[clamav-users] clamav blocking libreoffice macro
Hello,

I would like to know how I can block LibreOffice files with macros using
ClamAV, as with MS Office files:

I turned on:
OLE2BlockMacros yes
DetectPUA yes

But no result.

Kind regards.
Re: [clamav-users] clamav blocking libreoffice macro
Hi there,

On Tue, 8 Sep 2020, Hugo Boss via clamav-users wrote:

> I would like to know how I can block LibreOffice files with macros using
> ClamAV, as with MS Office files:
>
> I turned on:
> OLE2BlockMacros yes
> DetectPUA yes
>
> But no result.

I'm not quite sure I understand exactly what you want to do, but if
you look into how a LibreOffice file stores information you might see
a way to achieve what you want. The files are generally compressed
archives which contain a number of files and directories. It's very
easy to unzip them and inspect the extracted directory structure.

Then you can take a view. Macros are usually (but not always) written
in a form of BASIC, so you might for example want to consider blocking
the file if there's a directory called 'Basic' in the extracted tree.

I don't know how easy or time consuming it will be to do that with the
signatures that you can write for ClamAV, but I'm sure it's possible.
See the ClamAV documentation for more about writing signatures.

After you've written such a signature, I'm sure it will be fairly easy
to imagine ways that a malicious sender might get around it. In my
view it's easier and probably more reliable to block things based on
information about the source of a document than it is to try to cover
every possible way of hiding malicious stuff in it.

Bear in mind that a lot of macros are perfectly harmless and the user
who sent a document might not even know that there are macros in it.

If you have samples of documents containing malicious macros which
ClamAV doesn't at the moment detect I'm sure that the ClamAV team
would be interested to see them.

Finally, before you go reinventing any wheels don't overlook the
various sources of third-party signatures for ClamAV which might do
what you need already.

--

73,
Ged.

_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
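Ged's suggestion above, worked through as an added Python example (not code from the thread or from ClamAV): open the ODF ZIP container, look for a Basic/ tree, and cross-check META-INF/manifest.xml so a package whose macro directory was renamed but is still declared in the manifest is also flagged. The Scripts/ path is included because ODF keeps non-Basic scripts there, which covers the "not always BASIC" case; the sample document is a minimal package constructed in memory, not a real LibreOffice file.

```python
# Added example (not from the thread or ClamAV): flag ODF packages that carry
# macros. ODF documents are ZIP archives; LibreOffice keeps Basic macros under
# "Basic/", other scripts under "Scripts/", and declares every part in the manifest.
import io
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NS = "urn:oasis:names:tc:opendocument:xmlns:manifest:1.0"
MANIFEST_PATH = "META-INF/manifest.xml"
SCRIPT_DIRS = ("Basic/", "Scripts/")


def odf_macro_indicators(data: bytes) -> list:
    """Return the reasons a package looks macro-bearing; [] means none found."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a ZIP container (not an ODF package)"]
    with zf:
        names = zf.namelist()
        # 1. Direct check on the ZIP directory: any entry under a script tree.
        hits = [n for n in names if n.startswith(SCRIPT_DIRS)]
        if hits:
            reasons.append("script tree present: " + ", ".join(sorted(hits)))
        # 2. Manifest check: a script part declared even if stored elsewhere.
        if MANIFEST_PATH in names:
            root = ET.fromstring(zf.read(MANIFEST_PATH))
            for entry in root.iter(f"{{{MANIFEST_NS}}}file-entry"):
                path = entry.get(f"{{{MANIFEST_NS}}}full-path", "")
                if path.startswith(SCRIPT_DIRS):
                    reasons.append("manifest declares script part: " + path)
                    break
    return reasons


def build_sample_odt(with_macro: bool) -> bytes:
    """Constructed minimal ODF-style package (a test fixture, not a real document)."""
    entry = '<manifest:file-entry manifest:full-path="%s" manifest:media-type="text/xml"/>'
    parts = [entry % "content.xml"]
    if with_macro:
        parts.append(entry % "Basic/script-lc.xml")
    manifest = f'<manifest:manifest xmlns:manifest="{MANIFEST_NS}">{"".join(parts)}</manifest:manifest>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        zf.writestr("content.xml", "<office:document-content/>")
        zf.writestr(MANIFEST_PATH, manifest)
        if with_macro:
            zf.writestr("Basic/script-lc.xml", "<library:libraries/>")  # Basic library index
    return buf.getvalue()
```

A mail gateway can run `odf_macro_indicators` over each attachment and quarantine on a non-empty result; a non-empty list is only an indicator that macros are present, not proof they are malicious, which matches Ged's caveat about harmless macros.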
Re: [clamav-users] clamav blocking libreoffice macro
Hi Hugo,

I don’t think ClamAV presently supports macro detection and macro blocking in libreoffice format documents, outside of the Microsoft office formats that libreoffice supports.
As a side note, for VBA and Excel 4.0 style macros, ClamAV is getting some improved macro detection in the soon-to-be-released 0.103 version.

Which office document formats exactly are you testing with?

Ged’s idea to write signatures to detect the macros is one possible solution though ideally ClamAV’s macro-blocking feature would work for all document formats.

Regards,
Micah

From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf Of Hugo Boss via clamav-users
Sent: Tuesday, September 8, 2020 5:41 AM
To: clamav-users@lists.clamav.net
Cc: Hugo Boss <momphh@gmail.com>
Subject: [clamav-users] clamav blocking libreoffice macro

Hello,

I would like to know how I can block LibreOffice files with macros using ClamAV, as with MS Office files:

I turned on:
OLE2BlockMacros yes
DetectPUA yes

But no result.

Kind regards.
Re: [clamav-users] clamav blocking libreoffice macro
Hello,
Thanks for your answer. In fact we have issues with Emotet malware and we
have to block macros. No problem with the OLE2 MS Office format, but no
detection with the LibreOffice macro format.

On Tue, 8 Sep 2020 at 18:17, Micah Snyder (micasnyd) <micasnyd@cisco.com>
wrote:

> Hi Hugo,
>
> I don’t think ClamAV presently supports macro detection and macro blocking
> in libreoffice format documents, outside of the Microsoft office formats
> that libreoffice supports.
>
> As a side note, for VBA and Excel 4.0 style macros, ClamAV is getting some
> improved macro detection in the soon-to-be-released 0.103 version.
>
> Which office document formats exactly are you testing with?
>
> Ged’s idea to write signatures to detect the macros is one possible
> solution though ideally ClamAV’s macro-blocking feature would work for all
> document formats.
>
> Regards,
> Micah
>
> From: clamav-users <clamav-users-bounces@lists.clamav.net> On Behalf
> Of Hugo Boss via clamav-users
> Sent: Tuesday, September 8, 2020 5:41 AM
> To: clamav-users@lists.clamav.net
> Cc: Hugo Boss <momphh@gmail.com>
> Subject: [clamav-users] clamav blocking libreoffice macro
>
> Hello,
>
> I would like to know how I can block LibreOffice files with macros using
> ClamAV, as with MS Office files:
>
> I turned on:
> OLE2BlockMacros yes
> DetectPUA yes
>
> But no result.
>
> Kind regards.
>
Re: [clamav-users] clamav blocking libreoffice macro
Hi Hugo,

On Wed, 9 Sep 2020, Hugo Boss via clamav-users wrote:

> ... we have issues with Emotet malware ...

If you have a sample of a malicious message which you wouldn't mind
sending to me privately I'd be happy to see if my milter can persuade
ClamAV to detect it.

--

73,
Ged.

Re: [clamav-users] clamav blocking libreoffice macro
On 9/9/20 1:52 PM, G.W. Haywood via clamav-users wrote:
> Hi Hugo,
>
> On Wed, 9 Sep 2020, Hugo Boss via clamav-users wrote:
>
>> ... we have issues with Emotet malware ...
>
> If you have a sample of a malicious message which you wouldn't mind
> sending to me privately I'd be happy to see if my milter can persuade
> ClamAV to detect it.
>
I am interested in a sample as well. Apache SpamAssassin could be improved to detect this kind of malicious message (if it doesn't catch them atm).
Giovanni

Re: [clamav-users] clamav blocking libreoffice macro
Could I have a sample too?

I've got a test sig to block libreoffice samples but would like to confirm
more.

On 9 September 2020 13:31:49 Giovanni Bechis <giovanni@paclan.it> wrote:

> On 9/9/20 1:52 PM, G.W. Haywood via clamav-users wrote:
>> Hi Hugo,
>>
>> On Wed, 9 Sep 2020, Hugo Boss via clamav-users wrote:
>>
>>> ... we have issues with Emotet malware ...
>>
>> If you have a sample of a malicious message which you wouldn't mind
>> sending to me privately I'd be happy to see if my milter can persuade
>> ClamAV to detect it.
>>
> I am interested in a sample as well, Apache SpamAssassin could be improved
> to detect this kind of malicious messages (if it doesn't catch them atm).
> Giovanni
Cheers,

Steve
Twitter: @sanesecurity