
We are using custom signatures for the ClamAV database to ban some types of files when they're attached to an email.

This is done using clamd and clamassassin with procmail.

We're looking to add a rule to our custom ClamAV rules to ban emails which have Excel/Word/PowerPoint documents with macros.

NetVicious

1 Answer

Starting from ClamAV version 0.99, it supports YARA rules.

So we can use a YARA rule to detect this type of file.

Create a file in your ClamAV database directory (on Ubuntu it's /var/lib/clamav/) called, for example, yara_officemacros.yar

Edit it and write this code inside:

rule office_macro
{
    meta:
        description = "M$ Office document containing a macro"
        threat_level = 1
        in_the_wild = true
    strings:
        // First four bytes of the OLE2 / Compound File Binary header
        // (the full magic is D0 CF 11 E0 A1 B1 1A E1), i.e. a legacy
        // .doc/.xls/.ppt container.
        $a = {d0 cf 11 e0}
        // "\x00Attribut\x00": start of a compressed VBA module stream,
        // where a 0x00 flag byte introduces the eight literal bytes
        // "Attribut" (from "Attribute VB_Name = ...") and the next flag
        // byte follows.
        $b = {00 41 74 74 72 69 62 75 74 00}
    condition:
        // The container magic must sit at offset 0 and the VBA marker
        // must appear anywhere in the file.
        $a at 0 and $b
}

Save the file and restart clamd, and you're done ;-)

NetVicious
  • Can you at least explain what's going on? – busythomas Sep 15 '20 at 08:35
  • What do you need me to explain? We're adding a manual rule to ClamAV using YARA rules. In this YARA rule we're trying to detect some headers all Office documents have. ClamAV is usually run on email servers to detect viruses. So if ClamAV detects an Office file with a macro it will mark it as if it had a "virus" and the email server will reject or mark the email – NetVicious Aug 04 '21 at 10:43
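To see exactly what the rule in the answer above matches before dropping it into /var/lib/clamav/, here is an added example (not part of the original answer, and not ClamAV or YARA code) that re-implements the rule's two-string condition in plain Python and runs it over constructed byte samples. The samples are stand-ins built inline: a fake OLE2 blob with and without a compressed-VBA-style fragment, and a ZIP-based OOXML stand-in (a .docm-style container) that carries the same marker inside a vbaProject.bin part but begins with "PK" rather than the OLE2 magic, so the `$a at 0` anchor does not fire on it. The function and sample names are this example's own.

```python
"""Exercise the office_macro rule's condition against constructed samples.

Added example: it reimplements the rule's logic ($a at 0 and $b) in plain
Python so it runs without ClamAV or yara-python installed. The sample
files are constructed stand-ins, not valid Office documents.
"""
import io
import struct
import zipfile

# $a = {d0 cf 11 e0}: first four bytes of the OLE2 / Compound File Binary
# header. The full magic is D0 CF 11 E0 A1 B1 1A E1.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")

# $b = {00 41 74 74 72 69 62 75 74 00} decodes to "\x00Attribut\x00".
# In an MS-OVBA compressed module stream a 0x00 flag byte introduces eight
# literal bytes ("Attribut", from "Attribute VB_Name = ..."), after which
# the next flag byte follows.
VBA_ATTRIBUTE_MARKER = b"\x00Attribut\x00"


def office_macro_matches(data: bytes) -> bool:
    """Return True when the rule's condition ($a at 0 and $b) holds."""
    return data.startswith(OLE2_MAGIC[:4]) and VBA_ATTRIBUTE_MARKER in data


def ole2_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for a legacy .doc/.xls/.ppt container.

    OLE2 magic plus padding, optionally followed by a rough mimic of the
    start of a compressed VBA source stream (0x01 signature byte, a chunk
    header, then flag byte + 8 literals, flag byte + 8 literals).
    """
    body = bytearray(OLE2_MAGIC)
    body += b"\x00" * (512 - len(OLE2_MAGIC))   # pad header to one sector
    if with_macro:
        body += b"\x01" + struct.pack("<H", 0xB000 | 16)   # hypothetical chunk header
        body += b"\x00Attribut" + b"\x00e VB_Nam"
    body += b"Hello, world"                      # some document text
    return bytes(body)


def ooxml_sample() -> bytes:
    """Constructed stand-in for a macro-enabled OOXML file (.docm style).

    A ZIP container (starts with "PK") holding a vbaProject.bin part that
    contains the same marker. Parts are stored uncompressed (zipfile's
    default), so the marker is present in the raw bytes, yet the rule's
    "$a at 0" anchor cannot match because offset 0 is not the OLE2 magic.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin",
                    OLE2_MAGIC + b"\x00Attribut" + b"\x00e VB_Nam")
    return buf.getvalue()


def scan_samples() -> dict:
    """Run the rule's condition over every constructed sample."""
    samples = {
        "ole2_with_macro": ole2_sample(with_macro=True),
        "ole2_no_macro": ole2_sample(with_macro=False),
        "ooxml_with_macro": ooxml_sample(),
    }
    return {name: office_macro_matches(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:18s} office_macro={'MATCH' if hit else 'no match'}")
```

Once the rule is installed, the same three classes of input can be checked against the real engine with `clamscan -d /var/lib/clamav/yara_officemacros.yar <file>`; a hit is reported as `YARA.office_macro.UNOFFICIAL`. The OOXML case is the one to look at most carefully when deciding whether this single rule covers everything the question asked for.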