Hi there,

On Tue, 8 Sep 2020, Hugo Boss via clamav-users wrote:

I would like to know how I can block, with ClamAV, LibreOffice files with
macros, as for MS Office files:

I turned on:
OLE2BlockMacros yes
DetectPUA yes

But no result.

I'm not quite sure I understand exactly what you want to do, but if
you look into how a LibreOffice file stores information you might see
a way to achieve what you want.  The files are generally compressed
archives which contain a number of files and directories.  It's very
easy to unzip them and inspect the extracted directory structure.

Then you can take a view.  Macros are usually (but not always) written
in a form of BASIC, so you might for example want to consider blocking
the file if there's a directory called 'Basic' in the extracted tree.

I don't know how easy or time consuming it will be to do that with the
signatures that you can write for ClamAV, but I'm sure it's possible.
See the ClamAV documentation for more about writing signatures.

After you've written such a signature, I'm sure it will be fairly easy
to imagine ways that a malicious sender might get around it.  In my
view it's easier and probably more reliable to block things based on
information about the source of a document than it is to try to cover
every possible way of hiding malicious stuff in it.

Bear in mind that a lot of macros are perfectly harmless and the user
who sent a document might not even know that there are macros in it.

If you have samples of documents containing malicious macros which
ClamAV doesn't at the moment detect I'm sure that the ClamAV team
would be interested to see them.

Finally, before you go reinventing any wheels don't overlook the
various sources of third-party signatures for ClamAV which might do
what you need already.

--

73,
Ged.
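One way to do the directory check Ged describes, as an added example that is not from this thread or from ClamAV: a small Python pre-filter that treats the document as a zip archive and looks for a Basic macro library both in the real entry names and in the paths the document's own META-INF/manifest.xml declares. The sample document is constructed in memory (it is not a real file), and the names build_sample_odt, find_macro_indicators and has_basic_macros are this example's own.

```python
import io
import re
import zipfile
from typing import List

# Constructed sample: a minimal ODF-style zip, optionally with a Basic
# library, built in memory so the script runs offline (not a real document).
def build_sample_odt(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", "<office:document-content/>")
        declared = ["content.xml"]
        if with_macro:
            z.writestr("Basic/script-lc.xml", "<library:libraries/>")
            z.writestr("Basic/Standard/script-lb.xml", "<library:library/>")
            z.writestr("Basic/Standard/Module1.xml",
                       "<script:module>Sub Main\nEnd Sub</script:module>")
            declared += ["Basic/", "Basic/Standard/",
                         "Basic/Standard/Module1.xml"]
        entries = "".join(
            f'<manifest:file-entry manifest:full-path="{p}"/>' for p in declared)
        z.writestr("META-INF/manifest.xml",
                   f"<manifest:manifest>{entries}</manifest:manifest>")
    return buf.getvalue()

def find_macro_indicators(data: bytes) -> List[str]:
    """List archive members that point at an embedded Basic macro library.

    Both the zip entry names and the paths listed in META-INF/manifest.xml
    are checked: the manifest is the document's own inventory of its parts,
    so a library that appears in only one of the two is still reported."""
    found: List[str] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found  # not a zip container, so not an ODF package at all
    with archive as z:
        for name in z.namelist():
            if name.split("/")[0] == "Basic":
                found.append(f"entry:{name}")
        if "META-INF/manifest.xml" in z.namelist():
            manifest = z.read("META-INF/manifest.xml").decode("utf-8", "replace")
            for m in re.finditer(r'manifest:full-path="([^"]+)"', manifest):
                if m.group(1).split("/")[0] == "Basic":
                    found.append(f"manifest:{m.group(1)}")
    return found

def has_basic_macros(data: bytes) -> bool:
    return bool(find_macro_indicators(data))
```

As the reply above notes, a check like this only catches the common layout; it says nothing about what the macro does, and a sender who knows about it can place the library elsewhere, so treat it as a coarse filter rather than a verdict.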

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
