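On Monday 28 November 2016, 14:28:11 CET, Steve Basford wrote:

> I guess this *might* be an option.

Thanks for your reply and this idea.

> 1. Find something common in your pdf you want to "whitelist", say "Your
> company name or department", convert this to hex.

Let's say "My Safe PDF" → "4d79205361666520504446".
(and "/JavaScript" → "2f4a617661536372697074")

> 2. Create an ign2 file to ignore the normal PUA file.

In "/var/lib/clamav/safe_pdf.ign2":

```
PUA.Script.PDF.EmbeddedJavaScript
```

> 3. Create an ldb sig, which should do the same at the current PUA
> BUT you are creating a whitelist "phrase".
>
> eg:
>
> Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);25504
> 4462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);41646F6265204C697
> 6654379636C652044657369676E65722045532031302E30

How is this line actually generated?

I tried in "/var/lib/clamav/safe_pdf.ldb" this line:

```
Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);4d79205361666520504446
```

But I could not get it to work. ClamAV logs say:

```
Thu Dec 1 11:32:47 2016 -> /var/spool/exim4/scan/1cCOfW-0007QY-DV/1cCOfW-0007QY-DV.eml: PUA.Pdf.Trojan.EmbeddedJavaScript-1(79c2e679cf8af9fc259c00535cf9c5d0:305994) FOUND
Thu Dec 1 11:32:47 2016 -> ERROR: VirusEvent: fork failed.
```

Thanks for your help.

--
Mathieu

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml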
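Added example, not part of the original message or of ClamAV's own code: a Python sketch that assembles the semicolon-separated fields of the logical signature line discussed above (name; target description block; logical expression; subsignatures) and decodes a mail-wrapped line back into readable phrases. The function names are illustrative, and the assumption that the line contains no whitespace is taken from the lines quoted in the thread.

```python
import re

# Subsignature 0 exactly as quoted in the thread:
# "%PDF-" * "obj" {-2} "<<" {-100} "/JavaScript" then 0x20, "(" or "<"
PDF_JS_SUBSIG = "255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c)"
PLAIN_HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")


def to_hex(phrase):
    """Hex-encode an ASCII phrase for use as a subsignature."""
    return phrase.encode("ascii").hex()


def normalize(pasted):
    """Undo mail wrapping: drop '>' quote markers and all whitespace."""
    lines = [l.lstrip("> ").strip() for l in pasted.splitlines()]
    return re.sub(r"\s+", "", "".join(lines))


def build_ldb(name, tdb, expr, subsigs):
    """Join the fields into one line; refuse stray whitespace (assumption)."""
    line = ";".join([name, tdb, expr, *subsigs])
    if re.search(r"\s", line):
        raise ValueError("whitespace inside signature line")
    return line


def describe_ldb(line):
    """Split a line into fields and decode subsignatures that are pure hex."""
    name, tdb, expr, *subsigs = line.split(";")
    decoded = [
        bytes.fromhex(s).decode("ascii", "replace") if PLAIN_HEX.fullmatch(s) else None
        for s in subsigs
    ]
    return {"name": name, "tdb": tdb, "expr": expr,
            "subsigs": subsigs, "decoded": decoded}


if __name__ == "__main__":
    # (0&1=0): subsignature 0 matches and subsignature 1 matches zero times
    line = build_ldb("Local.PUA.Script.PDF.EmbeddedJavaScript",
                     "Engine:51-255,Target:0", "(0&1=0)",
                     [PDF_JS_SUBSIG, to_hex("My Safe PDF")])
    print(line)
    print(describe_ldb(line)["decoded"])
```

Running `describe_ldb(normalize(...))` on a signature pasted from a mail shows which phrase the second subsignature actually encodes before the file is loaded.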
Thanks for your reply and this idea. > 1. Find something common in your pdf you want to "whitelist", say "Your > company name or department", convert this to hex. Let's say "My Safe PDF" → "4d79205361666520504446". (and "/JavaScript" → "2f4a617661536372697074") > 2. Create an ign2 file to ignore the normal PUA file. In "/var/lib/clamav/safe_pdf.ign2": ``` PUA.Script.PDF.EmbeddedJavaScript ``` > 3. Create an ldb sig, which should do the same at the current PUA > BUT you are creating a whitelist "phrase". > > eg: > > Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0);25504 > 4462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c);41646F6265204C697 > 6654379636C652044657369676E65722045532031302E30 How is this line actually generated? I tried in "/var/lib/clamav/safe_pdf.ldb" this line: ``` Local.PUA.Script.PDF.EmbeddedJavaScript;Engine:51-255,Target:0;(0&1=0); 255044462d*6f626a{-2}3c3c{-100}2f4a617661536372697074(20|28|3c); 4d79205361666520504446 ``` But I could not get it to work. ClamAV logs says: ``` Thu Dec 1 11:32:47 2016 -> /var/spool/exim4/scan/1cCOfW-0007QY-DV/ 1cCOfW-0007QY-DV.eml: PUA.Pdf.Trojan.EmbeddedJavaScript-1(79c2e679cf8af9fc259c00535cf9c5d0:305994) FOUND Thu Dec 1 11:32:47 2016 -> ERROR: VirusEvent: fork failed. ``` Thanks for your help. -- Mathieu _______________________________________________ clamav-users mailing list clamav-users@lists.clamav.net http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml