On Mon, December 10, 2018 2:58 pm, Eric Tykwinski wrote:
> Default clam sigs obviously are not catching these, but wondering if
> anyone has them included in a third party that's rather FP friendly.
>
> I also just tested a yara from here, and it seems to work, but not
> certain about FPs from it either.
>
Sanesecurity badmacro.ndb and phish.ndb and rogue.hdb will pretty much
cover a lot of those... MiscreantPunch099-Low.ldb for additional detection
but can hit scanning performance.

ClamAV settings in clamd.conf can also be tweaked to block documents with
macros and/or passwords.


-- 
Cheers,

Steve
Twitter: @sanesecurity
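
Added example (not part of the message above and not ClamAV project code): a Python check that reads clamd.conf text and reports whether the macro and encrypted-file alerts mentioned in the reply are switched on. It accepts the ClamAV 0.101+ option names and the pre-0.101 names they replaced; the sample configs are constructed, and treating a repeated option as last-one-wins is an assumption of this example.

```python
# Added example: audit clamd.conf text for macro / encrypted-file alerting.
# Option names: ClamAV 0.101+ names first, then the pre-0.101 names.
MACRO_OPTS = ("AlertOLE2Macros", "OLE2BlockMacros")
ENCRYPTED_OPTS = ("AlertEncrypted", "AlertEncryptedDoc", "ArchiveBlockEncrypted")
TRUE_VALUES = {"yes", "true", "1"}

def parse_clamd_conf(text):
    """Parse 'Option value' lines into a dict, skipping blanks and # comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        # Assumption of this example: a repeated option is last-one-wins.
        opts[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def enabled(opts, names):
    """True if any of the given boolean options is set to a true value."""
    return any(opts.get(n, "no").lower() in TRUE_VALUES for n in names)

def audit(text):
    """Return a list of findings; an empty list means both alerts are on."""
    opts = parse_clamd_conf(text)
    findings = []
    if opts.get("ScanOLE2", "yes").lower() not in TRUE_VALUES:
        findings.append("ScanOLE2 is off, so OLE2 Office files are not parsed")
    if not enabled(opts, MACRO_OPTS):
        findings.append("macro alert off: set AlertOLE2Macros yes")
    if not enabled(opts, ENCRYPTED_OPTS):
        findings.append("encrypted-file alert off: set AlertEncrypted yes")
    return findings

# Constructed sample configs, not taken from any real host.
WEAK_CONF = """\
# clamd.conf left at its defaults for these options
LocalSocket /run/clamav/clamd.ctl
ScanOLE2 yes
#AlertOLE2Macros yes
"""
HARDENED_CONF = WEAK_CONF + "AlertOLE2Macros yes\nAlertEncrypted yes\n"

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "OK")
```
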
