[clamav-users] ScanOLE2 yes disables macro virus detection
Steve Basford
steveb_clamav at sanesecurity.com
Sun Feb 7 12:37:07 UTC 2016
On Sun, February 7, 2016 8:30 am, David Shrimpton wrote:
> Hi,
>
>
> But most of the badmacro or other unofficial virus signatures written to
> detect macro virus are written against the container itself which has the
> compressed macro code in it. They are not written against the
> uncompressed macro code, so setting ScanOLE2 yes will disable these
> signatures.
Hi David,
Just doing a *very* quick look:
Using badmacro.ndb and either ScanOLE2 no (clamd.conf) *or* using
--scan-ole2=no (clamscan) still results in the bad Word document being
detected...
clamscan --database=badmacro.ndb *.doc --scan-ole2=no
Copy_100_of_imex.prcl.I806015.doc: Sanesecurity.Badmacro.Doc.CreObj.UNOFFICIAL FOUND
Copy_101_of_imex.prcl.I806015.doc: Sanesecurity.Badmacro.Doc.CreObj.UNOFFICIAL FOUND
Well, at least that's what I'm seeing here...
> These viruses are completely missed when ScanOLE2 is yes, no matter what
> signature you write, as the non-macro files in the OLE2 container are not
> scanned and the scanned files, i.e. the uncompressed macro VBA code, don't
> contain the malicious code.
Can you scan these viruses with badmacro.ndb with --scan-ole2=no and
--scan-ole2=yes... are they detected?
If the document malware you have isn't detected by badmacro.ndb or
phish.ndb then please send me a sample... and I'll check...
http://sanesecurity.org/hesk/
Cheers,
Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity
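To run the side-by-side check Steve asks for, here is an added Python example (not from this thread, and not Sanesecurity's or ClamAV's own tooling) that scans a directory with badmacro.ndb once with --scan-ole2=yes and once with --scan-ole2=no, parses the "path: SIGNATURE FOUND" lines clamscan prints, and lists which files each setting detects. It assumes clamscan is on PATH and takes the --database, --no-summary and --scan-ole2 options shown in the thread; the sample output in the fallback is constructed from the lines quoted above.

```python
import re
import shutil
import subprocess
import sys
from typing import Dict, List, Optional

# clamscan prints one "path: SIGNATURE FOUND" line per detection and
# "path: OK" for clean files; only FOUND lines carry a signature name.
_FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")


def parse_clamscan_output(text: str) -> Dict[str, str]:
    """Map each reported file path to the signature clamscan matched on it."""
    hits: Dict[str, str] = {}
    for line in text.splitlines():
        m = _FOUND_RE.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("sig")
    return hits


def run_clamscan(db: str, target: str, scan_ole2: bool) -> Optional[Dict[str, str]]:
    """Scan `target` with the given signature file and ScanOLE2 setting.

    Returns None when clamscan is not installed (assumption: clamscan on PATH).
    """
    if shutil.which("clamscan") is None:
        return None
    cmd = [
        "clamscan",
        f"--database={db}",
        "--no-summary",
        "--scan-ole2=" + ("yes" if scan_ole2 else "no"),
        target,
    ]
    # clamscan exits 1 when something is FOUND, so check=True must not be used.
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_clamscan_output(proc.stdout)


def compare_detections(with_ole2: Dict[str, str], without_ole2: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify detected files by whether the ScanOLE2 setting changed the verdict."""
    all_files = set(with_ole2) | set(without_ole2)
    return {
        "both": sorted(f for f in all_files if f in with_ole2 and f in without_ole2),
        "only_with_ole2": sorted(f for f in all_files if f in with_ole2 and f not in without_ole2),
        "only_without_ole2": sorted(f for f in all_files if f not in with_ole2 and f in without_ole2),
    }


# Constructed sample of clamscan output, modelled on the lines quoted in the thread.
SAMPLE_OUTPUT = (
    "Copy_100_of_imex.prcl.I806015.doc: Sanesecurity.Badmacro.Doc.CreObj.UNOFFICIAL FOUND\n"
    "Copy_101_of_imex.prcl.I806015.doc: Sanesecurity.Badmacro.Doc.CreObj.UNOFFICIAL FOUND\n"
    "clean_report.doc: OK\n"
)


if __name__ == "__main__":
    db = sys.argv[1] if len(sys.argv) > 1 else "badmacro.ndb"
    target = sys.argv[2] if len(sys.argv) > 2 else "."
    yes_hits = run_clamscan(db, target, scan_ole2=True)
    no_hits = run_clamscan(db, target, scan_ole2=False)
    if yes_hits is None or no_hits is None:
        # clamscan not available: demonstrate the parser on the constructed sample instead.
        print("clamscan not found; parsing constructed sample output")
        print(parse_clamscan_output(SAMPLE_OUTPUT))
    else:
        for bucket, files in compare_detections(yes_hits, no_hits).items():
            print(f"{bucket}: {files}")
```

Run it as `python3 compare_ole2.py badmacro.ndb /path/to/samples`; a non-empty `only_without_ole2` list is the symptom David describes (signatures that only fire on the raw container), while `only_with_ole2` shows samples that need the extracted VBA stream to be matched.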