G.W. Haywood via clamav-users wrote:
> One of the reasons that malicious senders send so many malicious
> password protected documents by email is that it is not always easy
> to detect malware in them without knowledge of the password, so by
> and large scanners like ClamAV don't attempt to do it (even though
> most of the time the malicious email will include the password).
>
> If you prevent the scanner from alerting on password protected Excel
> documents, and if your users open more or less any password protected
> Excel document which comes their way, then you will have a problem
> because they probably receive malicious documents every day.

I deal with this class of FP by disabling the FP-causing checks in the primary Clam instance, and enabling them in a secondary instance with a different set of signatures whose results are scored in SpamAssassin instead of treated as an absolute go/no-go result. (Or calling ClamAV from a mediating layer in the mail flow that can achieve much the same result.)

I don't recall coming across any hits in this particular category, but what pushed me into this was the stream of otherwise legitimate "You should really know better"-ish mail from (marketing partners of) banks that kept triggering Heuristics.Phishing.Email.SpoofedDomain, and the hassle of figuring out what URL some marketroid had inventively mangled *this* time.

> One way to get around the problem is to educate users.  For example
> you might continue to reject such documents, and suggest your users do
> not use Excel password protection.  Microsoft password protection is
> in many cases trivially cracked, I've done it for customers when they
> have lost their passwords.  For a simple way of accessing a document
> without its password, see for example
>
> http://www.excelsupersite.com/how-to-remove-an-excel-spreadsheet-password-in-6-easy-steps/
>
> which I found with a simple search and selected more or less at random.

Unfortunately that doesn't address a password-protected *document*, it just describes allowing changes to locked spreadsheet pages. (i.e., a document you can open, but to some degree can't modify.)

-kgd
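As an added illustration of the two-instance arrangement described above (example code written for this page, not code from the post, from ClamAV or from SpamAssassin): a small Python mediating layer that frames a message for clamd's INSTREAM command, parses each instance's reply, rejects outright on a primary hit, and turns a secondary-only hit into a score to hand to SpamAssassin. The signature weights, hosts and ports are assumed placeholders; Heuristics.Encrypted.OLE2 is the name ClamAV reports for encrypted OLE2 documents when alerting on encrypted files is enabled.

```python
import re
import socket
import struct

# Illustrative weights (assumed, not from the post) for signatures the primary
# instance is configured not to alert on; a secondary-instance hit on them adds
# to the SpamAssassin total instead of forcing a reject.
SCORED_SIGNATURES = {"Heuristics.Encrypted.OLE2": 3.0,
                     "Heuristics.Phishing.Email.SpoofedDomain": 1.5}
DEFAULT_SCORE = 1.0  # any other secondary-only hit (assumed weight)
REPLY_RE = re.compile(r"^stream: (?:(?P<sig>.+) FOUND|OK|(?P<err>.+) ERROR)$")


def parse_clamd_reply(reply: str):
    """Parse a clamd INSTREAM reply into ('FOUND', sig), ('OK', None) or ('ERROR', msg)."""
    m = REPLY_RE.match(reply.rstrip("\0\n"))
    if not m:
        return "ERROR", f"unexpected reply: {reply!r}"
    if m.group("sig"):
        return "FOUND", m.group("sig")
    if m.group("err"):
        return "ERROR", m.group("err")
    return "OK", None


def instream_payload(data: bytes, chunk: int = 8192) -> bytes:
    """Frame data for zINSTREAM: NUL-terminated command, big-endian length-prefixed chunks, zero-length terminator."""
    frames = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        part = data[i:i + chunk]
        frames.append(struct.pack(">I", len(part)) + part)
    frames.append(struct.pack(">I", 0))
    return b"".join(frames)


def instream_scan(data: bytes, host: str, port: int) -> str:
    """Send one stream to a clamd instance over TCP; clamd closes the connection after replying."""
    with socket.create_connection((host, port)) as s:
        s.sendall(instream_payload(data))
        return s.makefile("rb").read().decode("utf-8", "replace")


def decide(primary_reply: str, secondary_reply: str):
    """Primary FOUND rejects outright; secondary FOUND only yields a score. Returns (action, score, detail)."""
    status, detail = parse_clamd_reply(primary_reply)
    if status == "ERROR":
        return "tempfail", 0.0, detail
    if status == "FOUND":
        return "reject", 0.0, detail
    status, detail = parse_clamd_reply(secondary_reply)
    if status == "FOUND":  # a secondary ERROR is advisory, so it falls through to accept
        return "score", SCORED_SIGNATURES.get(detail, DEFAULT_SCORE), detail
    return "accept", 0.0, None
```

In a milter or content filter the two replies would come from `instream_scan(msg, "127.0.0.1", 3310)` and `instream_scan(msg, "127.0.0.1", 3311)` (assumed ports), with the returned score injected as a SpamAssassin rule hit rather than acted on directly.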

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
