On Thu, 9 Jun 2022, Vangelis Katsikaros via clamav-users wrote:

> I am not a security person so I apologize if the question sounds stupid.

It doesn't sound stupid. :)

> I'd like to ask if there is a signature in the clamav DB to recognise
> Microsoft word documents affected by the "Follina" - CVE-2022-30190 remote
> code execution vulnerability.
This particular vulnerability is worrying because it can be exploited
even if the user does not enable Word macros. It can be exploited by
things other than Word documents, e.g. just a link in an email: https://forum.eset.com/topic/32571-ms-word-follina-exploit-not-detected/
So as you can imagine it's unlikely that a single signature will be
able to provide complete protection.
At the moment I know of no ClamAV 'official' signature which addresses
the issue in any way at all. I imagine people are working on it.
My take on it is that if it's a Word document, a Rich Text File, RAR,
ZIP, TGZ and a whole bunch of other things, then no matter what you
claim it is, I don't want it. Links are treated with great suspicion.
The milters here reflect those views, and have done for many years.
There are mitigations for the vulnerability: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
In the absence of a fix from Microsoft that's your best bet I think
but read my first link first.
It would not be wise to rely on anti-virus techniques for protection
if there's any risk that a user might open a malicious document (or
click a malicious link) before it is known to be safe. A null scan
result does not mean it's known to be safe. It means the scanner
didn't find a threat, which does not mean that there are no threats
in there to be found.
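The policy described in the reply above (reject container and document formats based on what the bytes actually are, regardless of the declared Content-Type or filename, rather than relying on a clean scan result) can be illustrated in code. The following is an added example and is not the list author's milter or any ClamAV code; it uses only the Python standard library, the magic-byte table and the constructed sample message are assumptions made for the example, and a real deployment would wire the same check into a milter or MTA content filter.

```python
"""Content-based attachment policy check (hypothetical example).

Decides whether a message should be rejected based on what its attachments
actually contain, ignoring the declared Content-Type and file extension.
A null scan result from an AV engine is deliberately NOT consulted here:
the decision is made on the file type alone.
"""
import email
from email.message import EmailMessage
from email.policy import default
from typing import List, Optional, Tuple

# Leading-byte signatures for the formats named in the post (assumed table).
# OOXML (.docx) files are ZIP containers, so the ZIP entry covers them too.
MAGIC = {
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (legacy .doc/.xls/.ppt)",
    b"PK\x03\x04": "zip (incl. OOXML .docx/.xlsx)",
    b"{\\rtf": "rtf",
    b"Rar!\x1a\x07": "rar",
    b"\x1f\x8b": "gzip (.tgz)",
}


def identify(payload: bytes) -> Optional[str]:
    """Return the detected container type for the payload, or None."""
    for prefix, name in MAGIC.items():
        if payload.startswith(prefix):
            return name
    return None


def risky_parts(msg: EmailMessage) -> List[Tuple[str, str, str]]:
    """List (filename, declared type, detected type) for every part whose
    decoded bytes match a blocked format, whatever the headers claim."""
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        detected = identify(payload)
        if detected:
            found.append((part.get_filename() or "(none)",
                          part.get_content_type(), detected))
    return found


def should_reject(raw: bytes) -> Tuple[bool, List[Tuple[str, str, str]]]:
    """Parse a raw RFC 5322 message and apply the attachment policy."""
    msg = email.message_from_bytes(raw, policy=default)
    hits = risky_parts(msg)
    return (bool(hits), hits)


def build_sample() -> bytes:
    """Constructed sample: one attachment claims to be text/plain with a
    .txt name but starts with a ZIP header; a second one really is text."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26 + b"[Content_Types].xml",
                       maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"hello\n", maintype="text", subtype="plain",
                       filename="real.txt")
    return bytes(msg)


if __name__ == "__main__":
    reject, hits = should_reject(build_sample())
    print("reject:", reject)
    for filename, declared, detected in hits:
        print(f"  {filename}: declared {declared}, detected {detected}")
```

The check only reads the first bytes of each decoded part, so a mislabelled `.txt` that is really a ZIP container is caught while a genuine text attachment passes; extending the table with further signatures, or unpacking archives recursively, is the obvious next step for a production filter.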