[clamav-users] Detecting Word docs with macros
steveb_clamav at sanesecurity.com
Mon Dec 10 10:17:24 EST 2018
On Mon, December 10, 2018 2:58 pm, Eric Tykwinski wrote:
> Default clam sigs obviously are not catching these, but wondering if
> anyone has them included in a third party that's rather FP friendly.
> I also just tested a yara from here, and it seems to work, but not
> certain about FPs from it either.
Sanesecurity badmacro.ndb and phish.ndb and rogue.hdb will pretty much
cover a lot of those... MiscreantPunch099-Low.ldb for additional detection
but can hit scanning performance.
ClamAV settings in clamd.conf can also be tweaked to block documents with
macros and/or passwords.
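An added example, not part of the original post: a small audit of a clamd.conf for the macro and encrypted-document alert settings the reply refers to. The option names are taken from clamd.conf(5) (OLE2BlockMacros is the pre-0.101 name of AlertOLE2Macros), not from the post, and the sample configuration is constructed.

```python
# Added example: audit a clamd.conf for the macro / encrypted-document alerts.
# Option names are from clamd.conf(5); OLE2BlockMacros is the pre-0.101 name.
CHECKS = {
    "macros": ("AlertOLE2Macros", "OLE2BlockMacros"),
    "encrypted_docs": ("AlertEncryptedDoc", "AlertEncrypted"),
}
TRUE, FALSE = {"yes", "true", "1"}, {"no", "false", "0"}


def parse_clamd_conf(text):
    """Map each option name to the list of values given for it."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(None, 1)  # name, then value (space or tab separated)
        opts.setdefault(parts[0], []).append(parts[1].strip() if len(parts) > 1 else "")
    return opts


def audit(text):
    """Return 'on', 'off', 'unset', 'conflict' or 'invalid' per check."""
    opts = parse_clamd_conf(text)
    report = {}
    for check, names in CHECKS.items():
        values = [v.lower() for n in names for v in opts.get(n, [])]
        if not values:
            report[check] = "unset"      # these options default to "no"
        elif any(v not in TRUE | FALSE for v in values):
            report[check] = "invalid"    # not a recognised boolean value
        elif all(v in TRUE for v in values):
            report[check] = "on"
        elif all(v in FALSE for v in values):
            report[check] = "off"
        else:
            report[check] = "conflict"   # mixed yes/no: needs a human decision
    return report


# Constructed sample configuration, not taken from a real deployment.
SAMPLE = """\
# clamd.conf (constructed)
LocalSocket /run/clamav/clamd.ctl
ScanOLE2 yes
OLE2BlockMacros yes
AlertEncrypted yes
AlertEncryptedDoc no
"""
```

Calling `audit()` on the text of the live clamd.conf gives the same per-check report; a result of "unset" or "off" means clamd will not alert on that document class by configuration alone.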