Hi there,

On Thu, 14 Jan 2021, 本多 俊之 wrote:

> Password-protected excels are commonly used in our customers. I want to avoid them being identified as viruses. If there is a category that is more suitable for password Excel than Doc.Packed, I want to exclude it.

One of the reasons that malicious senders send so many malicious password protected documents by email is that it is not always easy to detect malware in them without knowledge of the password, so by and large scanners like ClamAV don't attempt to do it (even though most of the time the malicious email will include the password). If you prevent the scanner from alerting on password protected Excel documents, and if your users open more or less any password protected Excel document which comes their way, then you will have a problem because they probably receive malicious documents every day.

One way to get around the problem is to educate users. For example you might continue to reject such documents, and suggest your users do not use Excel password protection. Microsoft password protection is in many cases trivially cracked; I've done it for customers when they have lost their passwords. For a simple way of accessing a document without its password, see for example

http://www.excelsupersite.com/how-to-remove-an-excel-spreadsheet-password-in-6-easy-steps/

which I found with a simple search and selected more or less at random. The password is limited to fifteen characters, and the password's hash is stored in the document as only a 16 bit number.

A much more secure alternative would be to store the unprotected Excel document in a .zip archive, which is itself password protected (and using a more secure password feature such as one provided by the archive tool, or a simple encryption tool like GnuPG and perhaps one of the GUI front ends, of which several are available):

https://en.wikipedia.org/wiki/GNU_Privacy_Guard

It's much better to use private keys than passwords if you can. It is admittedly a little more effort, but it's well worth it. Whatever you do, arrange to send keys and passwords out-of-band - not in the email with the document!

In this way you might be responsible for greatly improving the security of your users' data, and making it much harder for the Bad Guys to compromise your users' computers as well. :)

> Is there a description for Doc.Packed somewhere?

The signatures are readily available in the signature database, you can use 'sigtool' to display them. If you mean you would like to see the specification for Excel documents themselves, you could look at

https://www.openoffice.org/sc/excelfileformat.pdf

but it's 250 pages.

--
73,
Ged.
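
Added example, not part of the original message: a sketch of the 16-bit protection-password hash the message refers to, following the algorithm as published in the OpenOffice.org Excel file format document linked above. It assumes single-byte (ASCII) passwords; the function names and the constructed lowercase input set are illustrative. It shows why the stored value carries so little information: bit 15 is always set, so at most 32768 distinct values exist.

```python
"""Legacy Excel sheet/workbook protection hash (16-bit), for illustration."""
from itertools import product
from string import ascii_lowercase

MAX_LEN = 15        # password length limit mentioned in the message
FINAL_XOR = 0xCE4B  # constant from the published algorithm


def rotl15(value, count):
    """Rotate a 15-bit value left by count bits."""
    count %= 15
    value &= 0x7FFF
    return ((value << count) | (value >> (15 - count))) & 0x7FFF


def legacy_excel_hash(password):
    """Return the 16-bit value stored for a protection password."""
    data = password.encode("ascii")  # assumption: single-byte characters only
    if not 1 <= len(data) <= MAX_LEN:
        raise ValueError("password must be 1..15 characters")
    acc = 0
    for position, byte in enumerate(data, start=1):
        # Character n (1-based) is rotated left n bits inside 15 bits.
        acc ^= rotl15(byte, position)
    return acc ^ len(data) ^ FINAL_XOR


def distinct_hashes(length=4):
    """Hash every lowercase string of the given length (constructed input).

    Returns (number of inputs, number of distinct hash values).
    """
    seen = {legacy_excel_hash("".join(chars))
            for chars in product(ascii_lowercase, repeat=length)}
    return len(ascii_lowercase) ** length, len(seen)


if __name__ == "__main__":
    print(hex(legacy_excel_hash("abcdefghij")))
    inputs, outputs = distinct_hashes()
    print(f"{inputs} candidate passwords map onto {outputs} hash values")
```
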