[clamav-users] password protected encrypted .docx files
Al Varnell
alvarnell at mac.com
Wed Nov 15 09:14:00 UTC 2017
On Tue, Nov 14, 2017 at 07:45 AM, Mark Foley wrote:
> I found this older message in the archives. I'm receiving a lot of fake
> "Invoice" messages with attached encrypted .doc files that run VB scripts and
> execute .exe files.
>
> I'd like to block encrypted Word documents. Interestingly, as Reindl Harald
> says, ".docx files *are* zip files", but lately I've been getting .doc files
> which are really .docx files. KDE Dolphin isn't deceived and opens the
> attachment as an archive, but Word in WIN7 goes ahead and opens it as a
> document. If I rename the document to .docx, then Dolphin opens it in
> LibreOffice.
>
> So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav smart
> enough to look beyond the extension?
In general, yes, ClamAV doesn't pay attention to extensions and looks for document signatures that are usually at the top of a file to determine file type. That being said, I can't confirm exactly how it handles .doc and .docx files.
-Al-
> Will ArchiveblockEncrypted block *ALL* encrypted archives including zip?
>
> Finally, Dino Edwards wrote:
>
>> Yes, it is - you can turn ArchiveBlockEncrypted off in clamd.conf (it's off by default)
>
> Is that a typo? Did he mean "you can turn ArchiveBlockEncrypted on in
> clamd.conf"? Seems like turning this "off" would NOT block encrypted files.
>
> THX --Mark
>
> -----Original Message-----
>> Date: Wed, 5 Apr 2017 21:19:47 +0200
>> From: Reindl Harald <h.reindl at thelounge.net>
>>
>> technically .docx *are* zip files
>>
>> On 05.04.2017 at 21:08, Dino Edwards wrote:
>>> Didn't realize the ArchiveblockEncrypted included MS Word files. I thought it would be for password protected zip rar and such
>>>
>>> -----Original Message-----
>>> From: clamav-users [mailto:clamav-users-bounces at lists.clamav.net] On Behalf Of Benny Pedersen
>>> Sent: Wednesday, April 5, 2017 11:22 AM
>>> To: clamav-users at lists.clamav.net
>>> Subject: Re: [clamav-users] password protected encrypted .docx files
>>>
>>> Dino Edwards wrote on 2017-04-05 16:48:
>>>> Any way to get clamav to block password protected Microsoft word files?
>>>
>>> Yes, it is - you can turn ArchiveBlockEncrypted off in clamd.conf (it's off by default)
>>>
>>> if not working pastebin your clamconf (clamav section only)
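
The following is an added illustration, not part of the thread and not ClamAV's code: a minimal content-based check that ignores the file extension, identifies ZIP/OOXML and OLE2 containers by their leading bytes, and reports encryption. The function names are hypothetical, the sample ZIP is constructed in memory, and the OLE2 branch is a byte-search heuristic that assumes Office's layout for password-protected OOXML documents (an OLE2 container holding an `EncryptedPackage` stream).

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                         # ZIP local file header (.docx/OOXML)
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file (legacy .doc)
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # OLE2 stream names are UTF-16LE

def sniff(data: bytes) -> str:
    """Classify by leading bytes only; the file name is never consulted."""
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return "unknown"

def encrypted_members(data: bytes) -> list:
    """Names of ZIP members whose general-purpose flag bit 0 (encrypted) is set."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & 0x1]

def inspect(name: str, data: bytes) -> dict:
    """Report the real container type and whether it looks encrypted."""
    kind, enc = sniff(data), False
    if kind == "zip":
        enc = bool(encrypted_members(data))
    elif kind == "ole2":
        # Heuristic (assumption): look for the EncryptedPackage stream name
        # anywhere in the container instead of parsing the OLE2 directory.
        enc = ENC_STREAM in data
    return {"name": name, "type": kind, "encrypted": enc}

def make_zip(encrypted: bool) -> bytes:
    """Constructed sample: a one-member ZIP, optionally flagged as encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    raw = bytearray(buf.getvalue())
    if encrypted:
        # The flag word sits 6 bytes into the local header, 8 into the central one.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            raw[raw.find(sig) + off] |= 0x01  # low byte of the little-endian flags
    return bytes(raw)

if __name__ == "__main__":
    # A ZIP container delivered under a .doc name is still reported as "zip".
    print(inspect("invoice.doc", make_zip(encrypted=True)))
```
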