[clamav-users] xlsm files

G.W. Haywood clamav at jubileegroup.co.uk
Tue Dec 22 23:34:52 UTC 2020


Hi there,

On Tue, 22 Dec 2020, Joe Acquisto-j4 wrote:

> ...  "Please open" sort of messages.

These are extremely common.  They aren't all xlsm attachments but it's
quite usual for them to contain malicious macros - generally aimed at
Windows boxes, but you must never be complacent even on Linux.

> ... ClamAV does not detect any evil thing-lets ... other AV products
> ... do not detect anything either.

AV products will very rarely catch more than three out of four threats
and one in three is my rule of thumb.  That means I expect the scanner
to miss two out of three threats.  Since I typically see thousands of
attacks per month I'd be foolish to rely on AV to protect my systems.

> So, why do I worry?

Because you're right to worry.  Why do I scan? :)

Essentially I stop a lot of spam with the third-party signatures, but
I always want to know more.  It's interesting to see what gets missed.

> Am I deluded as to the potential danger or have I simply failed to
> properly inform the AV products, ClamAV specifically, to inspect
> these files properly?  Or, must I add additional (signature?)
> packages I am not aware of?

No, you're not deluded.  The trouble is it's a moving target and in my
view the best way of defending against these threats is "nuke 'em from
orbit, it's the only way to be sure".  So anything that arrives here
with any attachment gets short shrift if it's not expected, and if it
is expected it gets looked at carefully.  If you try to stop everything
with signatures etc.

It's pretty easy to filter out anything with an attachment, and with a
bit of perspiration you can be quite selective about it.  None of that
need rely on ClamAV, but to stop all the junk you've mentioned you can
write simple Yara rules and drop them in the ClamAV database directory.

Here's an example file.  Call it 'something.yara', put it in the ClamAV
database directory, reload clamd if it's running, see what it does.

8<----------------------------------------------------------------------
rule My_Spam_Rule // block some random spam
{
         strings:
                 $gmatcha = /\r\nSubject:[\W\w]*B2B marketing/   nocase ascii
                 $gmatchb = /\r\nSubject:[\W\w]*Free SEO Audit/  nocase ascii
                 $gmatchc = "Summ Now"                           nocase ascii
         condition:
                 $gmatcha or $gmatchb or $gmatchc
}
8<----------------------------------------------------------------------

Modifying it to catch a string in the mail body which talks about an
xlsm file is left as an exercise for the reader.

-- 

73,
Ged.
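A worked version of the exercise above, added here as an example; it is not Ged's rule and not part of ClamAV's own signature set. It assumes the message is scanned as a raw RFC 822 file (so the MIME headers are visible to the first rule) and that ClamAV unpacks the attachment, so the second rule sees the entry names of the ZIP container that an .xlsm really is. The rule names, string names and the suggested filename are invented for this example.

```yara
// Added example, not from the original post or from ClamAV's databases.
// Save as e.g. 'xlsm_lure.yara' in the ClamAV database directory and
// reload clamd. Assumptions: raw mail is scanned with headers intact,
// and ClamAV extracts the attachment so the ZIP entry names are visible.

rule Mail_Names_Xlsm_Attachment // raw message advertises an .xlsm attachment
{
    strings:
        // header lines that carry the attachment name or its MIME type
        $disp = /\r\nContent-Disposition:[^\r\n]*filename=[^\r\n]*\.xlsm/ nocase ascii
        $ctyp = /\r\nContent-Type:[^\r\n]*name=[^\r\n]*\.xlsm/            nocase ascii
        $mime = "application/vnd.ms-excel.sheet.macroEnabled.12"          nocase ascii
    condition:
        $disp or $ctyp or $mime
}

rule Xlsm_Container_With_Vba_Project // unpacked attachment carries a VBA project
{
    strings:
        // ZIP entry names are stored uncompressed, so they match on the raw bytes
        $ct  = "[Content_Types].xml"  ascii
        $wb  = "xl/workbook.xml"      ascii
        $vba = "xl/vbaProject.bin"    ascii   // where Excel keeps the macros
    condition:
        $ct and $wb and $vba
}
```

ClamAV reports a hit as YARA.<rulename>.UNOFFICIAL, so you can see which of the two fired. ClamAV implements only a subset of YARA, which is why the conditions stay with plain string and regex matches joined by and/or, like the rule in the post. A long attachment name may be folded across header lines or encoded as filename*= (RFC 2231); the two header regexes would miss those, which is what the MIME-type string and the second rule are there for. Test a rule before deploying it with clamscan -d xlsm_lure.yara against a saved message, since a rule that matches too broadly will quarantine legitimate spreadsheets.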
