On Sun, February 7, 2016 8:30 am, David Shrimpton wrote:
> Hi,
>
> But most of the badmacro or other unofficial virus signatures written to
> detect macro viruses are written against the container itself which has the
> compressed macro code in it. They are not written against the
> uncompressed macro code, so setting ScanOLE2 yes will disable these
> signatures.

Hi David,

Just doing a *very* quick look:

Using badmacro.ndb and either ScanOLE2 no (clamd.conf) *or* using
--scan-ole2=no (clamscan) still results in the bad Word document being
detected...

clamscan --database=badmacro.ndb *.doc --scan-ole2=no

Copy_100_of_imex.prcl.I806015.doc: Sanesecurity.Badmacro.Doc.CreObj.UNOFFICIAL FOUND
Copy_101_of_imex.prcl.I806015.doc: Sanesecurity.Badmacro.Doc.CreObj.UNOFFICIAL FOUND

Well, at least that's what I'm seeing here...

> These viruses are completely missed when ScanOLE2 is yes, no matter what
> signature you write, as the non-macro files in the OLE2 container are not
> scanned and the scanned files, i.e. the uncompressed macro VBA code, don't
> contain the malicious code.

Can you scan these viruses with badmacro.ndb with --scan-ole2=no and
--scan-ole2=yes... are they detected?

If the document malware you have isn't detected by badmacro.ndb or
phish.ndb then please send me a sample... and I'll check...

http://sanesecurity.org/hesk/

Cheers,

Steve
Web : sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity

_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
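The check Steve asks for (does the same sample get flagged with --scan-ole2=no and with --scan-ole2=yes) can be scripted so the two reports are diffed rather than eyeballed. This is an added example, not a script from this thread, Sanesecurity or ClamAV; it assumes clamscan and badmacro.ndb are installed, and the report file names ole2_no.txt / ole2_yes.txt are constructed.

```shell
#!/bin/sh
# Compare clamscan detections with OLE2 parsing on versus off.
# Constructed example for this thread; not ClamAV's or Sanesecurity's tooling.

# Print the path of every file clamscan reported as "<path>: <signature> FOUND".
# Signature names contain no colon, so stripping ": <sig> FOUND" leaves the path.
found_paths() {
    awk '/ FOUND$/ { sub(/: [^:]* FOUND$/, ""); print }' "$1" | sort -u
}

# Print files flagged in report $1 but not in report $2.
only_in_first() {
    t1=$(mktemp); t2=$(mktemp)
    found_paths "$1" > "$t1"
    found_paths "$2" > "$t2"
    comm -23 "$t1" "$t2"      # comm needs sorted input; found_paths sorts
    rm -f "$t1" "$t2"
}

# Scan the .doc files in $2 with database $1 both ways and show the delta.
# Requires a real clamscan and database; report names are constructed.
scan_both() {
    db=$1; dir=$2
    clamscan --database="$db" --scan-ole2=no  "$dir"/*.doc > ole2_no.txt  || true
    clamscan --database="$db" --scan-ole2=yes "$dir"/*.doc > ole2_yes.txt || true
    echo "Detected only with --scan-ole2=no:";  only_in_first ole2_no.txt ole2_yes.txt
    echo "Detected only with --scan-ole2=yes:"; only_in_first ole2_yes.txt ole2_no.txt
}

# Usage: ./compare_ole2.sh badmacro.ndb /path/to/samples
if [ $# -eq 2 ]; then
    scan_both "$1" "$2"
fi
```

clamscan exits non-zero when it finds anything, hence the `|| true` so the comparison still runs.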