Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Joel Esler (jesler)
Doc.Dropper.Agent is automated.  Sounds like someone submitted the file to
Clamav.net or one of my other automated systems that produce detection.

--
Joel Esler | Talos: Manager | jes...@cisco.com

On Nov 15, 2017, at 7:09 PM, Al Varnell wrote:

Yes, both those signatures were added in daily - 24045 last night (my time).

-Al-

On Wed, Nov 15, 2017 at 01:14 PM, Mark Foley wrote:

Actually, the clamscanner is now finding these files, so someone must have
updated something since yesterday (which is when these files came in):

/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S:
 Doc.Dropper.Agent-6374331-0 FOUND
/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S!MAIL:InvoiceETT3600920.doc!...!(3)ZIP:docProps/core.xml:
 Doc.Dropper.Agent-6374331-0 FOUND

I'll go ahead and submit my file anyway, in case this is something different.

--Mark

-Original Message-
From: Steven Morgan
Date: Wed, 15 Nov 2017 15:50:31 -0500
To: ClamAV users ML
Subject: Re: [clamav-users] Virus Malvare not detected

Mark,

Please open a bug report about this issue at 
bugzilla.clamav.net. Please
include your file and we can look into the issues.

Thanks,
Steve



On Wed, Nov 15, 2017 at 2:45 PM, Mark Foley wrote:

I'm going to continue piggybacking onto this thread as it deals with Clamav's
non-discovery of the malware attached to messages with the subject "Invoice
...". Although, I don't know if this is the same type of attachment.

The attachments I've been getting are .docx files named as .doc files. In
examining the contents of these archives I find:

$ unzip -l InvoiceZGC3020188.doc
Archive:  InvoiceZGC3020188.doc
  Length      Date    Time    Name
---------  ---------- -----   ----
     1510  01-01-1980 00:00   [Content_Types].xml
      590  01-01-1980 00:00   _rels/.rels
     1226  01-01-1980 00:00   word/_rels/document.xml.rels
     5097  01-01-1980 00:00   word/document.xml
     5424  01-01-1980 00:00   word/media/image1.emf
   132276  01-01-1980 00:00   word/media/image2.png
     6850  01-01-1980 00:00   word/theme/theme1.xml
     6144  01-01-1980 00:00   word/embeddings/oleObject1.bin
     4809  01-01-1980 00:00   word/settings.xml
     1299  01-01-1980 00:00   word/fontTable.xml
      576  01-01-1980 00:00   word/webSettings.xml
      995  01-01-1980 00:00   docProps/app.xml
    29121  01-01-1980 00:00   word/styles.xml
      732  01-01-1980 00:00   docProps/core.xml
---------                     -------
   196649                     14 files

"Normal" .docx files do not have the oleObject1.bin as an archive member. I do
have ScanOLE2 and OLE2BlockMacros enabled. So why isn't clamav detecting this
oleObject1.bin member?

(To where should I submit a sample of this attachment?)

--Mark

-Original Message-
From: Mark Foley
Date: Wed, 15 Nov 2017 13:18:23 -0500
Organization: Novatec Software Engineering, LLC
To: clamav-users@lists.clamav.net

I'm having this same issue. The problem as I see it is that the .doc attached to
these "Invoice" messages is encrypted and clamav does not see what's inside. I'm
discussing this encrypted attachment issue in my thread, subject: "password
protected encrypted .docx files". I'm continuing to research this.

--Mark

On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel wrote:

Other virus not detected

https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection


On 14/11/17 at 09:52, Emanuel wrote:
Scan the attachment, clamav does not detect this file.


On 14/11/17 at 09:51, Al Varnell wrote:
You mentioned two attachments. Kaspersky and ClamXAV appear to catch
the first one, but neither catches the second one you showed us. The
SHA256 for a file is the same no matter what scanner is used.

-Al-

On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
the first scan is with kaspersky online


On 14/11/17 at 09:31, Al Varnell wrote:
That's not the same file you showed before. The SHA256 is different.

-Al-

On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
Please see

https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/



Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Al Varnell
Yes, both those signatures were added in daily - 24045 last night (my time).

-Al-

On Wed, Nov 15, 2017 at 01:14 PM, Mark Foley wrote:
> 
> Actually, the clamscanner is now finding these files, so someone must have
> updated something since yesterday (which is when these files came in):
> 
> /home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S:
>  Doc.Dropper.Agent-6374331-0 FOUND
> /home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S!MAIL:InvoiceETT3600920.doc!...!(3)ZIP:docProps/core.xml:
>  Doc.Dropper.Agent-6374331-0 FOUND
> 
> I'll go ahead and submit my file anyway, in case this is something different.
> 
> --Mark
>> 
>> -Original Message-
>> From: Steven Morgan 
>> Date: Wed, 15 Nov 2017 15:50:31 -0500
>> To: ClamAV users ML 
>> Subject: Re: [clamav-users] Virus Malvare not detected
>> 
>> Mark,
>> 
>> Please open a bug report about this issue at bugzilla.clamav.net. Please
>> include your file and we can look into the issues.
>> 
>> Thanks,
>> Steve
>> 
>> 
>> 
>> On Wed, Nov 15, 2017 at 2:45 PM, Mark Foley  wrote:
>> 
>>> I'm going to continue piggybacking onto this thread as it deals with Clamav's
>>> non-discovery of the malware attached to messages with the subject "Invoice
>>> ...". Although, I don't know if this is the same type of attachment.
>>> 
>>> The attachments I've been getting are .docx files named as .doc files. In
>>> examining the contents of these archives I find:
>>> 
>>> $ unzip -l InvoiceZGC3020188.doc
>>> Archive:  InvoiceZGC3020188.doc
>>>   Length      Date    Time    Name
>>> ---------  ---------- -----   ----
>>>      1510  01-01-1980 00:00   [Content_Types].xml
>>>       590  01-01-1980 00:00   _rels/.rels
>>>      1226  01-01-1980 00:00   word/_rels/document.xml.rels
>>>      5097  01-01-1980 00:00   word/document.xml
>>>      5424  01-01-1980 00:00   word/media/image1.emf
>>>    132276  01-01-1980 00:00   word/media/image2.png
>>>      6850  01-01-1980 00:00   word/theme/theme1.xml
>>>      6144  01-01-1980 00:00   word/embeddings/oleObject1.bin
>>>      4809  01-01-1980 00:00   word/settings.xml
>>>      1299  01-01-1980 00:00   word/fontTable.xml
>>>       576  01-01-1980 00:00   word/webSettings.xml
>>>       995  01-01-1980 00:00   docProps/app.xml
>>>     29121  01-01-1980 00:00   word/styles.xml
>>>       732  01-01-1980 00:00   docProps/core.xml
>>> ---------                     -------
>>>    196649                     14 files
>>> 
>>> "Normal" .docx files do not have the oleObject1.bin as an archive member. I do
>>> have ScanOLE2 and OLE2BlockMacros enabled. So why isn't clamav detecting this
>>> oleObject1.bin member?
>>> 
>>> (To where should I submit a sample of this attachment?)
>>> 
>>> --Mark
>>> 
>>> -Original Message-
>>> From: Mark Foley 
>>> Date: Wed, 15 Nov 2017 13:18:23 -0500
>>> Organization: Novatec Software Engineering, LLC
>>> To: clamav-users@lists.clamav.net
>>> 
>>> I'm having this same issue. The problem as I see it is that the .doc attached to
>>> these "Invoice" messages is encrypted and clamav does not see what's inside. I'm
>>> discussing this encrypted attachment issue in my thread, subject: "password
>>> protected encrypted .docx files". I'm continuing to research this.
>>> 
>>> --Mark
>>> 
>>> On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel wrote:
>>> 
>>>> Other virus not detected
>>>> 
>>>> https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection
>>>> 
>>>> 
>>>> On 14/11/17 at 09:52, Emanuel wrote:
>>>>> Scan the attachment, clamav does not detect this file.
>>>>> 
>>>>> 
>>>>> On 14/11/17 at 09:51, Al Varnell wrote:
>>>>>> You mentioned two attachments. Kaspersky and ClamXAV appear to catch
>>>>>> the first one, but neither catches the second one you showed us. The
>>>>>> SHA256 for a file is the same no matter what scanner is used.
>>>>>> 
>>>>>> -Al-
>>>>>> 
>>>>>> On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
>>>>>>> the first scan is with kaspersky online
>>>>>>> 
>>>>>>> 
>>>>>>> On 14/11/17 at 09:31, Al Varnell wrote:
>>>>>>>> That's not the same file you showed before. The SHA256 is different.
>>>>>>>> 
>>>>>>>> -Al-
>>>>>>>> 
>>>>>>>> On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
>>>>>>>>> Please see
>>>>>>>>> 
>>>>>>>>> https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/

Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain

2017-11-15 Thread micah anderson
micah anderson writes:

> X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17
>
> but people are still complaining. Did I do this wrong? Looking again at
> the documentation, it appears that it should be '17-' instead of '17',
> but I'm not sure that matters.

Anyone have any insight about the missing hyphen? I can't find any
documentation about these supported levels and how to properly indicate
them.

thanks!
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Mark Foley
Actually, the clamscanner is now finding these files, so someone must have
updated something since yesterday (which is when these files came in):

/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S:
 Doc.Dropper.Agent-6374331-0 FOUND
/home/HPRS/matkeson/Maildir/.SENT/cur/1510671208.M989641P17402.mail,S=203527,W=206204:2,S!MAIL:InvoiceETT3600920.doc!...!(3)ZIP:docProps/core.xml:
 Doc.Dropper.Agent-6374331-0 FOUND

I'll go ahead and submit my file anyway, in case this is something different.

--Mark

-Original Message-
From: Steven Morgan 
Date: Wed, 15 Nov 2017 15:50:31 -0500
To: ClamAV users ML 
Subject: Re: [clamav-users] Virus Malvare not detected

Mark,

Please open a bug report about this issue at bugzilla.clamav.net. Please
include your file and we can look into the issues.

Thanks,
Steve



On Wed, Nov 15, 2017 at 2:45 PM, Mark Foley wrote:

> I'm going to continue piggybacking onto this thread as it deals with Clamav's
> non-discovery of the malware attached to messages with the subject "Invoice
> ...". Although, I don't know if this is the same type of attachment.
>
> The attachments I've been getting are .docx files named as .doc files. In
> examining the contents of these archives I find:
>
> $ unzip -l InvoiceZGC3020188.doc
> Archive:  InvoiceZGC3020188.doc
>   Length      Date    Time    Name
> ---------  ---------- -----   ----
>      1510  01-01-1980 00:00   [Content_Types].xml
>       590  01-01-1980 00:00   _rels/.rels
>      1226  01-01-1980 00:00   word/_rels/document.xml.rels
>      5097  01-01-1980 00:00   word/document.xml
>      5424  01-01-1980 00:00   word/media/image1.emf
>    132276  01-01-1980 00:00   word/media/image2.png
>      6850  01-01-1980 00:00   word/theme/theme1.xml
>      6144  01-01-1980 00:00   word/embeddings/oleObject1.bin
>      4809  01-01-1980 00:00   word/settings.xml
>      1299  01-01-1980 00:00   word/fontTable.xml
>       576  01-01-1980 00:00   word/webSettings.xml
>       995  01-01-1980 00:00   docProps/app.xml
>     29121  01-01-1980 00:00   word/styles.xml
>       732  01-01-1980 00:00   docProps/core.xml
> ---------                     -------
>    196649                     14 files
>
> "Normal" .docx files do not have the oleObject1.bin as an archive member. I do
> have ScanOLE2 and OLE2BlockMacros enabled. So why isn't clamav detecting this
> oleObject1.bin member?
>
> (To where should I submit a sample of this attachment?)
>
> --Mark
>
> -Original Message-
> From: Mark Foley 
> Date: Wed, 15 Nov 2017 13:18:23 -0500
> Organization: Novatec Software Engineering, LLC
> To: clamav-users@lists.clamav.net
>
> I'm having this same issue. The problem as I see it is that the .doc attached to
> these "Invoice" messages is encrypted and clamav does not see what's inside. I'm
> discussing this encrypted attachment issue in my thread, subject: "password
> protected encrypted .docx files". I'm continuing to research this.
>
> --Mark
>
> On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel wrote:
>
> > Other virus not detected
> >
> > https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection
> >
> >
> > On 14/11/17 at 09:52, Emanuel wrote:
> > > Scan the attachment, clamav does not detect this file.
> > >
> > >
> > > On 14/11/17 at 09:51, Al Varnell wrote:
> > >> You mentioned two attachments. Kaspersky and ClamXAV appear to catch
> > >> the first one, but neither catches the second one you showed us. The
> > >> SHA256 for a file is the same no matter what scanner is used.
> > >>
> > >> -Al-
> > >>
> > >> On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
> > >>> the first scan is with kaspersky online
> > >>>
> > >>>
> > >>> On 14/11/17 at 09:31, Al Varnell wrote:
> > >>>> That's not the same file you showed before. The SHA256 is different.
> > >>>>
> > >>>> -Al-
> > >>>>
> > >>>> On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
> > >>>>> Please see
> > >>>>>
> > >>>>> https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> On 14/11/17 at 09:00, Al Varnell wrote:
> > >>>>>> According to VirusTotal, ClamAV does detect it as
> > >>>>>> Doc.Dropper.Agent-6369707-0

Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Steven Morgan
Mark,

Please open a bug report about this issue at bugzilla.clamav.net. Please
include your file and we can look into the issues.

Thanks,
Steve



On Wed, Nov 15, 2017 at 2:45 PM, Mark Foley wrote:

> I'm going to continue piggybacking onto this thread as it deals with Clamav's
> non-discovery of the malware attached to messages with the subject "Invoice
> ...". Although, I don't know if this is the same type of attachment.
>
> The attachments I've been getting are .docx files named as .doc files. In
> examining the contents of these archives I find:
>
> $ unzip -l InvoiceZGC3020188.doc
> Archive:  InvoiceZGC3020188.doc
>   Length      Date    Time    Name
> ---------  ---------- -----   ----
>      1510  01-01-1980 00:00   [Content_Types].xml
>       590  01-01-1980 00:00   _rels/.rels
>      1226  01-01-1980 00:00   word/_rels/document.xml.rels
>      5097  01-01-1980 00:00   word/document.xml
>      5424  01-01-1980 00:00   word/media/image1.emf
>    132276  01-01-1980 00:00   word/media/image2.png
>      6850  01-01-1980 00:00   word/theme/theme1.xml
>      6144  01-01-1980 00:00   word/embeddings/oleObject1.bin
>      4809  01-01-1980 00:00   word/settings.xml
>      1299  01-01-1980 00:00   word/fontTable.xml
>       576  01-01-1980 00:00   word/webSettings.xml
>       995  01-01-1980 00:00   docProps/app.xml
>     29121  01-01-1980 00:00   word/styles.xml
>       732  01-01-1980 00:00   docProps/core.xml
> ---------                     -------
>    196649                     14 files
>
> "Normal" .docx files do not have the oleObject1.bin as an archive member. I do
> have ScanOLE2 and OLE2BlockMacros enabled. So why isn't clamav detecting this
> oleObject1.bin member?
>
> (To where should I submit a sample of this attachment?)
>
> --Mark
>
> -Original Message-
> From: Mark Foley 
> Date: Wed, 15 Nov 2017 13:18:23 -0500
> Organization: Novatec Software Engineering, LLC
> To: clamav-users@lists.clamav.net
>
> I'm having this same issue. The problem as I see it is that the .doc attached to
> these "Invoice" messages is encrypted and clamav does not see what's inside. I'm
> discussing this encrypted attachment issue in my thread, subject: "password
> protected encrypted .docx files". I'm continuing to research this.
>
> --Mark
>
> On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel wrote:
>
> > Other virus not detected
> >
> > https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection
> >
> >
> > On 14/11/17 at 09:52, Emanuel wrote:
> > > Scan the attachment, clamav does not detect this file.
> > >
> > >
> > > On 14/11/17 at 09:51, Al Varnell wrote:
> > >> You mentioned two attachments. Kaspersky and ClamXAV appear to catch
> > >> the first one, but neither catches the second one you showed us. The
> > >> SHA256 for a file is the same no matter what scanner is used.
> > >>
> > >> -Al-
> > >>
> > >> On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
> > >>> the first scan is with kaspersky online
> > >>>
> > >>>
> > >>> On 14/11/17 at 09:31, Al Varnell wrote:
> > >>>> That's not the same file you showed before. The SHA256 is different.
> > >>>>
> > >>>> -Al-
> > >>>>
> > >>>> On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
> > >>>>> Please see
> > >>>>>
> > >>>>> https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/
> > >>>>>
> > >>>>>
> > >>>>>
> > >>>>> On 14/11/17 at 09:00, Al Varnell wrote:
> > >>>>>> According to VirusTotal, ClamAV does detect it as
> > >>>>>> Doc.Dropper.Agent-6369707-0
> > >>>>>>
> > >>>>>>
> > >>>>>> but go ahead and try to submit it anyway.
> > >>>>>>
> > >>>>>> -Al-
> > >>>>>>
> > >>>>>> On Tue, Nov 14, 2017 at 03:33 AM, Emanuel wrote:
> > >>>>>>> Hello,
> > >>>>>>>
> > >>>>>>> I received two docs files in an email with the Subject "Invoice".
> > >>>>>>> The attachment is a malware virus, clamav did not detect this.
> > >>>>>>>
> 

Re: [clamav-users] Solaris pkg download

2017-11-15 Thread Yuri
pkgutil -h

pkgutil -d CSWclamav -P /tmp


16.11.2017 2:10, Jones, Bob wrote:
> I'm looking for the compiled ClamAV package download for SPARC Solaris 10 and
> x86 Solaris 10 if it's available.  I have no way to install the pkg directly
> from the CSW site using pkgadd - I just need to get the package itself if
> that's possible.
>
> Thanks,
> Bob Jones

-- 
* C++: Bug to the future *





[clamav-users] Solaris pkg download

2017-11-15 Thread Jones, Bob
I'm looking for the compiled ClamAV package download for SPARC Solaris 10 and
x86 Solaris 10 if it's available.  I have no way to install the pkg directly
from the CSW site using pkgadd - I just need to get the package itself if
that's possible.

Thanks,
Bob Jones
The information contained in this e-mail and in any attachments is intended 
only for the person or entity to which it is addressed and may contain 
confidential and/or privileged material. Any review, retransmission, 
dissemination or other use of, or taking of any action in reliance upon, this 
information by persons or entities other than the intended recipient is 
prohibited. This message has been scanned for known computer viruses.


Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Mark Foley
I'm going to continue piggybacking onto this thread as it deals with Clamav's
non-discovery of the malware attached to messages with the subject "Invoice
...". Although, I don't know if this is the same type of attachment.

The attachments I've been getting are .docx files named as .doc files. In
examining the contents of these archives I find:

$ unzip -l InvoiceZGC3020188.doc
Archive:  InvoiceZGC3020188.doc
  Length      Date    Time    Name
---------  ---------- -----   ----
     1510  01-01-1980 00:00   [Content_Types].xml
      590  01-01-1980 00:00   _rels/.rels
     1226  01-01-1980 00:00   word/_rels/document.xml.rels
     5097  01-01-1980 00:00   word/document.xml
     5424  01-01-1980 00:00   word/media/image1.emf
   132276  01-01-1980 00:00   word/media/image2.png
     6850  01-01-1980 00:00   word/theme/theme1.xml
     6144  01-01-1980 00:00   word/embeddings/oleObject1.bin
     4809  01-01-1980 00:00   word/settings.xml
     1299  01-01-1980 00:00   word/fontTable.xml
      576  01-01-1980 00:00   word/webSettings.xml
      995  01-01-1980 00:00   docProps/app.xml
    29121  01-01-1980 00:00   word/styles.xml
      732  01-01-1980 00:00   docProps/core.xml
---------                     -------
   196649                     14 files

"Normal" .docx files do not have the oleObject1.bin as an archive member. I do
have ScanOLE2 and OLE2BlockMacros enabled. So why isn't clamav detecting this
oleObject1.bin member?

(To where should I submit a sample of this attachment?)

--Mark

-Original Message-
From: Mark Foley 
Date: Wed, 15 Nov 2017 13:18:23 -0500
Organization: Novatec Software Engineering, LLC
To: clamav-users@lists.clamav.net

I'm having this same issue. The problem as I see it is that the .doc attached to
these "Invoice" messages is encrypted and clamav does not see what's inside. I'm
discussing this encrypted attachment issue in my thread, subject: "password
protected encrypted .docx files". I'm continuing to research this.

--Mark

On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel wrote:

> Other virus not detected
>
> https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection
>
>
> On 14/11/17 at 09:52, Emanuel wrote:
> > Scan the attachment, clamav does not detect this file.
> >
> >
> > On 14/11/17 at 09:51, Al Varnell wrote:
> >> You mentioned two attachments. Kaspersky and ClamXAV appear to catch
> >> the first one, but neither catches the second one you showed us. The
> >> SHA256 for a file is the same no matter what scanner is used.
> >>
> >> -Al-
> >>
> >> On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
> >>> the first scan is with kaspersky online
> >>>
> >>>
> >>> On 14/11/17 at 09:31, Al Varnell wrote:
> >>>> That's not the same file you showed before. The SHA256 is different.
> >>>>
> >>>> -Al-
> >>>>
> >>>> On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
> >>>>> Please see
> >>>>>
> >>>>> https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 14/11/17 at 09:00, Al Varnell wrote:
> >>>>>> According to VirusTotal, ClamAV does detect it as
> >>>>>> Doc.Dropper.Agent-6369707-0
> >>>>>>
> >>>>>>
> >>>>>> but go ahead and try to submit it anyway.
> >>>>>>
> >>>>>> -Al-
> >>>>>>
> >>>>>> On Tue, Nov 14, 2017 at 03:33 AM, Emanuel wrote:
> >>>>>>> Hello,
> >>>>>>>
> >>>>>>> I received two docs files in an email with the Subject "Invoice".
> >>>>>>> The attachment is a malware virus, clamav did not detect this.
> >>>>>>>
> >>>>>>> Scan with kaspersky
> >>>>>>>
> >>>>>>>
> >>>>>>> Scan result
> >>>>>>> File is infected
> >>>>>>> Detected threats
> >>>>>>> Trojan-Downloader.MSWord.Agent.bqx
> >>>>>>> File size
> >>>>>>> 144.95 KB
> >>>>>>> File type
> >>>>>>> OOXML/DOCUMENT
> >>>>>>> Scan date
> >>>>>>> Nov 14 2017 08:15:42
> >>>>>>> Databases release date
> >>>>>>> Nov 14 2017 10:36:04 UTC
> >>>>>>> MD5
>

Re: [clamav-users] password protected encrypted .docx files

2017-11-15 Thread Mark Foley
OK, I've found something. Encrypted .docx files contain the following strings:

http://schemas.microsoft.com/office/2006/encryption
xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password"

> > >>> scripts and
> > >>> execute .exe files.
> > >>> I'd like to block encrypted Word documents.  Interestingly, as Reindl Harald
> > >>> says, ".docx files *are* zip files", but lately I've been getting .doc files
> > >>> which are really .docx files.  KDE Dolphin isn't deceived and opens the
> > >>> attachment as an archive, but Word in WIN7 goes ahead and opens it as a
> > >>> document.  If I rename the document to .docx, then Dolphin opens it in
> > >>> LibreOffice.
> > >>>
> > >>> So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav smart
> > >>> enough to look beyond the extension?
> > >>
> > >> In general, yes, clamAV doesn't pay attention to extensions and looks for
> > >> document signatures that are usually at the top of a file to determine
> > >> file type. That being said, I can't confirm exactly how it handles .doc 
> > >> and .docx files.
> > >>
> > >
> > > Thanks Al. I'll turn this on and experiment. I'll post back my findings.
> > >
> > > Does anyone have experience with this?
> >
> > I did a few tests some time ago. The encryption/protection
> > is implemented by microsoft as an internal format somewhere in
> > the office document structure, _not_ as an encrypted zip file.
> >
> > So ArchiveblockEncrypted won't block encrypted Word documents.
> >
> >
> > Regards,
> >
> > Kees Theunissen.
> >
> > -- 
> > Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
> > Dutch Institute For Fundamental Energy Research (DIFFER)
> > e-mail address:   c.j.theunis...@differ.nl
> > postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
> > visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands
>
> Ah! Bummer. I thought that might be the case.
>
> Did you ever find a way to identify an encrypted .doc[x] file?
>
> --Mark
>
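The two findings in this thread, a ".doc" that is really a ZIP with word/embeddings/oleObject1.bin in it and the encryption namespace strings above, put together as one content-based attachment check. This is an added example, not ClamAV code or anything posted to the list: the ZIP and OLE2 magic bytes and the EncryptionInfo/EncryptedPackage stream names are from the Office file-format specifications, the function names, extension sets and review policy are mine, and both sample files are constructed inside the block.

```python
import io
import os
import zipfile

# Container magic bytes: ZIP local-file header and OLE2 (compound file) header.
ZIP_MAGIC = b"PK\x03\x04"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Namespace strings the thread found inside encrypted .docx files; Agile
# encryption writes them as UTF-8 XML into the EncryptionInfo stream.
ENCRYPTION_NAMESPACES = (
    b"http://schemas.microsoft.com/office/2006/encryption",
    b"http://schemas.microsoft.com/office/2006/keyEncryptor/password",
)
# Stream names every encrypted OOXML package carries (MS-OFFCRYPTO). The OLE2
# directory stores names as UTF-16LE, so search for them in that encoding; this
# also catches "Standard" encryption, whose EncryptionInfo holds no XML.
ENCRYPTED_STREAMS = tuple(s.encode("utf-16-le") for s in ("EncryptionInfo", "EncryptedPackage"))

# Extension sets are my own choice for the mismatch check.
OOXML_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
OLE2_EXTENSIONS = {".doc", ".xls", ".ppt"}


def triage(data: bytes) -> dict:
    """Classify one attachment body by its bytes, never by its file name."""
    verdict = {"kind": "unknown", "encrypted": False, "embeddings": [], "members": 0}
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            verdict["kind"] = "zip-corrupt"
            return verdict
        # An OOXML package is a ZIP whose root carries [Content_Types].xml.
        verdict["kind"] = "ooxml" if "[Content_Types].xml" in names else "zip"
        verdict["members"] = len(names)
        # Embedded OLE objects live under word/embeddings/; the sample in the
        # thread had oleObject1.bin there, which ordinary .docx files do not.
        verdict["embeddings"] = sorted(n for n in names if n.startswith("word/embeddings/"))
    elif data.startswith(OLE2_MAGIC):
        verdict["kind"] = "ole2"
        # An encrypted OOXML file is not an encrypted ZIP: Office wraps the
        # package in an OLE2 container, so ArchiveBlockEncrypted never sees it.
        # Look for the markers instead. (Legacy RC4-protected .doc is not covered.)
        verdict["encrypted"] = any(m in data for m in ENCRYPTION_NAMESPACES + ENCRYPTED_STREAMS)
    return verdict


def extension_mismatch(filename: str, verdict: dict) -> bool:
    """True when the extension promises a different container than the bytes show."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in OOXML_EXTENSIONS:
        # An encrypted OOXML package legitimately arrives as an OLE2 container.
        encrypted_ole2 = verdict["kind"] == "ole2" and verdict["encrypted"]
        return not (verdict["kind"] == "ooxml" or encrypted_ole2)
    if ext in OLE2_EXTENSIONS:
        return verdict["kind"] != "ole2"
    return False


def flag_for_review(filename: str, verdict: dict) -> bool:
    """Gate policy drawn from the thread: hold anything the scanner cannot look
    inside, any Word package with embedded OLE objects, and any extension that lies."""
    return bool(verdict["encrypted"] or verdict["embeddings"] or extension_mismatch(filename, verdict))


def build_renamed_docx() -> bytes:
    """Constructed sample: a minimal OOXML ZIP using member names from the unzip
    listing in the thread. Member contents are placeholders, not the real file."""
    members = ["[Content_Types].xml", "_rels/.rels", "word/document.xml",
               "word/embeddings/oleObject1.bin", "docProps/core.xml"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in members:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


def build_encrypted_ole2() -> bytes:
    """Constructed sample: an OLE2 header followed by the directory-entry name and
    EncryptionInfo XML an encrypted .docx carries. Not a parseable compound file."""
    header = OLE2_MAGIC + b"\x00" * 504
    directory = "EncryptionInfo".encode("utf-16-le") + b"\x00" * 32
    info = (b'<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption" '
            b'xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password">')
    return header + directory + info


if __name__ == "__main__":
    for name, blob in (("InvoiceZGC3020188.doc", build_renamed_docx()),
                       ("Invoice.docx", build_encrypted_ole2())):
        v = triage(blob)
        print(f"{name}: {v} -> {'REVIEW' if flag_for_review(name, v) else 'pass'}")
```

Run it ahead of or beside the scanner (for instance from the MTA's content filter) so a file that ClamAV returns clean but cannot inspect still gets held for a human.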


Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain

2017-11-15 Thread Kris Deugau

micah anderson wrote:

I keep having people complaining about False Positives due to
Heuristics.Phishing.Email.SpoofedDomain - my research has shown me that
the reason this is happening is because of Outlook's "advanced threat
protection" which wraps urls in a "safelink" url,



I really didn't want to do this, but I followed
https://github.com/vrtadmin/clamav-devel/blob/master/docs/phishsigs_howto.pdf

and I added the following to local.wdb (is this still the right place?!)
to "whitelist" safebrowsing:

X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17

but people are still complaining. Did I do this wrong? Looking again at
the documentation, it appears that it should be '17-' instead of '17',
but I'm not sure that matters.


I don't know if the whitelist setup will let you blanket-whitelist ALL 
EVARYTHING like that.  Grab a sample message, and run clamscan -D on it 
to find the link it's choking on.  Tweak the regex in between calls - 
eg, start with a specific match on the example, and gradually make it 
more general.  IME there are undocumented limits on what really 
constitutes a "valid" entry (both in syntax and in results), so the only 
way to get it right is to test and adjust until it works as expected.  :/



Is there some better way to deal with this? I do not want to turn off
phishing protection in general.


I'd suggest moving up a layer, to whatever is calling Clam, and handle 
that result differently (ie, add a header to pass on to the spam filter 
rather than treat it as an absolute black/white result on its own).


-kgd


Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Mark Foley
I'm having this same issue. The problem as I see it is that the .doc attached to
these "Invoice" messages is encrypted and clamav does not see what's inside. I'm
discussing this encrypted attachment issue in my thread, subject: "password
protected encrypted .docx files". I'm continuing to research this.

--Mark

On Wed, 15 Nov 2017 15:09:59 -0300 Emanuel wrote:

> Other virus not detected
>
> https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection
>
>
> On 14/11/17 at 09:52, Emanuel wrote:
> > Scan the attachment, clamav does not detect this file.
> >
> >
> > On 14/11/17 at 09:51, Al Varnell wrote:
> >> You mentioned two attachments. Kaspersky and ClamXAV appear to catch
> >> the first one, but neither catches the second one you showed us. The
> >> SHA256 for a file is the same no matter what scanner is used.
> >>
> >> -Al-
> >>
> >> On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:
> >>> the first scan is with kaspersky online
> >>>
> >>>
> >>> On 14/11/17 at 09:31, Al Varnell wrote:
> >>>> That's not the same file you showed before. The SHA256 is different.
> >>>>
> >>>> -Al-
> >>>>
> >>>> On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:
> >>>>> Please see
> >>>>>
> >>>>> https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 14/11/17 at 09:00, Al Varnell wrote:
> >>>>>> According to VirusTotal, ClamAV does detect it as
> >>>>>> Doc.Dropper.Agent-6369707-0
> >>>>>>
> >>>>>>
> >>>>>> but go ahead and try to submit it anyway.
> >>>>>>
> >>>>>> -Al-
> >>>>>>
> >>>>>> On Tue, Nov 14, 2017 at 03:33 AM, Emanuel wrote:
> >>>>>>> Hello,
> >>>>>>>
> >>>>>>> I received two docs files in an email with the Subject "Invoice".
> >>>>>>> The attachment is a malware virus, clamav did not detect this.
> >>>>>>>
> >>>>>>> Scan with kaspersky
> >>>>>>>
> >>>>>>>
> >>>>>>> Scan result
> >>>>>>> File is infected
> >>>>>>> Detected threats
> >>>>>>> Trojan-Downloader.MSWord.Agent.bqx
> >>>>>>> File size
> >>>>>>> 144.95 KB
> >>>>>>> File type
> >>>>>>> OOXML/DOCUMENT
> >>>>>>> Scan date
> >>>>>>> Nov 14 2017 08:15:42
> >>>>>>> Databases release date
> >>>>>>> Nov 14 2017 10:36:04 UTC
> >>>>>>> MD5
> >>>>>>> 70bdc39f8f57e090bebc4616924cdadc
> >>>>>>> SHA1
> >>>>>>> ecf414f8523627a0d5d6637041f6e1e3bbcee62e
> >>>>>>> SHA256
> >>>>>>> 142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf
> >>>>>>>
> >>>>>>> Is it possible to add this virus manually to the clamav database?
> 
> 
> >> -Al-
> >>
> >>
> >
>
> -- 
> envialosimple.com   
> Emanuel Gonzalez
> Deliverability Specialist
> emanuel.gonza...@donweb.com 
> www.envialosimple.com 
> by donweb 
>
> Confidentiality note: This message and its attachments are confidential 
> and for the exclusive use of the addressee. Disclosure and/or use of it 
> without authorization from DonWeb.com is prohibited.
> DonWeb.com is not responsible for the message if it is falsified and/or 
> altered.
> If you are not the addressee of the 

Re: [clamav-users] Virus Malvare not detected

2017-11-15 Thread Emanuel

Another virus not detected

https://www.virustotal.com/#/file/6b7b11077b2bcdbce94eff73722a4f78103d2e87bd4331654bc65c0daeb176dd/detection


On 14/11/17 at 09:52, Emanuel wrote:

I scanned the attachment; ClamAV did not detect this file.


On 14/11/17 at 09:51, Al Varnell wrote:
You mentioned two attachments. Kaspersky and ClamXAV appear to catch 
the first one, but neither catch the second one you showed us. The 
SHA256 for a file is the same no matter what scanner is used.


-Al-

On Tue, Nov 14, 2017 at 04:36 AM, Emanuel wrote:

the first scan is with kaspersky online


On 14/11/17 at 09:31, Al Varnell wrote:

That's not the same file you showed before. The SHA256 is different.

-Al-

On Tue, Nov 14, 2017 at 04:23 AM, Emanuel wrote:

Please see

https://www.virustotal.com/es-ar/file/323cb1d2f3b9d0678a8e017fedad1da2768c0eb65111937d03c19e0c053b5da4/analysis/1510662252/

On 14/11/17 at 09:00, Al Varnell wrote:
According to VirusTotal, ClamAV does detect it as 
Doc.Dropper.Agent-6369707-0

but go ahead and try to submit it anyway.

-Al-

On Tue, Nov 14, 2017 at 03:33 AM, Emanuel wrote:

Hello,

I received two doc files in an email with the subject "Invoice". 
The attachment is a malware virus; ClamAV did not detect it.


Scan with kaspersky


Scan result
File is infected
Detected threats
Trojan-Downloader.MSWord.Agent.bqx
File size
144.95 KB
File type
OOXML/DOCUMENT
Scan date
Nov 14 2017 08:15:42
Databases release date
Nov 14 2017 10:36:04 UTC
MD5
70bdc39f8f57e090bebc4616924cdadc
SHA1
ecf414f8523627a0d5d6637041f6e1e3bbcee62e
SHA256
142a177f214671f7abd22f9e545595bf56a8116763bb7e9de7368aa1b2d381bf

Is it possible to add this virus manually to the ClamAV database?




-Al-






--
envialosimple.com   
Emanuel Gonzalez
Deliverability Specialist
emanuel.gonza...@donweb.com 
www.envialosimple.com 
by donweb 

Confidentiality note: This message and its attachments are confidential 
and for the exclusive use of the addressee. Disclosure and/or use of it 
without authorization from DonWeb.com is prohibited.
DonWeb.com is not responsible for the message if it is falsified and/or 
altered.
If you are not the addressee of this message and have received it by 
error, please notify the sender and delete it from your system.
Confidentiality Note: This message and any attachments (the message) are 
confidential and intended solely for the addressees. Any unauthorised 
use or dissemination is prohibited by DonWeb.com.

DonWeb.com shall not be liable for the message if altered or falsified.
If you are not the intended addressee of this message, please cancel it 
immediately and inform the sender.
Confidentiality note: This message and any attachments may contain 
confidential or privileged data.
If you have received it by mistake or are not one of the addressees to 
whom it was sent, please destroy it and any attachments or copies made 
immediately.
Retention, distribution, disclosure or use of any information contained 
herein is prohibited.
Please inform us of the improper receipt of this message by returning it 
to the author.


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:

Re: [clamav-users] password protected encrypted .docx files

2017-11-15 Thread Mark Foley
On Wed, 15 Nov 2017 18:37:36 +0100 (CET) Kees Theunissen wrote:

>
> On Wed, 15 Nov 2017, Mark Foley wrote:
>
> >On Wed 15 Nov 2017 01:14:00 -0800 Al Varnell  wrote:
> >
> >>On Tue, Nov 14, 2017 at 07:45 AM, Mark Foley wrote:
> >>> I found this older message in the archives. I'm receiving a lot of fake
> >>> "Invoice" messages with attached encrypted .doc files that run VB scripts
> >>> and execute .exe files.
> >>>
> >>> I'd like to block encrypted Word documents.  Interestingly, as Reindl Harald
> >>> says, ".docx files *are* zip files", but lately I've been getting .doc files
> >>> which are really .docx files.  KDE Dolphin isn't deceived and opens the
> >>> attachment as an archive, but Word in WIN7 goes ahead and opens it as a
> >>> document.  If I rename the document to .docx, then Dolphin opens it in
> >>> LibreOffice.
> >>>
> >>> So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav smart
> >>> enough to look beyond the extension?
> >>
> >> In general, yes, clamAV doesn't pay attention to extensions and looks for
> >> document signatures that are usually at the top of a file to determine
> >> file type. That being said, I can't confirm exactly how it handles .doc 
> >> and .docx files.
> >>
> >
> >Thanks Al. I'll turn this on and experiment. I'll post back my findings.
> >
> >Does anyone have experience with this?
>
> I did a few tests some time ago. The encryption/protection
> is implemented by Microsoft as an internal format somewhere in
> the office document structure, _not_ as an encrypted zip file.
>
> So ArchiveblockEncrypted won't block encrypted Word documents.
>
>
> Regards,
>
> Kees Theunissen.
>
> -- 
> Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
> Dutch Institute For Fundamental Energy Research (DIFFER)
> e-mail address:   c.j.theunis...@differ.nl
> postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
> visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands

Ah! Bummer. I thought that might be the case.

Did you ever find a way to identify an encrypted .doc[x] file?

--Mark
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


[clamav-users] Heuristics.Phishing.Email.SpoofedDomain

2017-11-15 Thread micah anderson

Hi,

I keep having people complaining about False Positives due to
Heuristics.Phishing.Email.SpoofedDomain - my research has shown me that
the reason this is happening is because of Outlook's "advanced threat
protection" which wraps urls in a "safelink" url, all the details of
this monstrosity are here:

https://blog.tylerbickford.com/2016/06/16/microsoft-advanced-threat-protection-is-a-disaster/

Leave it to Microsoft to implement something so ass-backwards that it
actually does the opposite thing they are trying to achieve and instead
breaks things in an attempt to fix them. Safelinks generates URLs that
are 100% bona fide red-alert, klaxon-sounding phishing. Cut some heads
off of chickens, because it's time to run in circles!

I really didn't want to do this, but I followed
https://github.com/vrtadmin/clamav-devel/blob/master/docs/phishsigs_howto.pdf

and I added the following to local.wdb (is this still the right place?!)
to "whitelist" safebrowsing:

X:.+safelinks\.protection\.outlook\.com([/?].*)?:.*([/?].*)?:17

but people are still complaining. Did I do this wrong? Looking again at
the documentation, it appears that it should be '17-' instead of '17',
but I'm not sure that matters.

Is there some better way to deal with this? I do not want to turn off
phishing protection in general.

Thanks for any help you can provide,
micah
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
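The false positive described above comes from comparing the visible link text against an href that Safe Links has rewritten to its own domain. The following is an added example, not the poster's code and not ClamAV's implementation: a small model of the SpoofedDomain comparison that unwraps the Safe Links wrapper before comparing domains. It assumes the wrapper form `https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded original>&...`, and the sample link is constructed.

```python
from urllib.parse import parse_qs, urlsplit

SAFELINKS_HOST = "safelinks.protection.outlook.com"


def unwrap_safelink(href: str) -> str:
    """Return the original target when href is an Outlook Safe Links wrapper
    (https://<region>.safelinks.protection.outlook.com/?url=<percent-encoded
    original>&data=...); otherwise return href unchanged."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if host == SAFELINKS_HOST or host.endswith("." + SAFELINKS_HOST):
        inner = parse_qs(parts.query).get("url")
        if inner:
            return inner[0]
    return href


def registered_domain(host: str) -> str:
    """Crude 'last two labels' domain; production code would consult the
    public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def _host_of(url_text: str) -> str:
    # Link text such as "www.example.com/invoice" has no scheme; add one so
    # urlsplit treats the first component as the host.
    if "://" not in url_text:
        url_text = "http://" + url_text
    return (urlsplit(url_text).hostname or "").lower()


def looks_spoofed(display_text: str, href: str, unwrap: bool = True) -> bool:
    """Model of the SpoofedDomain idea: the visible link text is itself a URL
    whose domain differs from where the href really goes. unwrap=False compares
    the Safe Links wrapper as-is (the false positive from the thread);
    unwrap=True restores the original target first."""
    shown = _host_of(display_text)
    if not shown or "." not in shown:
        return False  # display text is not a URL, so there is nothing to compare
    target = unwrap_safelink(href) if unwrap else href
    real = _host_of(target)
    if not real:
        return False
    return registered_domain(shown) != registered_domain(real)


# Constructed sample of a link after Safe Links rewriting: the text still shows
# the original address while the href now points at the wrapper domain.
SAMPLE_TEXT = "www.example.com/invoice"
SAMPLE_HREF = ("https://nam01.safelinks.protection.outlook.com/?url="
               "https%3A%2F%2Fwww.example.com%2Finvoice&data=02%7C01%7C"
               "&sdata=AbCdEf&reserved=0")
```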


Re: [clamav-users] password protected encrypted .docx files

2017-11-15 Thread Kees Theunissen
On Wed, 15 Nov 2017, Mark Foley wrote:

>On Wed 15 Nov 2017 01:14:00 -0800 Al Varnell  wrote:
>
>>On Tue, Nov 14, 2017 at 07:45 AM, Mark Foley wrote:
>>> I found this older message in the archives. I'm receiving a lot of fake
>>> "Invoice" messages with attached encrypted .doc files that run VB scripts
>>> and execute .exe files.
>>>
>>> I'd like to block encrypted Word documents.  Interestingly, as Reindl Harald
>>> says, ".docx files *are* zip files", but lately I've been getting .doc files
>>> which are really .docx files.  KDE Dolphin isn't deceived and opens the
>>> attachment as an archive, but Word in WIN7 goes ahead and opens it as a
>>> document.  If I rename the document to .docx, then Dolphin opens it in
>>> LibreOffice.
>>>
>>> So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav smart
>>> enough to look beyond the extension?
>>
>> In general, yes, clamAV doesn't pay attention to extensions and looks for
>> document signatures that are usually at the top of a file to determine
>> file type. That being said, I can't confirm exactly how it handles .doc and 
>> .docx files.
>>
>
>Thanks Al. I'll turn this on and experiment. I'll post back my findings.
>
>Does anyone have experience with this?

I did a few tests some time ago. The encryption/protection
is implemented by Microsoft as an internal format somewhere in
the office document structure, _not_ as an encrypted zip file.

So ArchiveblockEncrypted won't block encrypted Word documents.


Regards,

Kees Theunissen.

-- 
Kees Theunissen,  System and network manager,   Tel: +31 (0)40-3334724
Dutch Institute For Fundamental Energy Research (DIFFER)
e-mail address:   c.j.theunis...@differ.nl
postal address:   PO Box 6336, 5600 HH, Eindhoven, the Netherlands
visitors address: De Zaale 20, 5612 AJ, Eindhoven, the Netherlands

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
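Kees's explanation (Office password protection lives inside the document container, not as ZIP encryption) is why Mark's question about identifying encrypted .doc[x] files needs a content check rather than an extension check or ArchiveBlockEncrypted. The classifier below is an added example, not code from the list or from ClamAV. It assumes the MS-OFFCRYPTO layout (a password-protected OOXML file is an OLE2 compound file holding EncryptionInfo and EncryptedPackage streams), uses a raw byte search rather than a full compound-file parser, and builds its own constructed fixtures.

```python
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # compound-file signature
ZIP_MAGIC = b"PK\x03\x04"                         # ZIP local file header


def classify_office_blob(data: bytes) -> str:
    """Classify an attachment by content, ignoring its extension: 'ooxml'
    (plain .docx-style ZIP), 'zip-encrypted' (ZIP entries flagged encrypted,
    the case ArchiveBlockEncrypted catches), 'ooxml-encrypted' (OOXML wrapped
    in an OLE2 container, which is what Word's "Encrypt with Password" writes,
    so the ZIP check never fires), 'zip', 'ole2' (other compound file, e.g. a
    legacy binary .doc, whose own password flag is not checked) or 'unknown'."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()
        except zipfile.BadZipFile:
            return "unknown"
        if any(zi.flag_bits & 0x1 for zi in infos):  # bit 0 = encrypted entry
            return "zip-encrypted"
        names = {zi.filename for zi in infos}
        if "[Content_Types].xml" in names and any(
                n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "ooxml"
        return "zip"
    if data.startswith(OLE2_MAGIC):
        # Directory entries store stream names as UTF-16LE; encrypted OOXML
        # holds 'EncryptionInfo' and 'EncryptedPackage' streams (MS-OFFCRYPTO).
        # Scanning raw bytes is a heuristic; a full check walks the directory.
        if "EncryptedPackage".encode("utf-16-le") in data:
            return "ooxml-encrypted"
        return "ole2"
    return "unknown"


def build_sample_docx() -> bytes:
    """Constructed fixture: the entries that make a ZIP look like a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def flag_entries_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed fixture: set bit 0 of the flag field in each local (offset 6)
    and central-directory (offset 8) header; the entry data itself stays plain."""
    buf = bytearray(zip_bytes)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = buf.find(sig)
        while pos != -1:
            buf[pos + off] |= 0x01
            pos = buf.find(sig, pos + 4)
    return bytes(buf)
```

An encrypted-OOXML fixture for the heuristic is just the OLE2 signature, a 512-byte header's worth of padding and the UTF-16LE stream name; a real file would of course carry the full directory.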


Re: [clamav-users] password protected encrypted .docx files

2017-11-15 Thread Mark Foley
On Wed 15 Nov 2017 01:14:00 -0800 Al Varnell  wrote:

>On Tue, Nov 14, 2017 at 07:45 AM, Mark Foley wrote:
>> I found this older message in the archives. I'm receiving a lot of fake
>> "Invoice" messages with attached encrypted .doc files that run VB scripts and
>> execute .exe files.
>> 
>> I'd like to block encrypted Word documents.  Interestingly, as Reindl Harald
>> says, ".docx files *are* zip files", but lately I've been getting .doc files
>> which are really .docx files.  KDE Dolphin isn't deceived and opens the
>> attachment as an archive, but Word in WIN7 goes ahead and opens it as a
>> document.  If I rename the document to .docx, then Dolphin opens it in
>> LibreOffice. 
>> 
>> So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav smart
>> enough to look beyond the extension?
>
> In general, yes, clamAV doesn't pay attention to extensions and looks for 
> document signatures that are usually at the top of a file to determine file 
> type. That being said, I can't confirm exactly how it handles .doc and .docx 
> files.
>

Thanks Al. I'll turn this on and experiment. I'll post back my findings.

Does anyone have experience with this?

>-Al-
>
>> Will ArchiveblockEncrypted block *ALL* encrypted archives including zip?
>> 
>> Finally, Dino Edwards wrote:
>> 
>>> Yes, it is - you can turn ArchiveBlockEncrypted off in clamd.conf (it's off 
>>> by default)
>> 
>> Is that a typo? Did he mean "you can turn ArchiveBlockEncrypted on in
>> clamd.conf"? Seems like turning this "off" would NOT block encrypted files.
>> 
>> THX --Mark
>> 
>> -Original Message-
>>> Date: Wed, 5 Apr 2017 21:19:47 +0200
>>> From: Reindl Harald >
>>> 
>>> technically .docx *are* zip files
>>> 
>>> Am 05.04.2017 um 21:08 schrieb Dino Edwards:
 Didn't realize the ArchiveblockEncrypted included MS Word files. I thought 
 it would be for password protected zip rar and such
 
 -Original Message-
 From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net 
 ] On Behalf Of Benny Pedersen
 Sent: Wednesday, April 5, 2017 11:22 AM
 To: clamav-users@lists.clamav.net 
 Subject: Re: [clamav-users] password protected encrypted .docx files
 
 Dino Edwards skrev den 2017-04-05 16:48:
> Any way to get clamav to block password protected Microsoft word files?
 
 Yes, it is - you can turn ArchiveBlockEncrypted off in clamd.conf (it's 
 off by default)
 
 if not working pastebin your clamconf (clamav section only) 
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] password protected encrypted .docx files

2017-11-15 Thread Al Varnell
On Tue, Nov 14, 2017 at 07:45 AM, Mark Foley wrote:
> I found this older message in the archives. I'm receiving a lot of fake
> "Invoice" messages with attached encrypted .doc files that run VB scripts and
> execute .exe files.
> 
> I'd like to block encrypted Word documents.  Interestingly, as Reindl Harald
> says, ".docx files *are* zip files", but lately I've been getting .doc files
> which are really .docx files.  KDE Dolphin isn't deceived and opens the
> attachment as an archive, but Word in WIN7 goes ahead and opens it as a
> document.  If I rename the document to .docx, then Dolphin opens it in
> LibreOffice. 
> 
> So, will ArchiveblockEncrypted work on .doc files too? I.e. is clamav smart
> enough to look beyond the extension?

In general, yes, clamAV doesn't pay attention to extensions and looks for 
document signatures that are usually at the top of a file to determine file 
type. That being said, I can't confirm exactly how it handles .doc and .docx 
files.

-Al-

> Will ArchiveblockEncrypted block *ALL* encrypted archives including zip?
> 
> Finally, Dino Edwards wrote:
> 
>> Yes, it is - you can turn ArchiveBlockEncrypted off in clamd.conf (it's off 
>> by default)
> 
> Is that a typo? Did he mean "you can turn ArchiveBlockEncrypted on in
> clamd.conf"? Seems like turning this "off" would NOT block encrypted files.
> 
> THX --Mark
> 
> -Original Message-
>> Date: Wed, 5 Apr 2017 21:19:47 +0200
>> From: Reindl Harald >
>> 
>> technically .docx *are* zip files
>> 
>> Am 05.04.2017 um 21:08 schrieb Dino Edwards:
>>> Didn't realize the ArchiveblockEncrypted included MS Word files. I thought 
>>> it would be for password protected zip rar and such
>>> 
>>> -Original Message-
>>> From: clamav-users [mailto:clamav-users-boun...@lists.clamav.net 
>>> ] On Behalf Of Benny Pedersen
>>> Sent: Wednesday, April 5, 2017 11:22 AM
>>> To: clamav-users@lists.clamav.net 
>>> Subject: Re: [clamav-users] password protected encrypted .docx files
>>> 
>>> Dino Edwards skrev den 2017-04-05 16:48:
 Any way to get clamav to block password protected Microsoft word files?
>>> 
>>> Yes, it is - you can turn ArchiveBlockEncrypted off in clamd.conf (it's off 
>>> by default)
>>> 
>>> if not working pastebin your clamconf (clamav section only) 


___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml