Mailing List Archive

[clamav-users] xlsm files
Quite new to clamav. Using with Spamassassin on Linux and it appears to scan properly and detects EICAR as an attachment.

For last several weeks have been getting SPAM with xlsm file attached, claiming to be invoice or payment receipt or whatever. "Please open" sort of messages.

Since these are macro enabled, and clearly have no validity in my context, one presumes malicious intent. ClamAV does not detect any evil thing-lets, but then, I have scanned the files with other AV products and they do not detect anything either.

So, why do I worry? Am I deluded as to the potential danger or have I simply failed to properly inform the AV products, ClamAV specifically, to inspect these files properly? Or, must I add additional (signature?) packages I am not aware of?

joe a.


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
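Whether one of these attachments actually carries macros can be answered without any AV engine: an .xlsm is a ZIP, and a macro-enabled workbook ships its VBA as an OLE2 compound file at xl/vbaProject.bin and declares a "macroEnabled" content type in [Content_Types].xml. ClamAV unpacks both layers, but a macro on its own is not a signature match, which is one reason every engine returns clean on a fresh sample; what ClamAV can do is raise a heuristic alert on any OLE2 part that contains VBA when the option is enabled (AlertOLE2Macros in clamd.conf, --alert-macros on clamscan; older releases spell these OLE2BlockMacros and --block-macros), reported under the Heuristics.OLE2.ContainsMacros name. That fires on legitimate macro workbooks too, so it belongs in a scoring rule rather than an outright block. The Python below is an added example written for this thread, not code from ClamAV or SpamAssassin; the workbooks it builds are constructed in memory (a minimal [Content_Types].xml plus an OLE2 header stub standing in for vbaProject.bin), and the classification labels are this example's own.

```python
"""Tell whether an Office Open XML attachment really carries VBA macros.

Added example for the clamav-users thread, not ClamAV or SpamAssassin code.
Checks the two facts that matter: is there a vbaProject.bin part (the code
that runs), and does [Content_Types].xml declare a macroEnabled main part.
Going by content rather than file name catches a macro workbook renamed to
.xlsx and a .xlsm that has had its macros stripped.
"""
import io
import re
import zipfile

# Magic of an OLE2 / Compound File Binary container (what vbaProject.bin is).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Main-part content type of xlsm/docm/pptm, e.g.
# application/vnd.ms-excel.sheet.macroEnabled.main+xml
MACRO_TYPE_RE = re.compile(rb"application/vnd\.ms-[a-z]+\.[a-z]+\.macroEnabled\.")


def inspect_ooxml(data: bytes) -> dict:
    """Report what the container itself says, independent of its file name."""
    info = {"is_zip": False, "vba_part": None, "vba_is_ole2": False,
            "macro_enabled_type": False, "has_macros": False}
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return info                      # not OOXML at all (or a broken zip)
    info["is_zip"] = True
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        names = zf.namelist()
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba:
            info["vba_part"] = vba[0]
            info["vba_is_ole2"] = zf.read(vba[0]).startswith(OLE2_MAGIC)
        if "[Content_Types].xml" in names:
            info["macro_enabled_type"] = bool(
                MACRO_TYPE_RE.search(zf.read("[Content_Types].xml")))
    # The VBA part is what executes; the content type alone is only a claim.
    info["has_macros"] = bool(vba)
    return info


def classify(filename: str, data: bytes) -> str:
    """Compare the name the sender chose with what the bytes contain."""
    info = inspect_ooxml(data)
    ext = filename.rsplit(".", 1)[-1].lower()
    if not info["is_zip"]:
        return "not-ooxml"
    if info["has_macros"] and ext in ("xlsx", "docx", "pptx"):
        return "macros-under-macro-free-extension"   # the name lies
    if info["has_macros"]:
        return "macro-enabled"
    if info["macro_enabled_type"]:
        return "claims-macros-but-no-vba"            # e.g. macros stripped
    return "macro-free"


# --- constructed samples (not real attachments) -----------------------------
_CT_HEAD = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">')
_CT_XLSX = (b'<Override PartName="/xl/workbook.xml" ContentType="application/'
            b'vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"/>')
_CT_XLSM = (b'<Override PartName="/xl/workbook.xml" ContentType="application/'
            b'vnd.ms-excel.sheet.macroEnabled.main+xml"/>')
_CT_VBA = (b'<Override PartName="/xl/vbaProject.bin" ContentType="application/'
           b'vnd.ms-office.vbaProject"/>')


def build_sample(with_vba: bool, declare_macro_type: bool) -> bytes:
    """Minimal workbook ZIP; the VBA part is just an OLE2 header stub."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        ct = _CT_HEAD + (_CT_XLSM if declare_macro_type else _CT_XLSX)
        if with_vba:
            ct += _CT_VBA
            zf.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 504)
        zf.writestr("[Content_Types].xml", ct + b"</Types>")
        zf.writestr("xl/workbook.xml", b"<workbook/>")
    return out.getvalue()


if __name__ == "__main__":
    for name, sample in [("invoice.xlsm", build_sample(True, True)),
                         ("invoice.xlsx", build_sample(True, False)),
                         ("report.xlsx", build_sample(False, False)),
                         ("receipt.xlsm", build_sample(False, True)),
                         ("receipt.xlsm", b"not a zip at all")]:
        print(f"{name:14} -> {classify(name, sample)}")
```

Run it with a real attachment by passing the file's bytes to classify(); a "macros-under-macro-free-extension" result on mail that claims to be an invoice is a stronger signal than anything a signature database will give you on day one.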
Re: [clamav-users] [External] xlsm files
On 12/22/2020 5:51 PM, Joe Acquisto-j4 wrote:
> Quite new to clamav. Using with Spamassassin on Linux and it appears to scan properly and detects EICAR as an attachment.
>
> For last several weeks have been getting SPAM with xlsm file attached, claiming to be invoice or payment receipt or whatever. "Please open" sort of messages.
>
> Since these are macro enabled, and clearly have no validity in my context, one presumes malicious intent. ClamAV does not detect any evil thing-lets, but then, I have scanned the files with other AV products and they do not detect anything either.
>
> So, why do I worry? Am I deluded as to the potential danger or have I simply failed to properly inform the AV products, ClamAV specifically, to inspect these files properly? Or, must I add additional (signature?) packages I am not aware of?
>
> joe a.
>
Joe, you might look at enabling the OLEVBMacro plugin and adding the KAM
Ruleset, https://mcgrail.com/template/kam.cf_channel, which has rules to
help combat these types of spam emails.

Regards,
KAM


Re: [clamav-users] [External] xlsm files
> On 12/22/2020 5:51 PM, Joe Acquisto-j4 wrote:
>> Quite new to clamav. Using with Spamassassin on Linux and it appears to
>> scan properly and detects EICAR as an attachment.
>>
>> For last several weeks have been getting SPAM with xlsm file attached,
>> claiming to be invoice or payment receipt or whatever. "Please open" sort of
>> messages.
>>
>> Since these are macro enabled, and clearly have no validity in my context,
>> one presumes malicious intent. ClamAV does not detect any evil thing-lets,
>> but then, I have scanned the files with other AV products and they do not
>> detect anything either.
>>
>> So, why do I worry? Am I deluded as to the potential danger or have I
>> simply failed to properly inform the AV products, ClamAV specifically, to
>> inspect these files properly? Or, must I add additional (signature?)
>> packages I am not aware of?
>>
>> joe a.
>>
> Joe, you might look at enabling the OLEVBMacro plugin and adding the KAM
> Ruleset, https://mcgrail.com/template/kam.cf_channel, which has rules to
> help combat these types of spam emails.
>
> Regards,
> KAM
>

Kevin, I hesitate to ask here, but, you refer to SA I believe? I've been lurking there regarding the KAM discussion.

joe a.



Re: [clamav-users] xlsm files
Hi there,

On Tue, 22 Dec 2020, Joe Acquisto-j4 wrote:

> ... "Please open" sort of messages.

These are extremely common. They aren't all xlsm attachments but it's
quite usual for them to contain malicious macros - generally aimed at
Windows boxes, but you must never be complacent even on Linux.

> ... ClamAV does not detect any evil thing-lets ... other AV products
> ... do not detect anything either.

AV products will very rarely catch more than three out of four threats
and one in three is my rule of thumb. That means I expect the scanner
to miss two out of three threats. Since I typically see thousands of
attacks per month I'd be foolish to rely on AV to protect my systems.

> So, why do I worry?

Because you're right to worry. Why do I scan? :)

Essentially I stop a lot of spam with the third-party signatures, but
I always want to know more. It's interesting to see what gets missed.

> Am I deluded as to the potential danger or have I simply failed to
> properly inform the AV products, ClamAV specifically, to inspect
> these files properly? Or, must I add additional (signature?)
> packages I am not aware of?

No, you're not deluded. The trouble is it's a moving target and in my
view the best way of defending against these threats is "nuke 'em from
orbit, it's the only way to be sure". So anything that arrives here
with any attachment gets short shrift if it's not expected, and if it
is expected it gets looked at carefully. If you try to stop everything
with signatures etc.

It's pretty easy to filter out anything with an attachment, and with a
bit of perspiration you can be quite selective about it. None of that
need rely on ClamAV, but to stop all the junk you've mentioned you can
write simple Yara rules and drop them in the ClamAV database directory.

Here's an example file. Call it 'something.yara', put it in the ClamAV
database directory, reload clamd if it's running, see what it does.

8<----------------------------------------------------------------------
rule My_Spam_Rule // block some random spam
{
    strings:
        // "Subject:" header followed, anywhere later in the message, by the
        // phrase; [\W\w] matches any byte, newlines included, so these two
        // also fire when the phrase appears in the body
        $gmatcha = /\r\nSubject:[\W\w]*B2B marketing/ nocase ascii
        $gmatchb = /\r\nSubject:[\W\w]*Free SEO Audit/ nocase ascii
        // plain text anywhere in the message
        $gmatchc = "Summ Now" nocase ascii
    condition:
        $gmatcha or $gmatchb or $gmatchc
}
8<----------------------------------------------------------------------

Modifying it to catch a string in the mail body which talks about an
xlsm file is left as an exercise for the reader.

--

73,
Ged.

Re: [clamav-users] xlsm files
Hi there,

On Tue, 22 Dec 2020, G.W. Haywood via clamav-users wrote:

> If you try to stop everything with signatures etc.

Something went wrong with the connection between my brain and my
keyboard there, sorry. I meant to write ...

If you try to stop everything with signatures etc. you'll spend the
rest of your life doing it, and fail.

... or something like that.

--

73,
Ged.

Re: [clamav-users] xlsm files
> Hi there,
>
> On Tue, 22 Dec 2020, G.W. Haywood via clamav-users wrote:
>
>> If you try to stop everything with signatures etc.
>
> Something went wrong with the connection between my brain and my
> keyboard there, sorry. I meant to write ...
>
> If you try to stop everything with signatures etc. you'll spend the
> rest of your life doing it, and fail.
>
> ... or something like that.
>
> --
>
> 73,
> Ged.
>

NP. That is what I thought you meant. My day has been pretty much the same.

joe a


Re: [clamav-users] [External] xlsm files
On 12/22/2020 6:08 PM, Joe Acquisto-j4 wrote:
>> Joe, you might look at enabling the OLEVBMacro plugin and adding the KAM
>> Ruleset, https://mcgrail.com/template/kam.cf_channel, which has rules to
>> help combat these types of spam emails.
>>
>> Regards,
>> KAM
>>
> Kevin, I hesitate to ask here, but, you refer to SA I believe? I've been lurking there regarding the KAM discussion.

Hi Joe, yep, I am referring to a plugin and ruleset for Apache
SpamAssassin, apologies for my lack of clarity. Though we are working
on using our honeypot data to generate a clamav signature file for
malicious content. We've also been working on tooling to automate it.
I thought it was on https://github.com/The-McGrail-Foundation, but
perhaps someone made it private by accident; I'll get it added under
mcgrail.com soon. Contact me off-list if you might be interested in
testing/developing!

Regards,
KAM