Linux – ClamAV signature to ban office documents with macros

Tags: clamav, linux

We are using custom signatures in the ClamAV database to ban some types of files when they're attached to an email.

This is done using clamd and clamassassin with procmail.

We're looking to add a rule to our custom rules for ClamAV to ban emails which have Excel/Word/PowerPoint documents with macros.

Best Answer

Starting from ClamAV version 0.99, it supports YARA rules.

So we can use a YARA rule to detect this type of file.

Create a file in your ClamAV library directory (on Ubuntu it's /var/lib/clamav/) called, for example, yara_officemacros.yar.

Edit it and write this code inside:

rule office_macro
{
    meta:
        description = "M$ Office document containing a macro"
        threat_level = 1
        in_the_wild = true
    strings:
        // OLE2 compound-file header (legacy .doc/.xls/.ppt containers)
        $a = {d0 cf 11 e0}
        // "\x00Attribut\x00": the "Attribute VB_Name" marker found in
        // compressed VBA module streams
        $b = {00 41 74 74 72 69 62 75 74 00}
    condition:
        // header must be at offset 0, and the VBA marker anywhere in the file
        $a at 0 and $b
}

Save the file and restart clamd, and you're done ;-)
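As an added example (not part of the answer above and not ClamAV or YARA code), the following stand-alone Python script re-implements the rule's two conditions, `$a at 0` and `$b`, and runs them over constructed byte blobs so the logic can be checked without clamd running. The sample bodies are fabricated, not real Office files; the constants are the same hex values the rule uses.

```python
# Added example: mirror of the YARA condition `$a at 0 and $b`, exercised on
# constructed inputs. Not the answer's code; the samples are fabricated.

OLE2_MAGIC = bytes.fromhex("d0cf11e0")                # $a: OLE2 compound-file header
VBA_ATTRIBUT = bytes.fromhex("00417474726962757400")  # $b: "\x00Attribut\x00"
ZIP_MAGIC = b"PK\x03\x04"                             # OOXML (.docm/.xlsm) containers start like this


def matches_office_macro_rule(data: bytes) -> bool:
    """True when the OLE2 header is at offset 0 AND the VBA marker occurs anywhere."""
    return data.startswith(OLE2_MAGIC) and VBA_ATTRIBUT in data


def build_sample(magic: bytes, with_macro_marker: bool, leading_pad: bytes = b"") -> bytes:
    """Construct a fake document body for testing (constructed, not a real file)."""
    body = bytearray(leading_pad + magic)
    body += b"\xa1\xb1\x1a\xe1" + b"\x00" * 64        # filler standing in for the rest of a header
    if with_macro_marker:
        # A compressed VBA module stream carries "Attribute VB_Name" text
        body += b"VBA/Module1" + VBA_ATTRIBUT + b'e VB_Name = "Module1"'
    body += b"\x00" * 32
    return bytes(body)


# Constructed test corpus covering the cases a rule author cares about
SAMPLES = {
    "ole2_with_macro": build_sample(OLE2_MAGIC, True),
    "ole2_no_macro": build_sample(OLE2_MAGIC, False),
    # Top-level bytes of a ZIP-based .docm: header is PK, so $a is not at 0
    "ooxml_with_macro": build_sample(ZIP_MAGIC, True),
    # OLE2 header present but not at offset 0 (e.g. preceded by other data)
    "ole2_embedded_later": build_sample(OLE2_MAGIC, True, leading_pad=b"MIME-junk\r\n"),
}


def scan_samples(samples=SAMPLES) -> dict:
    """Apply the rule logic to every sample; returns {name: matched}."""
    return {name: matches_office_macro_rule(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:22s} -> {'MATCH' if hit else 'clean'}")
```

Two things the results make visible: the `at 0` anchor means an OLE2 blob that is not at the very start of the scanned object does not match, and the raw top-level bytes of a ZIP-based .docm/.xlsm never match, so detection of those files depends on ClamAV unpacking the archive and scanning the embedded vbaProject.bin, which is itself an OLE2 container. To confirm the real rule loads and fires, scan a file against just that database with `clamscan -d /var/lib/clamav/yara_officemacros.yar sample.doc`.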
