[clamav-users] Whitelisting extensions for virus scan

Kris Deugau kdeugau at vianet.ca
Tue Oct 30 15:15:41 UTC 2018


Tilman Schmidt wrote:
> On 29.10.18 at 17:33, Kris Deugau wrote:
>> Tilman Schmidt wrote:
>>> On 26.10.18 at 15:34, Johnny Time wrote:
>>>> For example, we wanted to authorize only a white list which contains
>>>> *.doc,*.xls,*.pdf and ban the other extensions.
>>>
>>> Surely you meant to write "*.docx,*.xlsx,*.pdf"?
>>> *.doc and *.xls are the old, malware-prone MS-Office filetypes.
>>> You don't want to let those pass, at least not without rigorous
>>> examination.
>>
>> In my experience, the new ones aren't any better.
> 
> The "*m" ones (with macros) certainly aren't, but the "*x" ones (without
> macros) have so far never caused any trouble at our site.
> So we put mails with *.doc, *.xls, *.docm and *.xlsm attachments in
> quarantine, only releasing them upon request after manual inspection,
> but let *.docx and *.xlsx pass if the ClamAV scan turns up clean.

I don't care enough to dig up what the formal spec (such as may exist) 
for these files is, but I see a regular trickle of .docx and a handful 
of .xlsx files that pop up a warning in OpenOffice about macros.  I 
don't think I've seen any .docm or .xlsm for a while.

Personally I'd be quite happy to ban them all outright, but customers 
get a little grouchy when they can't send or receive documents to their 
contacts...

We scan them all, quarantine the ones that hit a signature, add local 
signatures as malicious examples get reported, use a handful of 
third-party signatures, and advise customers to make sure they keep an 
up-to-date antivirus package on their system - if only to make sure 
they're also protected against non-email malware.

-kgd
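
The message above notes that some .docx and .xlsx attachments still trigger a macro warning, so an extension whitelist alone does not separate macro-free files from macro-bearing ones. The following is an added example, not part of the original post or of ClamAV: a content check that could run alongside the ClamAV scan. The function names and the sample files are constructed for illustration; the `vbaProject.bin` part name and the macro content-type strings are OOXML packaging conventions, not something stated in the thread.

```python
import io
import zipfile

# OOXML conventions (assumption, not from the thread): VBA code is stored in a
# part named vbaProject.bin and declared in [Content_Types].xml.
MACRO_CONTENT_TYPES = (b"macroenabled", b"application/vnd.ms-office.vbaproject")

def ooxml_macro_indicators(data):
    """Return reasons an OOXML attachment looks macro-bearing (empty list = none)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a zip container, so not really OOXML"]
    with zf:
        reasons = [f"VBA project part: {n}" for n in zf.namelist()
                   if n.lower().endswith("vbaproject.bin")]
        try:
            types = zf.read("[Content_Types].xml").lower()
        except KeyError:
            return reasons + ["missing [Content_Types].xml"]
        reasons += [f"content type mentions {m.decode()}"
                    for m in MACRO_CONTENT_TYPES if m in types]
    return reasons

def quarantine_decision(filename, data):
    """Quarantine policy quoted in the thread, extended with the content check."""
    ext = filename.lower().rsplit(".", 1)[-1]
    if ext in ("doc", "xls", "docm", "xlsm"):
        return "quarantine"
    if ext in ("docx", "xlsx") and ooxml_macro_indicators(data):
        return "quarantine"
    return "scan"  # hand over to the normal ClamAV scan

def _build_sample(parts):
    """Constructed sample: a minimal zip holding the given member names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()

CLEAN_DOCX = _build_sample({"[Content_Types].xml": '<Types><Override '
    'PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-'
    'officedocument.wordprocessingml.document.main+xml"/></Types>'})
MACRO_DOCX = _build_sample({"[Content_Types].xml": '<Types><Override '
    'PartName="/word/document.xml" ContentType="application/vnd.ms-word.'
    'document.macroEnabled.main+xml"/><Override PartName="/word/vbaProject.bin" '
    'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/vbaProject.bin": b"constructed placeholder, not real VBA"})
```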


