SOLVED: ClamAV - ban Word documents with macros

General discussion about Zimbra Desktop.
ILO
Posts: 7
Joined: Wed Jan 23, 2019 10:07 am

SOLVED: ClamAV - ban Word documents with macros

Post by ILO »

Hello!

Can you help me set up ClamAV to ban macros?
We have a problem with viruses in Word documents.
I found instructions, but do not know in which directory to put the file with the extension "yar".
Starting from ClamAV version 0.99 it supports YARA rules.
So we can use a YARA rule to detect this type of file.

Create a file in your ClamAV library (on Ubuntu it is /var/lib/clamav/) called, for example, yara_officemacros.yar
Edit it and write this code inside:

rule office_macro
{
    meta:
        description = "M$ Office document containing a macro"
        threat_level = 1
        in_the_wild = true
    strings:
        $a = {d0 cf 11 e0}
        $b = {00 41 74 74 72 69 62 75 74 00}
    condition:
        $a at 0 and $b
}
Save the file and restart clamd, and you're done ;-)
Last edited by ILO on Wed Mar 06, 2019 8:50 am, edited 1 time in total.
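As an added example (not ILO's code and not part of ClamAV), the script below mirrors the rule's condition in Python on raw bytes, using constructed samples: the OLE2 signature at offset 0 plus the "\x00Attribut\x00" marker. It also shows that the rule only covers the old OLE2 binary format, so a zip-based .docm with the same marker does not match and needs a separate rule.

```python
import re

# The YARA rule from the post, embedded so the script runs stand-alone.
OFFICE_MACRO_RULE = r"""
rule office_macro
{
    strings:
        $a = {d0 cf 11 e0}
        $b = {00 41 74 74 72 69 62 75 74 00}
    condition:
        $a at 0 and $b
}
"""

def parse_hex_strings(rule_text):
    """Return {name: bytes} for every '$name = { .. }' hex string in the rule."""
    strings = {}
    for name, body in re.findall(r"\$(\w+)\s*=\s*\{([0-9a-fA-F\s]+)\}", rule_text):
        strings[name] = bytes.fromhex(re.sub(r"\s", "", body))
    return strings

def office_macro_match(data, strings=None):
    """Evaluate the rule's condition '$a at 0 and $b' against raw file bytes."""
    if strings is None:
        strings = parse_hex_strings(OFFICE_MACRO_RULE)
    return data.startswith(strings["a"]) and strings["b"] in data

# Constructed samples, not real documents: an OLE2 header followed by the VBA
# "Attribut" marker, an OLE2 file without it, and a zip-based .docm container.
OLE2_HEADER = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
SAMPLE_OLE2_MACRO = OLE2_HEADER + b"\x00" * 64 + b"\x00Attribut\x00e\x00" + b"\x00" * 16
SAMPLE_OLE2_PLAIN = OLE2_HEADER + b"\x00" * 96
SAMPLE_DOCM_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"word/vbaProject.bin" + b"\x00Attribut\x00"

def classify_samples():
    """Run the rule over each constructed sample; only the OLE2 macro file hits."""
    return {
        "ole2_macro": office_macro_match(SAMPLE_OLE2_MACRO),
        "ole2_plain": office_macro_match(SAMPLE_OLE2_PLAIN),
        "docm_zip": office_macro_match(SAMPLE_DOCM_ZIP),
    }

if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```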
ILO
Posts: 7
Joined: Wed Jan 23, 2019 10:07 am

Re: ClamAV - ban Word documents with macros

Post by ILO »

The file must be in this folder:

/opt/zimbra/data/clamav/db/yara_officemacros.yar