Hi,

> > I'm using clamav with spamassassin and amavis on fedora33 and would
> > like to block content based on CL_TYPE_SCRIPT, such as javascript
> > within a PDF.
> >
> > https://www.clamav.net/documents/clamav-file-types
> >
> > How does this work?
> ...
> Having decided what you're scanning is a container (like PDF), then
> trying to detect malicious code embedded in there is another issue.
> In itself, detecting if JavaScript content is malicious presents some
> interesting and potentially troublesome challenges.

Yes, understood - I'm looking to block all PDFs that contain javascript, malicious or otherwise.

> Your subject line is "Blocking file types?" but you're using ClamAV
> with SpamAssassin and Amavis so I guess that you'll be scanning mail.
> If I understand your question correctly, you could create a signature
>
> (a) which is only used for streams determined by ClamAV to contain PDF
> data (type 10, see your link), and
>
> (b) which looks for something like the string "/JS" in the PDF data.
>
> Clearly this simple-minded specification would not distinguish between
> malicious and benign scripts, and it would also risk false positives.

Yes, and your resources were very helpful, but the clamav instructions for building a signature appear to rely on there being an existing file. I have a few PDFs that include javascript, but I don't want to build a signature for them specifically, but more generally for those that simply contain javascript.

> Did I get anywhere near to answering your question?

Yes, and very appreciative, as always.

Thanks,
Alex
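
The signature suggested in the quoted reply (target type 10, literal "/JS") can be written without any sample file. The following is an added example, not part of the thread or of ClamAV itself: it builds the line in ClamAV's extended `.ndb` format (`Name:TargetType:Offset:HexSignature`) and checks it against constructed PDF fragments, including the false-positive case the reply warns about. The signature name `Local.PDF.ContainsJS` and the sample bytes are assumptions made for illustration.

```python
"""Build a ClamAV extended (.ndb) signature from a literal string, no sample file needed."""

PDF_TARGET_TYPE = 10  # PDF target type, as given in the thread ("type 10")


def ndb_signature(name: str, literal: bytes, target: int = PDF_TARGET_TYPE) -> str:
    """Return one .ndb line: Name:TargetType:Offset:HexSignature ('*' = any offset)."""
    if not name or ":" in name:
        raise ValueError("signature name must be non-empty and contain no ':'")
    if len(literal) < 2:
        raise ValueError("literal too short to make a useful signature")
    return f"{name}:{target}:*:{literal.hex()}"


def literal_of(sig_line: str) -> bytes:
    """Recover the byte string that a wildcard-free .ndb line searches for."""
    return bytes.fromhex(sig_line.split(":")[3])


def would_match(sig_line: str, data: bytes) -> bool:
    """Plain substring search standing in for the scanner (not ClamAV's engine)."""
    return literal_of(sig_line) in data


# Constructed PDF fragments, not real documents.
SAMPLES = {
    "with_js": b"%PDF-1.4\n1 0 obj\n<< /S /JavaScript /JS (app.alert(1);) >>\nendobj\n",
    "no_js": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
    # Benign text that happens to contain the bytes "/JS": a false positive.
    "false_positive": b"%PDF-1.4\n1 0 obj\n<< /Title (Build/JSON notes) >>\nendobj\n",
}

# Hypothetical local signature name; pick any name that suits your naming scheme.
SIG = ndb_signature("Local.PDF.ContainsJS", b"/JS")

if __name__ == "__main__":
    print(SIG)  # save this line in a .ndb file in the ClamAV database directory
    for label, data in SAMPLES.items():
        print(f"{label:15} -> {'MATCH' if would_match(SIG, data) else 'clean'}")
```

The substring check only illustrates what the literal will and will not hit; the real test is to scan known PDFs with `clamscan -d` pointed at the `.ndb` file before enabling it for mail.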