On 10/14/2016 02:49 PM, Paul Stead wrote:

On 03/10/16 21:30, John Hardin wrote:
ClamAV is probably the correct approach to macro-based malware, unless
we want to do a MS Office document plugin with something like an eval
for has_macros().

ClamAV does allow macro detection, but it depends on the MTA glue used
whether you can use this feature.

With the feedback of Alex I've put together a plugin which detects the
presence of a MS Office Macro with a few other bits.

Testing shows to be speedy and reliable enough, though seemingly lots of
legit emails have Macro attachments but this should help build
metas/help detection.


- Detects macros - both old and new style
- Basic 'malicious' macro detection
- Protected (encrypted) document detection

This looks like a fine pre-Xmas gift :)

How's the performance. I know you run hi traffic sites.
Have you felt a difference?



Reply via email to