On Wed, 15 Nov 2017, Mark Foley wrote:

>On Wed 15 Nov 2017 01:14:00 -0800 Al Varnell <alvarn...@mac.com> wrote:
>
>>On Tue, Nov 14, 2017 at 07:45 AM, Mark Foley wrote:
>>> I found this older message in the archives. I'm receiving a lot of fake
>>> "Invoice" messages with attached encrypted .doc files that run VB scripts
>>> and execute .exe files.
>>>
>>> I'd like to block encrypted Word documents. Interestingly, as Reindl Harald
>>> says, ".docx files *are* zip files", but lately I've been getting .doc files
>>> which are really .docx files. KDE Dolphin isn't deceived and opens the
>>> attachment as an archive, but Word in WIN7 goes ahead and opens it as a
>>> document. If I rename the document to .docx, then Dolphin opens it in
>>> LibreOffice.
>>>
>>> So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav smart
>>> enough to look beyond the extension?
>>
>> In general, yes, clamAV doesn't pay attention to extensions and looks for
>> document signatures that are usually at the top of a file to determine
>> file type. That being said, I can't confirm exactly how it handles .doc and
>> .docx files.
>>
>
>Thanks Al. I'll turn this on and experiment. I'll post back my findings.
>
>Does anyone have experience with this?

I did a few tests some time ago. The encryption/protection is implemented
by Microsoft as an internal format somewhere in the office document
structure, _not_ as an encrypted zip file.

So ArchiveblockEncrypted won't block encrypted Word documents.

Regards,
Kees Theunissen.

--
Kees Theunissen, System and network manager, Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address: c.j.theunis...@differ.nl
postal address: PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands
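
The distinction described in the reply above, as an added example that is not part of the original thread and not ClamAV code: a password-protected OOXML document is an OLE2 compound file holding `EncryptionInfo` and `EncryptedPackage` streams (MS-OFFCRYPTO), so a check of the ZIP encryption flag never sees it. The function names, result labels and sample bytes are constructed for illustration, and the OLE2 test is a substring heuristic, not a full directory parse.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ZIP_MAGIC = b"PK\x03\x04"
# OLE2 directory entries store stream names as UTF-16LE.
ENC_STREAMS = [n.encode("utf-16-le") for n in ("EncryptionInfo", "EncryptedPackage")]

def classify(data: bytes) -> str:
    """Classify an attachment by content; the file name is never consulted."""
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of the general-purpose flag marks a ZIP-encrypted member.
            if any(info.flag_bits & 0x1 for info in zf.infolist()):
                return "zip-encrypted"
            is_ooxml = "[Content_Types].xml" in zf.namelist()
        return "ooxml-plain" if is_ooxml else "zip-plain"
    if data.startswith(OLE2_MAGIC):
        # Heuristic: look for both stream names instead of walking the directory.
        if all(name in data for name in ENC_STREAMS):
            return "ole2-encrypted-ooxml"
        return "ole2-other"
    return "unknown"

def constructed_samples() -> dict:
    """Build tiny constructed inputs (not real documents) for each case."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    plain = buf.getvalue()
    # Set the encryption flag in the first central-directory record.
    flagged = bytearray(plain)
    flagged[flagged.find(b"PK\x01\x02") + 8] |= 0x1
    # OLE2 magic plus padding and the two stream names, nothing else.
    ole = OLE2_MAGIC + bytes(504) + b"".join(n.ljust(128, b"\0") for n in ENC_STREAMS)
    return {"plain.doc": plain, "zipenc.doc": bytes(flagged),
            "protected.doc": ole, "legacy.doc": OLE2_MAGIC + bytes(504)}

if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(f"{name}: {classify(data)}")
```

Every sample is named `.doc` on purpose: the result depends only on the leading bytes and container contents, and only `zipenc.doc` carries the ZIP-level encryption flag.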