I don't want to rely on it
alone, so I want to limit matching to PDF files.
In theory, according to the sig-writing document, this means that this:
MySig:10:*:[pattern]
should work.
It doesn't.
MySig:0:*:[pattern] matches just fine, but it's going to match on any file.
MySig:0:0:255044462d312e350d0a*[pattern] doesn't match, because the PDF
header lead and the phishy string are not present in the same file
subcomponent, and the phishy string is not visible in the raw file.
Revising for a logical signature works with just the pattern:
MySig;Target:0;0;[pattern]
but not:
Mysig;Target:10;0;[pattern]
or
MySig;Container:CL_TYPE_PDF,Target:0;[pattern]
or
MySig;Target:0;0&1;255044462d312e350d0a;[pattern]
(never mind the fact that there doesn't seem to be a way to anchor
subsig 0 to the beginning of the file, which means the whole thing can
match other files that happen to embed a PDF header lead)
Attempts with a Yara signature fail much the same way.
Can anyone point me in the right direction?
-kgd
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
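The failure described above (the PDF header lead is in the outer file, while the suspicious string only appears in a subfile that clamscan --leave-temps writes out) can be reproduced without ClamAV. The following is an added example, not code from the poster or from the ClamAV project: it builds a constructed PDF whose only content is a FlateDecode stream carrying a made-up phishing string, shows that the string is absent from the raw bytes but present once the stream is inflated, and assembles the .ndb/.ldb signature lines in the form the post uses. The string PHISHY, the helper names and the minimal PDF layout are all assumptions for the demo; nothing here claims which ClamAV target block ultimately matches.

```python
import re
import zlib

PDF_MAGIC = b"%PDF-"

# Constructed sample only (not from the post): the kind of generic string one
# might extract from a clamscan --leave-temps subfile.
PHISHY = b"Click here to verify your account now"


def clam_hex(s: bytes) -> str:
    """Encode raw bytes as a ClamAV hex pattern (no separators)."""
    return s.hex()


def ndb_line(name: str, target: int, offset: str, hex_pattern: str) -> str:
    """Build a .ndb line: Name:TargetType:Offset:HexPattern.
    Target 0 = any file, 10 = PDF; offset '*' = anywhere."""
    return f"{name}:{target}:{offset}:{hex_pattern}"


def ldb_line(name: str, target_block: str, logic: str, *subsigs: str) -> str:
    """Build a .ldb line: Name;TargetDescriptionBlock;Logic;Subsig0;Subsig1;..."""
    return ";".join([name, target_block, logic, *subsigs])


def make_pdf_with_flate_stream(payload: bytes) -> bytes:
    """Constructed minimal PDF (hypothetical layout, not a full valid PDF):
    one object whose FlateDecode stream carries `payload`, so the payload
    bytes do not occur verbatim in the outer file."""
    compressed = zlib.compress(payload, 9)
    obj = (
        b"1 0 obj\n<< /Length " + str(len(compressed)).encode()
        + b" /Filter /FlateDecode >>\nstream\n" + compressed
        + b"\nendstream\nendobj\n"
    )
    return b"%PDF-1.5\r\n" + obj + b"%%EOF\n"


# Matches each stream body between 'stream' and 'endstream' keywords.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def is_pdf(data: bytes) -> bool:
    """Outermost-file check: does the file start with the PDF magic?"""
    return data.startswith(PDF_MAGIC)


def raw_match(data: bytes, pattern: bytes) -> bool:
    """Pattern search over the outer file bytes only (what a body signature
    against the raw file sees)."""
    return pattern in data


def stream_match(data: bytes, pattern: bytes) -> bool:
    """Pattern search over every inflatable stream (the subfile level that
    --leave-temps exposes); streams that fail to inflate are skipped."""
    for m in STREAM_RE.finditer(data):
        try:
            if pattern in zlib.decompress(m.group(1)):
                return True
        except zlib.error:
            continue
    return False


def scan(data: bytes, pattern: bytes) -> dict:
    """Summarise where the pattern is visible for a given file."""
    return {
        "is_pdf": is_pdf(data),
        "raw": raw_match(data, pattern),
        "stream": stream_match(data, pattern),
    }


def candidate_signatures(name: str, pattern: bytes) -> list:
    """The signature shapes from the post, built from the raw string.
    Header lead 255044462d312e350d0a is '%PDF-1.5\\r\\n'."""
    hp = clam_hex(pattern)
    lead = clam_hex(b"%PDF-1.5\r\n")
    return [
        ndb_line(name, 0, "*", hp),                 # any file, anywhere
        ndb_line(name, 10, "*", hp),                # PDF target type
        ndb_line(name, 0, "0", lead + "*" + hp),    # header lead then string
        ldb_line(name, "Target:0", "0", hp),
        ldb_line(name, "Target:0", "0&1", lead, hp),
    ]


if __name__ == "__main__":
    sample = make_pdf_with_flate_stream(PHISHY)
    print(scan(sample, PHISHY))
    for line in candidate_signatures("MySig", PHISHY):
        print(line)
```

Running the script prints a result where is_pdf and stream are true but raw is false, which is the situation the post describes: a single subsignature cannot see both the outer header and the inflated stream content at once.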