[clamav-users] Rule for false extension rtf
Micah Snyder (micasnyd)
micasnyd at cisco.com
Wed Jul 10 18:00:53 UTC 2019
ClamAV doesn't have the ability at present to signature on scan target filenames, with exception to names of files in archives. ClamAV uses the filenames a little more in 0.101+, but historically the scanning engine hasn't had access to filenames, only file content.
Micah
On 7/10/19, 3:05 AM, "clamav-users on behalf of Dave Howe via clamav-users" <clamav-users-bounces at lists.clamav.net on behalf of clamav-users at lists.clamav.net> wrote:
On 10/07/2019 07:59, Virgo Pärna via clamav-users wrote:
> Lately there have been several malware rtf files with doc
> extension, that I have received by e-mail and that are not immediately
> recognized by clamav. From virustotal scan they appear to be RTF bug
> exploits.
> Since clamav has special type support for rtf, would it be
> possible to write custom rule to block rtf files with doc extension?
Noting I often rename rtf files to doc - because when someone insists on
a "word doc" and you send them a .rtf, when they complain you sent them
the "wrong thing" you are in a lose/lose situation (if you correct them,
they resent it, if you don't, they think you did something wrong)
_______________________________________________
clamav-users mailing list
clamav-users at lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
More information about the clamav-users
mailing list