On Mon, December 10, 2018 2:58 pm, Eric Tykwinski wrote:
> Default clam sigs obviously are not catching these, but wondering if
> anyone has them included in a third party that's rather FP friendly.
>
> I also just tested a yara from here, and it seems to work, but not
> certain about FPs from it either.
>

Sanesecurity badmacro.ndb and phish.ndb and rogue.hdb will pretty much cover a lot of those... MiscreantPunch099-Low.ldb for additional detection but can hit scanning performance.

ClamAV settings in clamd.conf can also be tweaked to block documents with macros and/or passwords.

--
Cheers,

Steve
Twitter: @sanesecurity
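
An added example, not part of the original post or of ClamAV: a small audit of a clamd.conf for the macro and encrypted-file alert settings mentioned above. It accepts the option names used from ClamAV 0.101 onward and the older names they replaced; the sample configuration and the accepted boolean spellings are assumptions of this example.

```python
# Added example: check clamd.conf text for macro / encrypted-file alerting.
# Option names are ClamAV's; the sample fragment below is constructed.

# Current names first, then the pre-0.101 names they replaced.
MACRO_OPTS = ("AlertOLE2Macros", "OLE2BlockMacros")
ENCRYPTED_OPTS = ("AlertEncrypted", "AlertEncryptedDoc", "ArchiveBlockEncrypted")
LEGACY = {"OLE2BlockMacros", "ArchiveBlockEncrypted"}

# Assumption of this example: spellings treated as an enabled boolean.
TRUE_VALUES = {"yes", "true", "1"}


def parse_clamd_conf(text):
    """Return {option: value} from 'Name value' lines, skipping # comments."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return options


def audit(text):
    """Report whether macro and encrypted-file alerting are switched on."""
    opts = parse_clamd_conf(text)
    on = {name for name, value in opts.items() if value.lower() in TRUE_VALUES}
    return {
        "macros": any(o in on for o in MACRO_OPTS),
        "encrypted": any(o in on for o in ENCRYPTED_OPTS),
        # Old option names still present in the file, worth renaming.
        "legacy_names": sorted(LEGACY & set(opts)),
    }


# Constructed clamd.conf fragment used as sample input.
SAMPLE = """\
LocalSocket /run/clamav/clamd.ctl
ScanOLE2 yes
OLE2BlockMacros yes
AlertEncryptedDoc no
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
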