[CentOS] Detecting empty office doc containing virus macro

Gary Stainburn gary at ringways.co.uk
Thu Oct 29 10:51:16 UTC 2015


On Wednesday 28 October 2015 21:12:19 Ned Slider wrote:
> On 28/10/15 11:55, Gary Stainburn wrote:
> > We are receiving LOTS of emails that contain empty XLS or DOC documents
> > with embedded virus macros.  These are getting past SPAMASSASSIN, Clamav
> > and Kaspersky.
> >
> > I'm trying to write a filter for EXIM to block these emails but I need to
> > know a good, quick, command-line to detect an empty doc with a macro.
> >
> > Is there anything available that I can use??
> >
> > I have managed to write a PERL script to detect empty xls xlsx, doc and
> > docx files but I cannot detect whether they have any macros embedded
> >
> > Gary
>
> If you've got a script to detect empty docs then it should be relatively
> easy to detect these. I assume empty attachments are not normal in your
> mail flows?
>

I have come to the conclusion that I am just going to have to stick with
detecting empty documents and forget the macro checks.

> I would look to write some custom SpamAssassin rules, maybe
> incorporating your script, to detect these and filter them out.

I would love to be able to write custom Spamassassin rules but do not know how 
to do this. All I have done in the past is add small pattern matching rules 
to local.cf

Another rule I would like to add to Spamassassin is to catch emails where the 
subject starts with the email local part in brackets as we get a LOT of those 
too.

>
> Are you able to post some examples to pastebin?

http://www.stainburn.com/virus_files/I0000040777.doc
http://www.stainburn.com/virus_files/FAX_20151028_1445421437_89.doc
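As an added example for the macro-detection question in this thread (this is not code from the original post or from any of the tools mentioned), the stand-alone Python 3 script below answers "does this attachment carry a VBA project?" using only the standard library, so it can be called from a mail-filter helper without extra packages. For legacy .doc/.xls (OLE2 compound files) it reads the header's DIFAT and FAT, walks the directory chain and looks for the storage names Word and Excel use for VBA ("Macros", "VBA", "_VBA_PROJECT_CUR"); for .docx/.xlsx/.docm/.xlsm it checks the zip for a vbaProject.bin part. The two sample documents are constructed in memory by the script itself; the assumptions are that the FAT fits in the 109 DIFAT slots of the header (larger files would need the DIFAT sector chain as well) and that an exit status of 1 for "macros found" suits the calling filter.

```python
#!/usr/bin/env python3
"""Flag Office attachments that carry a VBA macro project (added example).

OLE2 (.doc/.xls): walk the compound-file directory for VBA storages.
OOXML (.docx/.xlsx/.docm/.xlsm): look for a vbaProject.bin part in the zip.
"""
import io
import struct
import sys
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
FATSECT = 0xFFFFFFFD
FREESECT = 0xFFFFFFFF
NOSTREAM = 0xFFFFFFFF
# Storages that hold a VBA project in Word ("Macros") and Excel ("_VBA_PROJECT_CUR").
MACRO_STORAGES = {"macros", "_vba_project_cur", "vba"}


def ole_directory_names(data):
    """Return the names of all directory entries in an OLE2 compound file."""
    if not data.startswith(OLE_MAGIC):
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    num_fat_sectors = struct.unpack_from("<I", data, 0x2C)[0]
    first_dir_sector = struct.unpack_from("<I", data, 0x30)[0]
    # Assumption: the FAT is fully described by the 109 DIFAT slots in the header.
    difat = struct.unpack_from("<109I", data, 0x4C)[:num_fat_sectors]
    fat = []
    for sector in difat:
        offset = (sector + 1) * sector_size  # sector 0 starts right after the header
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, offset))
    names = []
    sector, seen = first_dir_sector, set()
    # Special values (ENDOFCHAIN, FREESECT, ...) are >= len(fat) and end the walk;
    # 'seen' stops a looped chain in a malformed file.
    while sector < len(fat) and sector not in seen:
        seen.add(sector)
        offset = (sector + 1) * sector_size
        for i in range(sector_size // 128):
            entry = data[offset + i * 128:offset + (i + 1) * 128]
            name_len = struct.unpack_from("<H", entry, 0x40)[0]  # bytes incl. terminator
            obj_type = entry[0x42]  # 0 = unused, 1 = storage, 2 = stream, 5 = root
            if obj_type == 0 or name_len < 2 or name_len > 64:
                continue
            names.append(entry[:name_len - 2].decode("utf-16-le", errors="replace"))
        sector = fat[sector]
    return names


def has_macros(data):
    """True if the document bytes contain a VBA project (OLE2 or OOXML)."""
    if data.startswith(OLE_MAGIC):
        return any(name.lower() in MACRO_STORAGES for name in ole_directory_names(data))
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as archive:
                return any(n.lower().endswith("vbaproject.bin") for n in archive.namelist())
        except zipfile.BadZipFile:
            return False  # corrupt zip: leave the verdict to the other scanners
    return False


def _dir_entry(name, obj_type, child=NOSTREAM):
    """Build one 128-byte directory entry (constructed sample data)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    entry = bytearray(128)
    entry[:len(raw)] = raw
    struct.pack_into("<HBB", entry, 0x40, len(raw), obj_type, 1)
    struct.pack_into("<III", entry, 0x44, NOSTREAM, NOSTREAM, child)
    struct.pack_into("<I", entry, 0x74, ENDOFCHAIN)  # no stream data
    return bytes(entry)


def build_sample_ole(with_macros):
    """Constructed minimal .doc: header, one FAT sector, one directory sector."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    # minor/major version, byte order, sector shift (512 B), mini sector shift
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", header, 0x2C, 1, 1)  # one FAT sector; directory at sector 1
    struct.pack_into("<I", header, 0x38, 4096)  # mini-stream cutoff
    struct.pack_into("<IIII", header, 0x3C, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT/DIFAT
    struct.pack_into("<109I", header, 0x4C, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    entries = [_dir_entry("Root Entry", 5, child=1), _dir_entry("WordDocument", 2)]
    if with_macros:
        entries += [_dir_entry("Macros", 1, child=3), _dir_entry("VBA", 1)]
    return bytes(header) + fat + b"".join(entries).ljust(512, b"\x00")


def build_sample_ooxml(with_macros):
    """Constructed minimal .docx (or .docm when with_macros) zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            archive.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    # Command-line use: print a verdict per file, exit 1 if any carries macros.
    found = False
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = has_macros(fh.read())
        print("%s: %s" % (path, "MACROS" if verdict else "clean"))
        found = found or verdict
    sys.exit(1 if found else 0)
```

Run it as `python3 macrocheck.py attachment.doc` from whatever saves the attachment to disk; the exit status is what a mail filter would branch on. The OLE walk deliberately scans every directory entry rather than following the red-black child/sibling tree, so a malformed tree in a crafted file cannot hide a storage from it, and the `seen` set bounds the walk on a looped FAT chain.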
