Hi there,

On Thu, 9 Jun 2022, Vangelis Katsikaros via clamav-users wrote:
I am not a security person so I apologize if the question sounds stupid.
It doesn't sound stupid. :)
I'd like to ask if there is a signature in the clamav DB to recognise Microsoft word documents affected by the "Follina" - CVE-2022-30190 remote code execution vulnerability.
This particular vulnerability is worrying because it can be exploited even if the user does not enable Word macros.

It can be exploited by things other than Word documents, e.g. just a link in an email:

https://forum.eset.com/topic/32571-ms-word-follina-exploit-not-detected/

So as you can imagine it's unlikely that a single signature will be able to provide complete protection. At the moment I know of no ClamAV 'official' signature which addresses the issue in any way at all. I imagine people are working on it.

My take on it is that if it's a Word document, a Rich Text File, RAR, ZIP, TGZ and a whole bunch of other things, then no matter what you claim it is, I don't want it. Links are treated with great suspicion. The milters here reflect those views, and have done for many years.

There are mitigations for the vulnerability:

https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/

In the absence of a fix from Microsoft that's your best bet I think but read my first link first.

It would not be wise to rely on anti-virus techniques for protection if there's any risk that a user might open a malicious document (or click a malicious link) before it is known to be safe. A null scan result does not mean it's known to be safe. It means the scanner didn't find a threat, which does not mean that there are no threats in there to be found.

--
73,
Ged.