[clamav-users] password protected encrypted .docx files
Mark Foley
mfoley at novatec-inc.com
Wed Nov 15 18:09:28 UTC 2017
On Wed, 15 Nov 2017 18:37:36 +0100 (CET) Kees Theunissen <C.J.Theunissen at differ.nl> wrote:
>
> On Wed, 15 Nov 2017, Mark Foley wrote:
>
> >On Wed 15 Nov 2017 01:14:00 -0800 Al Varnell <alvarnell at mac.com> wrote:
> >
> >>On Tue, Nov 14, 2017 at 07:45 AM, Mark Foley wrote:
> >>> I found this older message in the archives. I'm receiving a lot of fake
> >>> "Invoice" messages with attached encrypted .doc files that run VB scripts and
> >>> execute .exe files.
> >>>
> >>> I'd like to block encrypted Word documents. Interestingly, as Reindl Harald
> >>> says, ".docx files *are* zip files", but lately I've been getting .doc files
> >>> which are really .docx file. KDE Dolphin isn't deceived and opens the
> >>> attachment as an archive, but Word in WIN7 goes ahead and opens it as a
> >>> document. If I rename the document to .docx, then Dolphin opens it in
> >>> LibreOffice.
> >>>
> >>> So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav smart
> >>> enough to look beyond the extension?
> >>
> >> In general, yes, clamAV doesn't pay attention to extensions and looks for
> >> document signatures that are usually at the top of a file to determine
> >> file type. That being said, I can't confirm exactly how it handles .doc and .docx files.
> >>
> >
> >Thanks Al. I'll turn this on and experiment. I'll post back my findings.
> >
> >Does anyone have experience with this?
>
> I did a few tests some time ago. The encryption/protection
> is implemented by Microsoft as an internal format somewhere in
> the office document structure, _not_ as an encrypted zip file.
>
> So ArchiveblockEncrypted won't block encrypted Word documents.
>
>
> Regards,
>
> Kees Theunissen.
>
> --
> Kees Theunissen, System and network manager, Tel: +31 (0)40-3334724
> Dutch Institute For Fundamental Energy Research (DIFFER)
> e-mail address: C.J.Theunissen at differ.nl
> postal address: PO Box 6336, 5600 HH, Eindhoven, the Netherlands
> visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands
Ah! Bummer. I thought that might be the case.
Did you ever find a way to identify an encrypted .doc[x] file?
--Mark
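One content-based triage check that follows from Kees's observation (added example, not code from the thread or from ClamAV): a plain .docx is a zip, while a password-protected .docx is written as an OLE2 compound file whose directory names the EncryptedPackage and EncryptionInfo streams, so the heuristic below scans for those UTF-16LE names instead of trusting the extension. The sample inputs are constructed stand-ins; the legacy .doc case is only identified as an OLE2 container here, since its own encryption flag lives inside the WordDocument stream and needs a real compound-file parser.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"
# Compound-file directory entries store stream names as UTF-16LE. These two
# streams hold the encrypted OOXML payload and its encryption parameters.
ENCRYPTED_STREAMS = [s.encode("utf-16-le") for s in ("EncryptedPackage", "EncryptionInfo")]


def classify_office_blob(data: bytes) -> str:
    """Classify an attachment by its bytes; the file extension is ignored."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Bit 0 of the per-entry flags marks a zip-encrypted entry:
                # this is the only case an encrypted-archive check can see.
                if any(info.flag_bits & 0x1 for info in zf.infolist()):
                    return "zip-encrypted-entries"
                if "[Content_Types].xml" in zf.namelist():
                    return "ooxml-plain"
                return "zip-other"
        except zipfile.BadZipFile:
            return "zip-corrupt"
    if data.startswith(OLE2_MAGIC):
        # Password-protected .docx/.xlsx/.pptx: an OLE2 wrapper, not a zip,
        # so it passes an encrypted-archive check untouched.
        if all(name in data for name in ENCRYPTED_STREAMS):
            return "ole2-encrypted-ooxml"
        return "ole2-binary"  # legacy .doc/.xls or another compound file
    return "unknown"


def plain_docx_sample() -> bytes:
    """Constructed minimal unencrypted OOXML package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


def encrypted_docx_sample() -> bytes:
    """Constructed stand-in: OLE2 header plus a fake directory region naming
    the two streams. Enough for the heuristic, not a valid compound file."""
    entries = b"".join(name.ljust(64, b"\0") for name in ENCRYPTED_STREAMS)
    return OLE2_MAGIC.ljust(512, b"\0") + entries
```

A mail gateway hook would call classify_office_blob on every attachment and treat "ole2-encrypted-ooxml" the same way it already treats "zip-encrypted-entries".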