[clamav-users] Detecting Word docs with macros

Steve Basford steveb_clamav at sanesecurity.com
Mon Dec 10 10:17:24 EST 2018


On Mon, December 10, 2018 2:58 pm, Eric Tykwinski wrote:
> Default clam sigs obviously are not catching these, but wondering if
> anyone has them included in a third party that rather FP friendly.
>
> I also just tested a yara from here, and it seems to work, but not
> certain about FPs from it either.
>
Sanesecurity badmacro.ndb and phish.ndb and rogue.hdb will pretty much
cover a lot of those... MiscreantPunch099-Low.ldb for additional detection
but can hit scanning performance.

ClamAV settings in clamd.conf can also be tweaked to block documents with
macro and or passwords.


-- 
Cheers,

Steve
Twitter: @sanesecurity




More information about the clamav-users mailing list