Hi,

> for examples of utilities which might be useful. You're just going to
> create regular expressions of a kind, where (unlike the familiar kind)
> literal characters are given in hexadecimal instead of as themselves.
>
> The regex way: (A|B)C{1,3}\x01
> Signature way: (41|42)43{1-3}01
>
> There's also the Yara way, which can be more convenient. A couple of
> custom Yara rules here deal with quite a few irritating spammers who
> might otherwise be tricky to catch reliably.
>
> You might find something to get you started in the existing signatures.

I managed to do it quite easily using a simple yara rule. Just create it in a text editor and save it with a yara extension in the clamav lib directory. I'm sure this is prone to false-positives, but it's probably unique enough for this purpose.

rule javablock : javascript
{
    meta:
        description = "block javascript"
        threat_level = 3
        in_the_wild = true
    strings:
        $a = "/JS"
        $b = "<</JavaScript 330 0 R>>"
    condition:
        $a or $b
}

$ clamscan -v JavaScriptClock.pdf
Scanning /home/alex/JavaScriptClock.pdf
/home/alex/JavaScriptClock.pdf: YARA.javablock.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Known viruses: 8718308
Engine version: 0.103.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 5.31 MB
Data read: 4.98 MB (ratio 1.07:1)
Time: 14.863 sec (0 m 14 s)
Start Date: 2021:04:26 20:34:09
End Date:   2021:04:26 20:34:24

_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
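
Added example, not part of the original post and not ClamAV code: the reply above notes that a bare "/JS" substring match is prone to false positives. This Python check counts /JS and /JavaScript only when they appear as whole PDF name tokens, after resolving the #xx escapes that PDF syntax allows inside names. The function names and the sample byte strings are constructed for illustration.

```python
import re

# A PDF name starts with "/" and runs until whitespace or a delimiter character.
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]*)")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")
WATCHED = (b"JS", b"JavaScript")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so equivalent spellings of a name compare equal."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def javascript_names(data: bytes) -> dict:
    """Count whole-token /JS and /JavaScript names in raw PDF bytes."""
    counts = {name.decode(): 0 for name in WATCHED}
    for match in _NAME.finditer(data):
        name = decode_name(match.group(1))
        if name in WATCHED:
            counts[name.decode()] += 1
    return counts


def flagged(data: bytes) -> bool:
    """True when at least one watched name token is present."""
    return any(javascript_names(data).values())


# Constructed samples (not taken from any real file).
SAMPLE_HIT = b"<< /Type /Action /S /JavaScript /JS 7 0 R >>"
SAMPLE_ESCAPED = b"<< /Type /Action /S /J#61vaScript /J#53 7 0 R >>"
# Contains the bytes "/JS" twice, but never as a complete name token.
SAMPLE_BENIGN = b"<< /Type /Page /JSONData 3 0 R >>\nstream\nab/JSx\x01cd\nendstream\n"

if __name__ == "__main__":
    for label, sample in (("hit", SAMPLE_HIT),
                          ("escaped", SAMPLE_ESCAPED),
                          ("benign", SAMPLE_BENIGN)):
        print(label, javascript_names(sample),
              "substring /JS:", b"/JS" in sample)
```

The check reads only the raw bytes it is given; names inside compressed object streams are not visible to it.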