Security and privacy

using ClamAV to scan for malicious macros in office files

Moodle Admin
Re: using ClamAV to scan for malicious macros in office files

Hi Patrick

ClamAV supports YARA rules, so you can create the YARA file below under the directory /var/lib/clamav to scan Office files with macros. After creating the file, restart the clamd service.


rule office_macro
{
    meta:
        description = "M$ Office document containing a macro"
        threat_level = 1
        in_the_wild = true
    strings:
        $a = {d0 cf 11 e0}                    // OLE2/CFB container header (legacy .doc/.xls/.ppt)
        $b = {00 41 74 74 72 69 62 75 74 00}  // "\x00Attribut\x00", a marker found in VBA module streams
    condition:
        $a at 0 and $b                        // CFB magic at offset 0 and the VBA marker anywhere in the file
}
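To see what the rule above actually catches, here is an added Python example (not part of the post or of ClamAV) that mirrors the rule's condition on constructed sample files: a legacy OLE2 document with and without the VBA marker, and an OOXML-style .docm, which is a ZIP container whose vbaProject.bin holds the macro. All sample bytes are constructed inline; the helper names are made up for this example.

```python
import io
import zipfile

# Constructed constants mirroring the two hex strings in the YARA rule.
OLE_MAGIC = bytes.fromhex("d0cf11e0")               # $a: OLE2/CFB header, must sit at offset 0
VBA_MARKER = bytes.fromhex("00417474726962757400")  # $b: "\x00Attribut\x00" from VBA module streams


def matches_office_macro_rule(data: bytes) -> bool:
    """Same condition as the YARA rule: $a at offset 0 and $b anywhere."""
    return data.startswith(OLE_MAGIC) and VBA_MARKER in data


def make_ole_like_doc(with_macro: bool) -> bytes:
    """Constructed stand-in for a legacy .doc/.xls: CFB magic, then padding,
    optionally with the VBA marker embedded somewhere in the body."""
    body = bytearray(b"\x00" * 512)
    if with_macro:
        body[100:100 + len(VBA_MARKER)] = VBA_MARKER
    return OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + bytes(body)


def make_docm_like_doc() -> bytes:
    """Constructed stand-in for an OOXML .docm: a ZIP whose vbaProject.bin
    contains the marker. The outer file starts with 'PK', not d0 cf 11 e0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", make_ole_like_doc(with_macro=True))
    return buf.getvalue()


def classify_samples() -> dict:
    """Apply the rule's logic to each constructed sample, keyed by sample name."""
    return {
        "legacy_doc_with_macro": matches_office_macro_rule(make_ole_like_doc(True)),
        "legacy_doc_no_macro": matches_office_macro_rule(make_ole_like_doc(False)),
        "docm_zip_with_macro": matches_office_macro_rule(make_docm_like_doc()),
    }


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name}: {'MATCH' if hit else 'no match'}")
```

The .docm sample does not match even though it carries the macro, because the rule anchors the CFB magic at offset 0 of the outer file; whether clamd still flags it depends on its archive unpacking reaching the embedded vbaProject.bin, so test that case separately before relying on the rule for OOXML documents.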