Actually, there are two so far, added on June 2 and 7:

% sigtool -f CVE_2022_30190-|sigtool --decode-sigs
VIRUS NAME: Win.Exploit.CVE_2022_30190-9951234-1
TDB: Engine:96-255,Container:CL_TYPE_OOXML_WORD,Target:7
LOGICAL EXPRESSION: 0&1&2
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
<?xml {WILDCARD_ANY_STRING}<relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
targetmode="external"
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
target="{WILDCARD_ANY_STRING(LENGTH<=9)}http{WILDCARD_ANY_STRING(LENGTH<=100)}.html!

VIRUS NAME: Win.Exploit.CVE_2022_30190-9951407-0
TDB: Engine:96-255,Container:CL_TYPE_OOXML_XL,Target:7
LOGICAL EXPRESSION: 0&1&2
 * SUBSIG ID 0
 +-> OFFSET: 0
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
<?xml {WILDCARD_ANY_STRING}<relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
targetmode="external"
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NOCASE
 +-> DECODED SUBSIGNATURE:
target="{WILDCARD_ANY_STRING(LENGTH<=8)}http{WILDCARD_ANY_STRING(LENGTH<=100)}.html!

-Al-

On Jun 9, 2022, at 5:16 AM, Vangelis Katsikaros via clamav-users <clamav-users@lists.clamav.net> wrote:

Hi

I am not a security person so I apologize if the question sounds stupid. I'd like to ask if there is a signature in the clamav DB to recognise Microsoft word documents affected by the "Follina" - CVE-2022-30190 remote code execution vulnerability.

Regards
Vangelis
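
The matching logic of the two decoded signatures above, approximated in Python as an added example (not part of the original messages and not ClamAV code). Regexes stand in for ClamAV's wildcards, ClamAV's own file typing and normalization are not reproduced, and the sample archive, its `placeholder` relationship type and the example.invalid URLs are constructed.

```python
import io
import re
import zipfile

# Regex stand-ins for the decoded subsignatures shown above (NOCASE -> re.I):
#   {WILDCARD_ANY_STRING}            -> .*
#   {WILDCARD_ANY_STRING(LENGTH<=n)} -> .{0,n}
NS = rb'<relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
SUBSIG0 = re.compile(rb"<\?xml .*" + re.escape(NS), re.I | re.S)   # OFFSET: 0
SUBSIG1 = re.compile(rb'targetmode="external"', re.I)              # OFFSET: ANY
# The only difference between the two signatures: 9 bytes for Word, 8 for Excel.
PREFIX_MAX = {"word": 9, "xl": 8}


def part_matches(data: bytes, kind: str = "word") -> bool:
    """LOGICAL EXPRESSION 0&1&2 evaluated over one container member."""
    subsig2 = re.compile(
        rb'target=".{0,%d}http.{0,100}\.html!' % PREFIX_MAX[kind], re.I | re.S)
    return bool(SUBSIG0.match(data)            # match() anchors at offset 0
                and SUBSIG1.search(data)
                and subsig2.search(data))


def scan_ooxml(blob: bytes, kind: str = "word") -> list:
    """Return names of ZIP members that satisfy all three subsignatures."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [n for n in zf.namelist() if part_matches(zf.read(n), kind)]


def build_sample(target: str) -> bytes:
    """Constructed, minimal OOXML-like ZIP with one external relationship."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="placeholder" Target="{target}" TargetMode="External"/>'
            '</Relationships>').encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
    return buf.getvalue()


if __name__ == "__main__":
    for t in ("https://example.invalid/x.html!", "https://example.invalid/index.html"):
        print(t, "->", scan_ooxml(build_sample(t)))
```

An ordinary external link ending in `.html` without the trailing `!` does not satisfy subsignature 2, so it is not flagged.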