On 03/10/16 21:30, John Hardin wrote:
> ClamAV is probably the correct approach to macro-based malware, unless
> we want to do a MS Office document plugin with something like an eval

ClamAV does allow macro detection, but it depends on the MTA glue used
whether you can use this feature.
With the feedback of Alex I've put together a plugin which detects the
presence of a MS Office Macro with a few other bits.
Testing shows it to be speedy and reliable enough, though seemingly lots of
legit emails have Macro attachments but this should help build
- Detects macros - both old and new style
- Basic 'malicious' macro detection
- Protected (encrypted) document detection
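
One way to tell old-style and new-style macro documents and encrypted packages apart at the container level, as an added example that is not the plugin's own code. The byte-level name search for OLE2 files is an assumed heuristic rather than a full compound-file parse, and all function names and sample inputs are constructed here.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE2 compound file signature
ZIP_MAGIC = b"PK\x03\x04"                      # OOXML files are ZIP archives

def utf16(name):
    # OLE2 directory entry names are stored as UTF-16LE
    return name.encode("utf-16-le")

def classify_attachment(data):
    """Return a set of flags: 'macro_ole', 'macro_ooxml', 'encrypted'."""
    flags = set()
    if data.startswith(OLE_MAGIC):
        # Old style (.doc/.xls): VBA projects carry a _VBA_PROJECT stream.
        if utf16("_VBA_PROJECT") in data:
            flags.add("macro_ole")
        # Password-protected OOXML is wrapped in an OLE2 container that
        # holds an EncryptedPackage stream.
        if utf16("EncryptedPackage") in data:
            flags.add("encrypted")
    elif data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            return flags  # truncated or malformed archive: nothing to flag
        # New style (.docm/.xlsm): macros live in a vbaProject.bin part.
        if any(n.endswith("vbaproject.bin") for n in names):
            flags.add("macro_ooxml")
    return flags

def sample_ooxml(with_macro):
    # Constructed sample: minimal ZIP with OOXML-like part names
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

def sample_ole(stream_name):
    # Constructed stub: signature plus one entry name, not a valid file
    return OLE_MAGIC + b"\x00" * 504 + utf16(stream_name)

if __name__ == "__main__":
    for label, blob in [("docm", sample_ooxml(True)), ("docx", sample_ooxml(False)),
                        ("doc", sample_ole("_VBA_PROJECT"))]:
        print(label, sorted(classify_attachment(blob)))
```
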