OK, I've found something. Encrypted .docx files contain the following strings:


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption"
xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password"><keyData
 saltSize="16" blockSize="16" keyBits="128" hashSize="20" cipherAlgorithm="AES"
cipherChaining="ChainingModeCBC" hashAlgorithm="SHA1"
saltValue="dT0hymDgAgaEENBUvpFPUw=="/><dataIntegrity
encryptedHmacKey="pTZ4UD/8qW4wUZy5Y92BG3Rmf

Non-encrypted .docx files do not appear to have this. Perhaps a rule could be 
set up to look for this?

I've not found anything on .doc files yet.

--Mark

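A small file classifier that acts on the observation above, written for this reply as an added example (it is not ClamAV code and not from the thread). It assumes what the thread establishes: an unencrypted .docx is a plain ZIP, while a password-encrypted OOXML document is wrapped in an OLE2 compound file carrying an EncryptionInfo stream whose XML uses the namespace shown above. The sample inputs are constructed stubs, not real documents; the signature name and the helper names are placeholders.

```python
"""Classify Office files as plain ZIP, OLE2 with an EncryptionInfo stream, or
legacy OLE2 without one.  Added example; assumptions are noted inline."""

# OLE2 / Compound File Binary header magic (D0 CF 11 E0 A1 B1 1A E1).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Local file header signature of a ZIP archive; plain .docx/.xlsx/.pptx start here.
ZIP_MAGIC = b"PK\x03\x04"
# OLE2 directory entry names are stored as UTF-16LE, so scan for that encoding.
ENCRYPTION_INFO_STREAM = "EncryptionInfo".encode("utf-16-le")
# Namespace of the agile-encryption XML quoted in the thread.
AGILE_NAMESPACE = b"http://schemas.microsoft.com/office/2006/encryption"


def classify_office_file(data: bytes) -> str:
    """Return 'ooxml-plain', 'ole2-encrypted', 'ole2-plain' or 'unknown'.

    Caveat: legacy Word 97-2003 password protection is signalled by a flag in
    the FIB, not by an EncryptionInfo stream, so such .doc files land in
    'ole2-plain'; this matches the thread's finding that .doc shows no marker.
    """
    if data.startswith(ZIP_MAGIC):
        return "ooxml-plain"
    if data.startswith(OLE2_MAGIC):
        # Either the stream name in the directory or the agile XML namespace
        # (present in clear text inside the EncryptionInfo stream) is enough.
        if ENCRYPTION_INFO_STREAM in data or AGILE_NAMESPACE in data:
            return "ole2-encrypted"
        return "ole2-plain"
    return "unknown"


def is_encrypted_office(data: bytes) -> bool:
    return classify_office_file(data) == "ole2-encrypted"


def clamav_ndb_signature(name: str = "Heuristics.OOXML.AgileEncryption") -> str:
    """Build a ClamAV .ndb line matching the agile-encryption namespace.

    Format is Name:TargetType:Offset:HexSignature; TargetType 0 means any
    file type and Offset * means anywhere in the file.  The signature name
    is a placeholder; load the line with `clamscan -d file.ndb` to try it.
    """
    return f"{name}:0:*:{AGILE_NAMESPACE.hex()}"


def build_sample(encrypted: bool) -> bytes:
    """Constructed stand-in for an OLE2 file: just the magic, padding and,
    when requested, an EncryptionInfo directory entry name.  Not a valid
    compound file; only enough to exercise the scanner offline."""
    body = bytearray(OLE2_MAGIC + b"\x00" * 504)
    if encrypted:
        entry = bytearray(128)                      # one 128-byte directory entry
        entry[: len(ENCRYPTION_INFO_STREAM)] = ENCRYPTION_INFO_STREAM
        body += entry
    return bytes(body)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, classify_office_file(fh.read()))
    print(clamav_ndb_signature())
```

Run it as `python detect_encrypted_office.py *.doc *.docx` to label each attachment, or take the printed .ndb line and test it against a known encrypted sample with clamscan before deploying it, since a body signature on a namespace string will also fire on any file that merely embeds that text.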
On Wed, 15 Nov 2017 13:09:28 -0500 Mark Foley <mfo...@novatec-inc.com> wrote:

> On Wed, 15 Nov 2017 18:37:36 +0100 (CET) Kees Theunissen 
> <c.j.theunis...@differ.nl> wrote:
>
> >
> > On Wed, 15 Nov 2017, Mark Foley wrote:
> >
> > >On Wed 15 Nov 2017 01:14:00 -0800 Al Varnell <alvarn...@mac.com> wrote:
> > >
> > >>On Tue, Nov 14, 2017 at 07:45 AM, Mark Foley wrote:
> > >>> I found this older message in the archives. I'm receiving a lot of fake
> > >>> "Invoice" messages with attached encrypted .doc files that run VB 
> > >>> scripts and
> > >>> execute .exe files.
> > >>>
> > >>> I'd like to block encrypted Word documents.  Interestingly, as Reindl 
> > >>> Harald
> > >>> says, ".docx files *are* zip files", but lately I've been getting .doc 
> > >>> files
> > >>> which are really .docx file.  KDE Dolphin isn't deceived and opens the
> > >>> attachment as an archive, but Word in WIN7 goes ahead and opens it as a
> > >>> document.  If I rename the document to .docx, then Dolphin opens it in
> > >>> LibreOffice.
> > >>>
> > >>> So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav 
> > >>> smart
> > >>> enough to look beyond the extension?
> > >>
> > >> In general, yes, clamAV doesn't pay attention to extensions and looks for
> > >> document signatures that are usually at the top of a file to determine
> > >> file type. That being said, I can't confirm exactly how it handles .doc 
> > >> and .docx files.
> > >>
> > >
> > >Thanks Al. I'll turn this on and experiment. I'll post back my findings.
> > >
> > >Does anyone have experience with this?
> >
> > I did a few tests some time ago. The encryption/protection
> > is implemented by Microsoft as an internal format somewhere in
> > the office document structure, _not_ as an encrypted zip file.
> >
> > So ArchiveblockEncrypted won't block encrypted Word documents.
> >
> >
> > Regards,
> >
> > Kees Theunissen.
> >
> > -- 
> > Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
> > Dutch Institute For Fundamental Energy Research (DIFFER)
> > e-mail address:   c.j.theunis...@differ.nl
> > postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
> > visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands
>
> Ah! Bummer. I thought that might be the case.
>
> Did you ever find a way to identify an encrypted .doc[x] file?
>
> --Mark
> _______________________________________________
> clamav-users mailing list
> clamav-users@lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>