On 12/07/2021 07:40, Dave Funk wrote:
> On Sun, 11 Jul 2021, Kevin A. McGrail wrote:
>> On 7/11/2021 5:11 PM, John Hardin wrote:
>>> "The other parts contain an application/vnd.ms-officetheme and an
>>> application/x-mso file. Which (in addition to the text/xml files)
>>> are used by Microsoft Word to load the embedded Word document."
>>>
>>> Would the presence of all three of those MIME types be a scorable
>>> indicator?
>>
>> If you can get me a spample, I'm sure I can tell you, but in general
>> we block macros so that's all that's needed. Likely the OLEVBMacro
>> plugin and KAM ruleset are blocking all of these already if you have
>> the plugin enabled.
>
> Aren't there already rules and heuristics in ClamAV for detecting
> VB macros in Office docs?
>
> I've got two copies of ClamAV running, one used as a blocking direct
> milter with default rules and another one feeding into the SA
> "clamav.pm" plugin with extra rules and heuristics/algorithms enabled.
>
> I quarantine emails that are caught by ClamAV with 'ScanOLE2 true' and
> 'AlertOLE2Macros true'; these are then checked by the command-line tool
> mraptor (part of olevba) to see if the macros are truly malicious.
>
> I will try the OLEVBMacro plugin alongside, thanks for the heads up.
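For readers who want to see the two checks this thread touches on side by side, here is an added stand-alone example; it is not code from the thread, from ClamAV, from olevba/mraptor or from the SpamAssassin OLEVBMacro plugin. It walks a MIME message with the Python standard library and reports (a) whether the three part types John Hardin asked about (text/xml, application/vnd.ms-officetheme, application/x-mso) all occur together, and (b) whether any attachment is an OOXML zip carrying a `vbaProject.bin` storage (the standard location of VBA code in .docm/.xlsm files) or a legacy OLE2 compound file (magic `D0 CF 11 E0 A1 B1 1A E1`), which is what `ScanOLE2`/`AlertOLE2Macros` and olevba look inside. Treating the MIME triplet as a signal is the example's own assumption, not a vetted rule, and the sample message and .docm are constructed in the block itself so it runs offline.

```python
"""Flag Office-macro indicators in a MIME message.

Added example for the thread above; not code from ClamAV, olevba/mraptor or the
SpamAssassin OLEVBMacro plugin. All sample data below is constructed.
"""
import base64
import email
import io
import zipfile
from email import policy

# The three part types from the thread. Treating their co-occurrence as a signal
# is this example's assumption, not an established or vetted rule.
MSO_TRIPLET = {"text/xml", "application/vnd.ms-officetheme", "application/x-mso"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file header (.doc/.xls)


def ooxml_has_vba(data: bytes) -> bool:
    """True if `data` is an OOXML zip that carries a VBA project (.docm, .xlsm, ...)."""
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan_message(raw: bytes) -> dict:
    """Walk every leaf MIME part, collect content types and inspect attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    types, vba, ole2 = set(), [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()  # already normalised to lowercase
        types.add(ctype)
        payload = part.get_payload(decode=True) or b""
        label = part.get_filename() or str(part.get("Content-Location", ctype))
        if ooxml_has_vba(payload):
            vba.append(label)
        elif payload.startswith(OLE2_MAGIC):
            ole2.append(label)  # legacy binary format: hand to an OLE2 macro scanner
    return {"mso_triplet": MSO_TRIPLET <= types, "vba_attachments": vba, "ole2_attachments": ole2}


def build_sample_docm() -> bytes:
    """Constructed minimal .docm: real zip layout, placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        # Only the storage name matters for this check; a real stream is an OLE2 file.
        zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed message: MHTML-style Word body (the three part types) plus a .docm."""
    docm_b64 = base64.encodebytes(build_sample_docm())
    return b"""From: sender@example.invalid
To: postmaster@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/related; boundary="inner"

--inner
Content-Type: text/html; charset=us-ascii

<html><body>see attached</body></html>
--inner
Content-Type: text/xml
Content-Location: file:///C:/doc_files/filelist.xml

<xml xmlns:o="urn:schemas-microsoft-com:office:office"/>
--inner
Content-Type: application/vnd.ms-officetheme
Content-Location: file:///C:/doc_files/themedata.thmx
Content-Transfer-Encoding: base64

AAAA
--inner
Content-Type: application/x-mso
Content-Location: file:///C:/doc_files/editdata.mso
Content-Transfer-Encoding: base64

AAAA
--inner--
--outer
Content-Type: application/vnd.ms-word.document.macroEnabled.12; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

""" + docm_b64 + b"""--outer--
"""


if __name__ == "__main__":
    for key, value in scan_message(build_sample_message()).items():
        print(f"{key}: {value}")
```

The zip check is deliberately shallow: it tells you a VBA project is present, which is enough for a "block all macros" policy like the one Kevin describes, but says nothing about what the macros do. Deciding whether they are malicious (auto-execution triggers, shell/WMI calls, downloaders) is what mraptor and olevba are for, so a flag from this script is a reason to hand the file to those tools, not a verdict.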