Can you help me set up ClamAV to block macros?
We have a problem with viruses in Word documents.
I found instructions, but I don't know which directory to put the file with the "yar" extension in.
Starting from ClamAV version 0.99, it supports YARA rules.
So we can use a YARA rule to detect this type of file.
Create a file in your ClamAV library directory (on Ubuntu it's /var/lib/clamav/), called, for example, yara_officemacros.yar.
Edit it and put this code inside:

Code:
rule office_macro
{
    meta:
        description = "M$ Office document containing a macro"
        thread_level = 1
        in_the_wild = true
    strings:
        $a = {d0 cf 11 e0}
        $b = {00 41 74 74 72 69 62 75 74 00}
    condition:
        $a at 0 and $b
}

Save the file and restart clamd, and you're done.
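To see exactly what the rule above does and does not flag, here is an added example that re-implements its condition (`$a at 0 and $b`) in plain Python and runs it over a few constructed byte buffers. This is not ClamAV or YARA code and is not from the original post; the sample buffers are made up and are only long enough to exercise each branch. The `$b` pattern is the null-delimited "Attribut" fragment, which is how the start of "Attribute VB_Name" appears in a VBA module stream.

```python
"""Added example: the matching logic of the office_macro YARA rule, in pure Python.

It reproduces the rule's condition so you can see what the rule matches on a raw
file buffer. It does not unpack archives; see the note after the code.
"""

OLE_MAGIC = bytes.fromhex("d0cf11e0")                 # $a: Compound File Binary (OLE2) header
VBA_ATTRIBUT = bytes.fromhex("00417474726962757400")  # $b: "\x00Attribut\x00"
ZIP_MAGIC = b"PK\x03\x04"                             # OOXML (.docx/.docm) files are ZIP containers


def office_macro_matches(data: bytes) -> bool:
    """Mirror of the rule: $a at offset 0 and $b anywhere in the buffer."""
    return data.startswith(OLE_MAGIC) and VBA_ATTRIBUT in data


def classify(data: bytes) -> str:
    """Explain why a buffer did or did not match, to make the rule's limits visible."""
    if office_macro_matches(data):
        return "match: OLE2 file containing the VBA 'Attribut' marker"
    if data.startswith(ZIP_MAGIC):
        return ("no match: ZIP/OOXML container (the rule only looks at raw OLE2 files; "
                "in a .docm the macro lives in word/vbaProject.bin inside the zip)")
    if data.startswith(OLE_MAGIC):
        return "no match: OLE2 file without the VBA marker"
    return "no match: not an OLE2 file"


# Constructed sample buffers (not real documents), just enough bytes to hit each branch.
# The OLE header continues with a1 b1 1a e1 in real files; the rest is filler.
SAMPLES = {
    "legacy_doc_with_macro": OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 64
                             + VBA_ATTRIBUT + b'e VB_Name = "ThisDocument"',
    "legacy_doc_no_macro":   OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 64 + b"Hello, world",
    "docm_container":        ZIP_MAGIC + b"\x00" * 26 + b"word/vbaProject.bin"
                             + OLE_MAGIC + VBA_ATTRIBUT,
    "marker_but_not_ole":    b"PLAIN" + VBA_ATTRIBUT,
}


def run_samples() -> dict:
    """Return {sample name: matched?} for every constructed buffer."""
    return {name: office_macro_matches(buf) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, buf in SAMPLES.items():
        print(f"{name:24s} {classify(buf)}")
```

The point of the third sample: the rule alone does not fire on a `.docm`, because that file starts with a ZIP header, not the OLE2 magic. ClamAV unpacks ZIP archives and scans their members, so clamd may still catch the inner vbaProject.bin (itself an OLE2 file); this script does no such recursion, so if you want to reason about `.docm` coverage, feed it the extracted `word/vbaProject.bin` rather than the whole document.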