[clamav-users] signature for cve2017-11882

[G.W. Haywood]

Hi there,

On Sat, 27 Mar 2021, Jigar via clamav-users wrote:

> In the first week of March 2021, multiple users had received email
> with xlsx attachment having exploit for CVE-2017-11882. The clamav
> could not detect it but other antivirus like eScan and ESET could
> detect it as malware threat.

Signatures exist for at least some exploits of CVE-2017-11882.  Looking
at the signatures in my current ClamAV database:

$ grep -as CVE-2017-11882 * | cut -d';' -f1
MiscreantPunch099-Low.ldb:MiscreantPunch.RTF.EvilRTF.CVE-2017-11882.M2
MiscreantPunch099-Low.ldb:MiscreantPunch.RTF.EvilRTF.CVE-2017-11882.M3
MiscreantPunch099-Low.ldb:MisreantPunch.EvilDoc.CVE-2017-11882.M9
MiscreantPunch099-Low.ldb:MiscreantPunch.EvilDoc.CVE-2017-11882.M10
MiscreantPunch099-Low.ldb:MiscreantPunch.EvilDoc.RTF-CVE-2017-11882.Template.180412.M2
porcupine.hsb:58cbe7516369d9e79660bda6e576cffd:2738688:Porcupine.Win32.Exploit.CVE-2017-11882.C.99928:73
porcupine.hsb:5cc0bfe9a8528b1deb2dcaa7691b1794:2621952:Porcupine.Win32.Exploit.CVE-2017-11882.C.100063:73
porcupine.hsb:140aade63d9cd5cb747845101df9ff85:2395136:Porcupine.Win32.Exploit.CVE-2017-11882.C.100065:73
porcupine.hsb:0db8aceb5fdf7f22bc31682726c5b071:883200:Porcupine.Win32.Exploit.CVE-2017-11882.C.99936:73
porcupine.hsb:652fa43a2f71cab80126efc843a98d84:84891:Porcupine.Win32.Exploit.CVE-2017-11882.C.99924:73

This is a rather old CVE, what databases do you use for your ClamAV
installation?  Perhaps what you have seen recently is a new threat
which has been engineered to avoid some of the existing signatures.

> We also need guidance:
>
> 1. How to identify the correct file to generate the generic signature,
> especially if files with different name but same exploit has been sent.

I do not understand the question, but ClamAV looks at a stream of data
or at the contents of files.  Except for the purposes of reporting to
you the results of scanning the files, the names of those files are of
no significance to ClamAV.

-- 

73,
Ged.