On 03/10/16 21:30, John Hardin wrote:
ClamAV is probably the correct approach to macro-based malware, unless
we want to do a MS Office document plugin with something like an eval
for has_macros().


ClamAV does allow macro detection, but it depends on the MTA glue used
whether you can use this feature.

With the feedback of Alex I've put together a plugin which detects the
presence of a MS Office Macro with a few other bits.

Testing shows to be speedy and reliable enough, though seemingly lots of
legit emails have Macro attachments but this should help build
metas/help detection.

https://github.com/fmbla/spamassassin-olemacro

- Detects macros - both old and new style
- Basic 'malicious' macro detection
- Protected (encrypted) document detection

Paul
--
Paul Stead
Systems Engineer
Zen Internet

Reply via email to