On 29.12.2016 at 07:30, demonhunter wrote:
> Samples can be easily generated by creating a blank Word or Excel document, creating an empty macro module with a single empty subroutine, and saving the Word/Excel file as a .docm or .xlsm file. Scanning one of these brand new files against a saved copy of the signature shows that it matches (implying that all or nearly all modern Office 2007+ files containing VBA macros would have matched this rule):
yeah, but only the docm/xlsm, and frankly on a sane inbound mail server you reject them unconditionally - I have even seen servers in the wild rejecting xls/doc and using xlsx/docx because they *could* contain macros, to keep all the crypto malware out of the house
signatures were and always will be too late for the most recent malware, and hence in 2016 macros and executables don't belong in emails at all
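The attachment policy described in the reply above, sketched as an added example that is not part of the original thread or of ClamAV. The function names and the `strict` switch are hypothetical, the attachments are constructed stand-ins, and the content check assumes the usual OOXML layout in which VBA code is stored in a `vbaProject.bin` part, so a macro container saved under another extension is still caught.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = {".docm", ".xlsm"}  # rejected unconditionally, as in the reply
STRICT_EXT = {".doc", ".xls"}     # legacy formats some servers also refuse

def has_vba_part(data):
    """True if data is a zip (OOXML) container holding a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False  # not a zip container at all

def verdicts(raw, strict=False):
    """Return [(filename, 'REJECT' or 'ACCEPT', reason)] for each attachment."""
    blocked = BLOCKED_EXT | (STRICT_EXT if strict else set())
    out = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in blocked:
            out.append((name, "REJECT", "extension"))
        elif has_vba_part(part.get_payload(decode=True) or b""):
            out.append((name, "REJECT", "vba part inside container"))
        else:
            out.append((name, "ACCEPT", ""))
    return out

def _ooxml(with_macro):
    """Constructed stand-in for an Office file; only the part names matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

def sample_message():
    """Constructed test mail with four attachments."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    for name, macro in [("invoice.docm", True), ("report.docx", False),
                        ("renamed.docx", True), ("old.doc", False)]:
        data = b"legacy" if name.endswith(".doc") else _ooxml(macro)
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `verdicts(sample_message(), strict=True)` applies the stricter variant mentioned in the reply, which also refuses `.doc` and `.xls`.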