[clamav-users] Is Doc.Packed available as PUA category?

Kris Deugau kdeugau at vianet.ca
Thu Jan 14 17:11:04 UTC 2021


G.W. Haywood via clamav-users wrote:
> One of the reasons that malicious senders send so many malicious
> password protected documents by email is that it is not always easy
> to detect malware in them without knowledge of the password, so by
> and large scanners like ClamAV don't attempt to do it (even though
> most of the time the malicious email will include the password).
> 
> If you prevent the scanner from alerting on password protected Excel
> documents, and if your users open more or less any password protected
> Excel document which comes their way, then you will have a problem
> because they probably receive malicious documents every day.

I deal with this class of FP by disabling the FP-causing checks in the
primary Clam instance, and enabling them in a secondary instance with a
different set of signatures whose results are scored in SpamAssassin
instead of treated as an absolute go/no-go result.  (Or calling ClamAV
from a mediating layer in the mail flow that can achieve much the same
result.)

I don't recall coming across any hits in this particular category, but 
what pushed me into this was the stream of otherwise legitimate "You 
should really know better"-ish mail from (marketing partners of) banks 
that kept triggering Heuristics.Phishing.Email.SpoofedDomain, and the 
hassle of figuring out what URL some marketroid had inventively mangled 
*this* time.

> One way to get around the problem is to educate users.  For example
> you might continue to reject such documents, and suggest your users do
> not use Excel password protection.  Microsoft password protection is
> in many cases trivially cracked, I've done it for customers when they
> have lost their passwords.  For a simple way of accessing a document
> without its password, see for example
> 
> http://www.excelsupersite.com/how-to-remove-an-excel-spreadsheet-password-in-6-easy-steps/ 
> 
> 
> which I found with a simple search and selected more or less at random.

Unfortunately that doesn't address a password-protected *document*, it
just describes allowing changes to locked spreadsheet pages.  (I.e., a
document you can open, but to some degree can't modify.)

-kgd
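The two-instance setup Kris describes (a primary clamd whose hits reject outright, a secondary clamd whose heuristic/PUA hits only add to a spam score), sketched as a mediating-layer fragment. This is an added example, not code from the post or from ClamAV; the clamd INSTREAM client speaks the real protocol, but the ports, the weights and the score threshold are assumptions to be tuned locally.

```python
import socket
import struct

# clamd INSTREAM client. Ports are assumptions: primary 3310, secondary 3311.
def clamd_instream(data: bytes, host="127.0.0.1", port=3310, chunk=65536) -> str:
    """Scan bytes over zINSTREAM; return the raw NUL-terminated reply."""
    with socket.create_connection((host, port)) as s:
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), chunk):
            part = data[i:i + chunk]
            s.sendall(struct.pack("!I", len(part)) + part)  # length-prefixed chunk
        s.sendall(struct.pack("!I", 0))                     # zero-length chunk ends stream
        reply = b""
        while not reply.endswith(b"\0"):
            block = s.recv(4096)
            if not block:
                break
            reply += block
    return reply.decode(errors="replace")

def parse_reply(reply: str):
    """'stream: Name FOUND' -> 'Name'; 'stream: OK' -> None; anything else raises."""
    body = reply.rstrip("\0\n")
    _, _, verdict = body.partition(": ")
    if verdict == "OK":
        return None
    if verdict.endswith(" FOUND"):
        return verdict[: -len(" FOUND")]
    raise RuntimeError(f"unexpected clamd reply: {body!r}")

# Constructed per-prefix weights for secondary-instance hits (illustrative only).
SECONDARY_WEIGHTS = {
    "Heuristics.Phishing.Email.SpoofedDomain": 1.5,
    "Heuristics.Encrypted.": 2.0,
    "PUA.": 1.0,
}

def score_hit(name: str) -> float:
    """Weight for a secondary hit; unknown names get a small nudge only."""
    for prefix, weight in SECONDARY_WEIGHTS.items():
        if name.startswith(prefix):
            return weight
    return 0.5

def decide(primary_reply: str, secondary_reply: str, threshold=5.0, base=0.0):
    """Primary hit -> reject; secondary hit -> add to the message's spam score."""
    primary_hit = parse_reply(primary_reply)
    if primary_hit is not None:
        return ("reject", primary_hit)
    hit = parse_reply(secondary_reply)
    score = base + (score_hit(hit) if hit else 0.0)
    return ("spam" if score >= threshold else "deliver", score)
```

In production `base` would be the score SpamAssassin has already assigned, and the replies would come from `clamd_instream` against each instance.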