I see a ton of these too. But I also have clients who get password protected documents all the time, so it's a bit difficult to just blanket block all password protected documents.
However, if you look at one of these emails, virtually 100% of the virus emails contain the password to decrypt the message. But it's not so easy to know what word in the message is the password. Sometimes they say 'here is the key', sometimes they say 'here is the code you need', or sometimes they say 'the password is'... so you can't really just build a regex to find the password. Maybe you could just iterate through every word in the body of the email and try them.
What I have had to do is just train people that if someone sends them an email with an attachment and the password is included or comes in a second email, to call the person and ask them if it's real.
Incidentally, does anyone know of some open source mail gateway/proxy thing that would block password protected attachments like these but then send an email back to the user and have them upload the file to a secure web server, then forward an email on to the recipient letting them download it from the server? This way, clamav could scan the message on the server.

On 5 October 2016 at 18:43, Joel Esler (jesler) <jes...@cisco.com> wrote:
> Alex,
>
> Are you submitting these files to ClamAV?
>
> http://www.clamav.net/reports/malware
>
> --
> Joel
>
> > On Oct 5, 2016, at 8:21 AM, Alex <mysqlstud...@gmail.com> wrote:
> >
> > Hi,
> > I'm starting to receive emails like this:
> >
> > http://pastebin.com/HpvEcT9K
> >
> > They're not being caught by clamav or other virus filters. Is it even
> > possible to catch encrypted Word docs with a virus scanner?
> >
> > I'm using spamassassin on fedora with amavisd. Is there something that
> > can be done to at least tag them in some way so the end-user knows
> > it's a potential threat?
> >
> > Thanks,
> > Alex
> > _______________________________________________
> > Help us build a comprehensive ClamAV guide:
> > https://github.com/vrtadmin/clamav-faq
> >
> > http://www.clamav.net/contact.html#ml
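
The idea raised in the reply above, trying every word of the message body as the attachment password so the gateway can scan the decrypted file, sketched as an added example that is not part of the original thread or of ClamAV. It goes one step further than the post by trying words nearest to "password", "key" or "code" first; `candidate_passwords`, `find_password`, the `try_open` callback and the sample body are all assumptions made for illustration.

```python
import re

# Hint words from the phrasings quoted in the post
# ("the key", "the code", "the password").
HINTS = {"password", "key", "code"}
# A token is any run of characters that is not whitespace, a quote or a bracket.
TOKEN = re.compile(r"[^\s\"'<>()\[\]]+")
TRIM = ".,:;!?"


def candidate_passwords(body):
    """Every distinct word in the body, ordered by distance to the nearest hint."""
    tokens = [(m.start(), m.group()) for m in TOKEN.finditer(body)]
    hint_pos = [pos for pos, tok in tokens if tok.strip(TRIM).lower() in HINTS]

    def distance(item):
        # With no hint word in the body, fall back to plain document order.
        return min((abs(item[0] - h) for h in hint_pos), default=0)

    seen, ordered = set(), []
    for _, tok in sorted(tokens, key=lambda it: (distance(it), it[0])):
        # Try the word as written and with sentence punctuation trimmed,
        # since "4821xK." at the end of a sentence usually means "4821xK".
        for variant in (tok, tok.strip(TRIM)):
            if variant and variant not in seen:
                seen.add(variant)
                ordered.append(variant)
    return ordered


def find_password(body, try_open, max_tries=200):
    """Return the first candidate accepted by try_open, or None.

    try_open is a hypothetical callback: it takes a candidate string and
    returns True if the attachment decrypts with it. max_tries bounds the
    work spent on a single message.
    """
    for cand in candidate_passwords(body)[:max_tries]:
        if try_open(cand):
            return cand
    return None


# Constructed sample body, not taken from the thread or the pastebin link.
SAMPLE_BODY = (
    "Hello,\n\nPlease review the attached invoice. "
    "The password is 4821xK to open it.\n\nRegards,\nAccounts"
)

if __name__ == "__main__":
    print(find_password(SAMPLE_BODY, lambda p: p == "4821xK"))
```

In a gateway, `try_open` would wrap whatever decryption routine handles the attachment type, and a message where no candidate works can still be tagged or quarantined as an unscannable encrypted attachment.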