Hi there, On Sun, 25 Apr 2021, Alex via clamav-users wrote:
I'm using clamav with spamassassin and amavis on fedora33 and would like to block content based on CL_TYPE_SCRIPT, such as javascript within a PDF. https://www.clamav.net/documents/clamav-file-types How does this work?
It's no use looking for malicious JavaScript in a Portable Executable, so one of ClamAV's more important functions is to determine what type of data it's working with. It does that in more than one way, and it seems to be pretty good at it. I don't recall ever seeing it give an incorrect verdict.

A lot of ClamAV's detections rely on signatures. Because many signatures are written for particular kinds of data (so it would be pointless and possibly counterproductive to use them for other kinds) ClamAV needs to decide what kind of data it thinks it's working with before it hands the data to the scanner. That way it's possible to tell the scanner not to waste time on useless operations.

Having decided what you're scanning is a container (like PDF), then trying to detect malicious code embedded in there is another issue. In itself, detecting if JavaScript content is malicious presents some interesting and potentially troublesome challenges.

Your subject line is "Blocking file types?" but you're using ClamAV with SpamAssassin and Amavis so I guess that you'll be scanning mail. If I understand your question correctly, you could create a signature (a) which is only used for streams determined by ClamAV to contain PDF data (type 10, see your link), and (b) which looks for something like the string "/JS" in the PDF data. Clearly this simple-minded specification would not distinguish between malicious and benign scripts, and it would also risk false positives. See e.g.

https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.369.7192&rep=rep1&type=pdf
https://logrhythm.com/blog/detecting-malicious-javascript-in-a-pdf/

and also

https://arxiv.org/pdf/1810.12490
https://www.eecis.udel.edu/~hnw/paper/dsn14.pdf
https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-xu-meng.pdf

Did I get anywhere near to answering your question?

--
73, Ged.
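The signature Ged sketches, as an added example that is not part of the thread: it builds a ClamAV `.ndb` line (target type 10 = PDF, literal "/JS") and an equivalent `.ldb` logical signature, then runs a naive literal matcher over constructed PDF fragments to show why the marker alone cannot separate a harmless script from any other, and why it risks false positives. The matcher is a stand-in for `clamscan`, and the `.ndb`/`.ldb` field layouts and the sample fragments are assumptions of this example.

```python
# Added example, not code from the mailing-list thread or the ClamAV project.
import binascii

PDF_TARGET_TYPE = 10  # ClamAV target type for PDF (clamav.net file-types table)


def ndb_signature(name, pattern, target_type=PDF_TARGET_TYPE, offset="*"):
    """One .ndb line, Name:TargetType:Offset:HexPattern (assumed layout)."""
    return f"{name}:{target_type}:{offset}:{binascii.hexlify(pattern).decode()}"


def ldb_signature(name, patterns, target_type=PDF_TARGET_TYPE):
    """One .ldb line meaning 'any of these subsignatures', assumed layout:
    Name;Target:N;0|1|...;hex0;hex1;...  (no wildcards used here)."""
    expr = "|".join(str(i) for i in range(len(patterns)))
    subs = ";".join(binascii.hexlify(p).decode() for p in patterns)
    return f"{name};Target:{target_type};{expr};{subs}"


def ndb_matches(sig, data):
    """Naive literal matcher for a wildcard-free .ndb line (stand-in for clamscan)."""
    _name, _ttype, _offset, hexpat = sig.split(":")
    return binascii.unhexlify(hexpat) in data


def ldb_matches(sig, data):
    """Naive evaluator for the OR-only logical expression produced above."""
    fields = sig.split(";")
    expr, subs = fields[2], fields[3:]
    hits = {str(i) for i, h in enumerate(subs) if binascii.unhexlify(h) in data}
    return any(term in hits for term in expr.split("|"))


# Constructed PDF fragments (not real files): a harmless inline alert, a script
# kept in a separate stream, a page that merely mentions "/JS" in text, no script.
SAMPLES = {
    "inline_alert": b"%PDF-1.4\n5 0 obj << /S /JavaScript /JS (app.alert('hi')) >> endobj",
    "indirect_stream": b"%PDF-1.4\n5 0 obj << /S /JavaScript /JS 6 0 R >> endobj\n6 0 obj <<",
    "text_mention": b"%PDF-1.4\n4 0 obj stream\nBT (Use /JS to attach scripts) Tj ET\nendstream",
    "no_script": b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
}

JS_NDB = ndb_signature("PDF.Has.JS", b"/JS")
JS_LDB = ldb_signature("PDF.Has.JS.Logical", [b"/JS", b"/JavaScript"])


def verdicts():
    """Hit per sample: the first three all fire, although only one is a real action."""
    return {label: ndb_matches(JS_NDB, pdf) for label, pdf in SAMPLES.items()}
```

The "text_mention" hit is the false positive Ged warns about; the two genuine actions are indistinguishable to the signature, so it can only flag that a script is present, not whether it is malicious.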