[clamav-users] ClamAV to detect exploits for the Equation Editor vulnerability in DOC files
G.W. Haywood
clamav at jubileegroup.co.uk
Fri Jan 22 14:51:39 UTC 2021
Hi there,
On Fri, 22 Jan 2021, Chaminda Indrajith via clamav-users wrote:
> Regularly we receive DOC files which contain viruses.
There are many different ways to solve your problem, but we need a lot
more information from you. How do you receive these files?
> These viruses are not detected by ClamAV ...
This is not unusual. Can you let us have your ClamAV configuration?
If you're using Linux it's simplest to send the output of
clamconf -n
but please tell us more about your ClamAV installation - for example
what operating system you're using to run it. For more information
about what information will be useful see some of my previous posts
in the list archives, which can be found for example at
https://marc.info/?l=clamav-users&r=1&w=2
> #rtfobj Balance\ Sheet\ .doc
> ...
On its own this information is not particularly useful. The files you
receive do not necessarily give up that information to the scanner
without some effort, so we need to see exactly what the scanner sees.
Perhaps you can put samples somewhere (safe) on the Web for us to see.
> How can we write customized rules to detect these doc files?
You do not need to do that. You can submit the files to the ClamAV
team, and for example to one of the third parties which provide
signatures, e.g. Sanesecurity or Securiteinfo. If you submit samples,
then in addition to solving your own problem you also provide a useful
service to the community:
https://www.clamav.net/contact
If you do want to write your own signatures you should read the
documentation. You could for example start with
https://www.clamav.net/documents/creating-signatures-for-clamav
but you might find it easier to deploy Yara rules:
https://www.clamav.net/documents/using-yara-rules-in-clamav
You need to tell us more about how you are using ClamAV. In my first
question I asked you how you receive the malicious files. If it's by
email then you might want to use ClamAV to filter the incoming mail
messages. There are several ways to do that, but I won't go into it
until I know a little more about how you're receiving the files.
--
73,
Ged.
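As an added illustration (not part of Ged's reply, and not ClamAV's or oletools' code): a small Python script doing, in miniature, what rtfobj does with a ".doc" that is really RTF. It pulls out the `\objdata` hex, decodes the OLE 1.0 object header and reports objects whose class name is the Equation Editor ProgID `Equation.3`, which is the kind of feature a Yara rule or ClamAV signature would key on. The sample RTF and all function names are this example's own constructions.

```python
import re
import struct

OBJDATA_RE = re.compile(rb"\\objdata\b\s*([0-9A-Fa-f\s]+)")  # hex after \objdata; whitespace allowed
def is_rtf(data: bytes) -> bool:
    """A real .doc is an OLE compound file; a 'doc' that is really RTF starts with {\\rtf."""
    return data.lstrip().startswith(b"{\\rtf")
def extract_objdata(rtf: bytes):
    """Yield each embedded-object blob found in \\objdata groups, decoded from hex."""
    for m in OBJDATA_RE.finditer(rtf):
        try:
            yield bytes.fromhex(re.sub(rb"\s+", b"", m.group(1)).decode("ascii"))
        except ValueError:  # odd length or damaged hex: skip it rather than crash
            continue
def parse_ole1_header(blob: bytes):
    """OLE 1.0 ObjectHeader (MS-OLEDS): OLEVersion, FormatID, ClassName/TopicName/ItemName; None if truncated."""
    try:
        _version, format_id = struct.unpack_from("<II", blob, 0)
        off, names = 8, []
        for _ in range(3):  # three LengthPrefixedAnsiStrings (length includes the NUL)
            (n,) = struct.unpack_from("<I", blob, off)
            off += 4
            if off + n > len(blob):
                return None
            names.append(blob[off:off + n].rstrip(b"\x00"))
            off += n
        native_size = None
        if format_id == 2:  # 2 = embedded object: NativeDataSize follows the header
            (native_size,) = struct.unpack_from("<I", blob, off)
    except struct.error:
        return None
    return {"format_id": format_id, "class_name": names[0], "native_size": native_size}
def find_equation_objects(rtf: bytes):
    """Headers of embedded objects whose class name is Equation Editor's ProgID (Equation.3)."""
    hits = [parse_ole1_header(b) for b in extract_objdata(rtf)]
    return [h for h in hits if h and h["class_name"].lower().startswith(b"equation.")]
# ---- constructed sample input (not a real malicious file; the native data is filler) ----
def ole1_embedded(class_name: bytes, native: bytes) -> bytes:
    """Build an OLE 1.0 embedded-object blob; an empty LengthPrefixedAnsiString is length 0 only."""
    def lp(s: bytes) -> bytes:
        return struct.pack("<I", 0) if not s else struct.pack("<I", len(s) + 1) + s + b"\x00"
    return (struct.pack("<II", 0x00000501, 2) + lp(class_name) + lp(b"") + lp(b"")
            + struct.pack("<I", len(native)) + native)
def build_sample_rtf() -> bytes:
    """RTF with a benign Package object followed by an Equation.3 object."""
    def obj(progid: bytes, blob: bytes) -> bytes:
        return (b"{\\object\\objemb{\\*\\objclass " + progid + b"}{\\*\\objdata "
                + blob.hex().encode() + b"}}")
    return (b"{\\rtf1\\ansi " + obj(b"Package", ole1_embedded(b"Package", b"just-text"))
            + obj(b"Equation.3", ole1_embedded(b"Equation.3", b"filler" * 8)) + b"}")
```

Real samples often split or obfuscate the hex and nest objects in ways this minimal parser does not handle, which is exactly why rtfobj output alone does not show what ClamAV sees.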