We are using custom signatures in the ClamAV database to ban some types of files when they're attached to an email.
This is done using clamd and clamassassin with procmail.
We're looking to add a rule to our custom rules for ClamAV to ban emails which have Excel/Word/PowerPoint documents with macros.
Best Answer
Starting with version 0.99, ClamAV supports YARA rules.
So we can use a YARA rule to detect this type of file.
Create a file in your ClamAV library directory (on Ubuntu it's /var/lib/clamav/) called exampleyara_officemacros.yar
Edit it and write inside this code:
Save the file and restart clamd, and you're done ;-)
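An added example, not the rule from the original answer: one YARA rule that fits the approach described, flagging OLE2 documents (.doc/.xls/.ppt) whose directory names a VBA project stream and OOXML archives (.docm/.xlsm/.pptm) that contain vbaProject.bin. The rule name and string identifiers are illustrative, and the rule uses only plain strings and the `at` operator, with no imports or modules.

```yara
// Added example: flags Office documents that carry a VBA project.
// It matches on the presence of macros, not on what the macros do.
rule Office_Document_With_VBA_Macro
{
    meta:
        description = "Office document (OLE2 or OOXML) containing a VBA project"

    strings:
        // Container signatures, checked at offset 0 in the condition.
        $ole2_magic = { D0 CF 11 E0 A1 B1 1A E1 }   // OLE2 compound file header
        $zip_magic  = { 50 4B 03 04 }               // ZIP local file header (OOXML)

        // OLE2 directory entry names are stored as UTF-16LE, hence "wide".
        // This also covers the Excel variant "_VBA_PROJECT_CUR".
        $ole2_vba = "_VBA_PROJECT" wide

        // OOXML keeps the macro storage in a part named vbaProject.bin;
        // the part name appears uncompressed in the ZIP headers.
        $ooxml_vba = "vbaProject.bin"

    condition:
        ($ole2_magic at 0 and $ole2_vba) or
        ($zip_magic at 0 and $ooxml_vba)
}
```

ClamAV reports YARA matches as YARA.<rule name>.UNOFFICIAL, so a hit from this rule shows up as YARA.Office_Document_With_VBA_Macro.UNOFFICIAL in the scan result.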