[CentOS] Detecting empty office doc containing virus macro
Ned Slider
ned at unixmail.co.uk
Wed Oct 28 21:12:19 UTC 2015
On 28/10/15 11:55, Gary Stainburn wrote:
> We are receiving LOTS of emails that contain empty XLS or DOC documents with
> embedded virus macros. These are getting past SpamAssassin, ClamAV and
> Kaspersky.
>
> I'm trying to write a filter for Exim to block these emails, but I need to know
> a good, quick command line to detect an empty doc with a macro.
>
> Is there anything available that I can use?
>
> I have managed to write a Perl script to detect empty xls, xlsx, doc and docx
> files, but I cannot detect whether they have any macros embedded.
>
> Gary

If you've got a script to detect empty docs then it should be relatively
easy to detect these. I assume empty attachments are not normal in your
mail flows?

I would look to write some custom SpamAssassin rules, maybe
incorporating your script, to detect these and filter them out.

Are you able to post some examples to pastebin?
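
An added example, not part of the original message or of the Perl script mentioned in the thread: a Python check for embedded VBA macros in an attachment, covering both OOXML (docx, xlsx) and legacy OLE2 (doc, xls) files. The function names, the exit-status convention and the sample data are assumptions made here; the OLE2 branch is a byte-scan heuristic, not a compound-file directory parser.

```python
import io
import sys
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # OLE2 compound file (doc, xls)
VBA_DIR_ENTRY = "_VBA_PROJECT".encode("utf-16-le")   # directory names are UTF-16LE

def classify(data: bytes) -> str:
    """Return 'macro', 'clean' or 'unknown' for one attachment's raw bytes."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: a VBA project adds a stream named _VBA_PROJECT to the
        # compound file directory. This is a byte scan, not a directory parser.
        return "macro" if VBA_DIR_ENTRY in data else "clean"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return "unknown"
        # OOXML stores VBA in a vbaProject.bin part (word/, xl/ or ppt/).
        return "macro" if any(n.endswith("vbaproject.bin") for n in names) else "clean"
    return "unknown"

def make_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal ZIP shaped like a .docx, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def main(paths):
    """Exit status 1 if any file carries a macro, so a mail filter can branch on it."""
    found = False
    for path in paths:
        with open(path, "rb") as fh:
            verdict = classify(fh.read())
        print(f"{path}: {verdict}")
        found = found or verdict == "macro"
    return 1 if found else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run against the files extracted from a message, a "macro" verdict combined with the existing empty-document test gives the condition to reject on; an "unknown" verdict means the file is neither a readable ZIP nor an OLE2 container.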