On 22/12/15 08:04, Axb wrote:
> On 12/21/2015 11:46 PM, Alex wrote:
>> Hi all,
>>
>> For the past few days we've been hit with Word macro viruses/spam that
>> isn't being tagged by clamav or spamassassin, and I thought someone
>> might be able to take a look:
>>
>> http://pastebin.com/cAWcAbm2
>>
>> This one still isn't tagged by clamav/sanesecurity. I've submitted
>> this sample, so perhaps it is now, but I thought someone might have
>> some ideas for a meta or something else in the message that could more
>> generally tag these?
>>
>> Anyone else seeing these? I've also already added the IP to the client
>> blocklist.
>
> You may need to add some commercial AV to your layer...
>
> https://www.virustotal.com/en/file/cbf2c9dd334e786e53958927c05ac1c3f749de21e9e0b1cb551c5b8dd3e34a56/analysis/1450770862/
>
> quite a few to choose from...

I've been seeing some of these Word docs with macros in the last few
days as well. The worrying thing is that some of the (reputable)
commercial AV scanners still don't detect them after being in the wild
for at least two days:

https://www.virustotal.com/en/file/b2a8a2afe818469ba48a3dbafec9ce4ed49ebc0ab7ff0de68f743e4eab3fa5e1/analysis/1450775869/

In terms of ClamAV, I've had next to zero hit rates for new viruses
arriving over email in the last few months (although it is being updated
regularly) - so I'm starting to wonder if there is any point in using
ClamAV for scanning emails at all.