On Sun, 11 Jul 2021, Kevin A. McGrail wrote:
> On 7/11/2021 5:11 PM, John Hardin wrote:
>> "The other parts contain an application/vnd.ms-officetheme and an
>> application/x-mso file. Which (in addition to the text/xml files) are used
>> by Microsoft Word to load the embedded Word document."
>> Would the presence of all three of those MIME types be a scorable
>> indicator?
> If you can get me a spample, I'm sure I can tell you but in general we block
> macros so that's all that's needed. Likely the OLEVBMacro plugin and KAM
> ruleset are blocking all of these already if you have the plugin enabled.
> Regards,
> KAM
Aren't there already rules and heuristics in ClamAV for detecting VB macros in
office docs?
I've got two copies of ClamAV running, one used as a blocking direct milter with
default rules and another one feeding into the SA "clamav.pm" plugin with extra
rules and heuristics/algorithms enabled.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
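Spelling out John's question as a local SpamAssassin rule, as an added example (not from the thread, the KAM ruleset or the stock rules; the LOCAL_* rule names and the 1.0 score are hypothetical): one `mimeheader` sub-rule per MIME type in the quoted description, ANDed in a `meta` rule, next to the plugin load line for the OLEVBMacro check Kevin refers to.

```text
# local.cf -- added example, not from the thread; LOCAL_* names are hypothetical.
# mimeheader rules are evaluated against the headers of every MIME part, so
# each sub-rule (leading "__" = no score of its own) fires if any part in the
# message carries that Content-Type. ^ and \b keep "name=..." parameters from
# mattering and stop application/x-mso from matching application/x-msoffice.
mimeheader __LOCAL_CT_OFFICETHEME  Content-Type =~ /^application\/vnd\.ms-officetheme\b/i
mimeheader __LOCAL_CT_X_MSO        Content-Type =~ /^application\/x-mso\b/i
mimeheader __LOCAL_CT_TEXT_XML     Content-Type =~ /^text\/xml\b/i

# Score only when all three part types are present in the same message.
meta     LOCAL_MSO_EMBEDDED_PARTS  (__LOCAL_CT_OFFICETHEME && __LOCAL_CT_X_MSO && __LOCAL_CT_TEXT_XML)
describe LOCAL_MSO_EMBEDDED_PARTS  officetheme + x-mso + text/xml parts: embedded Word document
score    LOCAL_MSO_EMBEDDED_PARTS  1.0

# The macro check Kevin refers to. The plugin ships in v343.pre; if it is
# commented out there, enable it (here or in the .pre file) so the stock
# OLEMACRO* rules that call its eval tests actually run.
loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
```

Check the syntax with `spamassassin --lint`, then feed the sample through `spamassassin -t < sample.eml` and look for LOCAL_MSO_EMBEDDED_PARTS in the rule hits. One caveat: three ANDed `mimeheader` matches only say that each part type exists somewhere in the message, not that they belong to the same attachment, so keep the score modest and let it add to, rather than replace, the OLEMACRO rules.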