[clamav-users] Probable false positive *.xlsm - Win.Trojan.Toa-5368540-0

Reindl Harald h.reindl at thelounge.net
Thu Dec 29 09:15:13 UTC 2016


On 29.12.2016 at 07:30, demonhunter wrote:
> Samples can be easily generated by creating a blank Word or Excel document, creating an empty macro module with a single empty subroutine, and saving the Word/Excel file as a .docm or .xlsm file. Scanning one of these brand new files against a saved copy of the signature shows that it matches (implying that all or nearly all modern Office 2007+ files containing VBA macros would have matched this rule):

yeah, but only the docm/xlsm and frankly on a sane inbound mailserver 
you reject them unconditionally - I have even seen servers in the wild 
rejecting xls/doc and use xlsx/docx because they *could* contain macros 
to keep all the crypto malware out of the house

signatures were and will always be too late for the most recent malware 
and hence in 2016 macros and executables don't belong in emails at all
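
The attachment policy described in the reply above, sketched as an added example that is not part of the original post or of ClamAV: it flags an attachment by its .docm/.xlsm name or, for any ZIP-based Office container, by the presence of a vbaProject.bin part. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

MACRO_EXTS = (".docm", ".xlsm")  # the macro-enabled extensions named in the thread


def has_vba_part(data: bytes) -> bool:
    """True if data is a ZIP (OOXML) container that holds a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().rsplit("/", 1)[-1] == "vbaproject.bin"
                       for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a ZIP container at all


def macro_attachments(raw: bytes) -> list:
    """Return (filename, reason) for each top-level attachment the policy rejects."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        if name.lower().endswith(MACRO_EXTS):
            hits.append((name, "extension"))
        elif has_vba_part(data):
            hits.append((name, "vbaProject.bin inside container"))
    return hits


def constructed_sample() -> bytes:
    """Constructed test message: three attachments, two of which should be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/vbaProject.bin", b"\x00")  # placeholder bytes, not real VBA
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    for payload, fname in ((buf.getvalue(), "report.xlsx"),
                           (b"placeholder", "notes.xlsm"),
                           (b"a,b\n1,2\n", "data.csv")):
        msg.add_attachment(payload, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in macro_attachments(constructed_sample()):
        print(f"reject {name}: {reason}")
```

Only top-level attachments are inspected; nested messages and archives would need their own handling.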


