Dianne Skoll wrote on 2015-09-09 16:44:
> ClamAV is totally useless.
Why?
> Here's a trick: Macro viruses must define a subroutine called
> "Document_Open"
Thanks for that note, I will keep it in mind.
> So finding the string "Document_Open" case-insensitively in an MS
> Office file is a red flag.
Which can be used to reject in clamav-milter, no?
> If you don't find it directly, use
> unzip -p (the so called "pipe mode") to look for that same string
> case-insensitively in the more modern MS Office files, which are really
> just zip files in disguise.
And I believed I was the only one that creates ClamAV signatures :=)
> There will be some false-positives because some legitimate MS Office files
> (boooo....) auto-execute macros on document open, but IMO the danger posed
> by macro viruses makes the tradeoff worth it.
PDF files with JavaScript are much better :=)
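As an added example (not code from either participant in this thread), the check described above in Python rather than as an `unzip -p | grep -i` one-liner: a case-insensitive scan for "Document_Open" over the raw bytes of a legacy OLE document, and over each decompressed member of a zip-based OOXML document. The sample documents are constructed in the script itself and are not real files. The per-member read cap and the fallback to a raw scan for a file that starts with the zip magic but does not parse are my own additions for use in something like a milter, where untrusted attachments can be decompression bombs or deliberately malformed. One caveat worth knowing when tuning this: in OOXML the VBA source lives in `word/vbaProject.bin`, where the source text is stored compressed (MS-OVBA), so a plain substring match depends on the identifier also appearing uncompressed in that stream; treat a hit as the red flag the original post calls it, not as proof of a macro.

```python
"""Case-insensitive "Document_Open" scan for MS Office files.

Added example for the thread above; not the participants' code.
Handles both legacy binary (OLE) documents and zip-based OOXML
documents (the modern formats are zip files in disguise).
"""
import io
import zipfile

NEEDLE = b"document_open"          # compared against lower-cased bytes
ZIP_MAGIC = b"PK\x03\x04"          # local file header that starts a zip
MAX_MEMBER_BYTES = 16 * 1024 * 1024  # decompression cap per member (assumption)


def scan_bytes(blob: bytes) -> bool:
    """Return True if the needle appears in blob, ignoring ASCII case."""
    return NEEDLE in blob.lower()


def scan_zip_members(data: bytes) -> list:
    """Decompress each zip member (what `unzip -p` does) and scan it.

    Returns the names of members that contain the needle. Only the
    first MAX_MEMBER_BYTES of each member are examined so a zip bomb
    cannot exhaust memory; anything past the cap is not scanned.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                chunk = fh.read(MAX_MEMBER_BYTES)
            if scan_bytes(chunk):
                hits.append(info.filename)
    return hits


def has_document_open(data: bytes) -> tuple:
    """Return (flagged, hits) for one attachment held in memory.

    Zip-looking input is walked member by member; anything else, and
    zip-looking input that fails to parse, gets a raw byte scan.
    """
    hits: list = []
    if data.startswith(ZIP_MAGIC):
        try:
            hits = scan_zip_members(data)
        except zipfile.BadZipFile:
            pass  # malformed zip: fall through to the raw scan below
        else:
            return bool(hits), hits
    if scan_bytes(data):
        hits = ["<raw>"]
    return bool(hits), hits


def build_samples() -> dict:
    """Constructed sample inputs; none of these are real documents."""
    # Legacy OLE header followed by a fake module body with mixed-case name.
    legacy_doc = (
        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64
        + b"Sub DOCUMENT_open()\r\nEnd Sub" + b"\x00" * 16
    )
    # OOXML-style zip with a fake vbaProject.bin that names the subroutine.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin",
                    b"\x00" * 32 + b"Private Sub Document_Open()\r\nEnd Sub")
    macro_docm = buf.getvalue()
    # OOXML-style zip with no macro project at all.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
    clean_docx = buf.getvalue()
    return {"legacy_doc": legacy_doc, "macro_docm": macro_docm,
            "clean_docx": clean_docx}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        flagged, where = has_document_open(blob)
        print(f"{name}: {'FLAG' if flagged else 'ok'} {where}")
```

Wired into a milter, `flagged` is the reject decision; `hits` tells you which member tripped it, which is what you will want in the log when a legitimate auto-executing document shows up as a false positive.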