Hi, Could you please open a bug report at bugzilla.clamav.net? Please attach the sample(s) and signatures(s) that you are using.
I'd like to make sure this is tracked for investigation and possible code and documentation improvements. Sounds like there are some things to sort out here... Thanks, Steve On Sun, Feb 28, 2016 at 9:20 AM, David Shrimpton <d.shrimp...@its.uq.edu.au> wrote: > Hi, > > I wrote a signature against one of the temporary files clamav > pulled out of a pdf when --scan-pdf=yes. > > (The signature does not hit when --scan-pdf=no.) > > If the signature is TargetType 10 = PDF it was not hit. > > If it was type 0 = any file, it was hit. But it would also be hit > by other files not related to the pdf eg text or html, > which I don't want. I only want to match > files pulled out of a pdf by --scan-pdf. > > (clamav --debug reports the file from the pdf as ascii , but Target Type 7 > for normalized ascii file does not work.) > > This is similar confusion to what type 2 means. > > signatures.pdf says type 2 is file inside an OLE2 container but it actually > appears to denote an OLE2 container itself and not a file inside one > unless that file is itself an OLE2 container. > > It seems to me that having additional types may be helpful: eg any file > inside an OLE2 or any 'file' inside a pdf in addition to type 2 and 10. > > > PS it appears -z does not work when there is a hit on a 'file' inside a > PDF. Other signatures that match the pdf itself are not reported as being > hit. This is a similar problem to -z not working when there are hits on > macros > inside OLE2 or a hit on Heuristics.OLE2.ContainsMacros. > > -- > David Shrimpton > _______________________________________________ > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml > _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
