Mailing List Archive

Rule for false extension rtf
Lately there have been several malware rtf files with doc
extension, that I have received by e-mail and that are not immediately
recognized by clamav. From virustotal scan they appear to be RTF bug
exploits.
Since clamav has special type support for rtf, would it be
possible to write custom rule to block rtf files with doc extension?

--
Virgo Pärna
irgo.parna@mail.ee


_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: Rule for false extension rtf
On 10/07/2019 07:59, Virgo Pärna via clamav-users wrote:
> Lately there have been several malware rtf files with doc
> extension, that I have received by e-mail and that are not immediately
> recognized by clamav. From virustotal scan they appear to be RTF bug
> exploits.
> Since clamav has special type support for rtf, would it be
> possible to write custom rule to block rtf files with doc extension?

Noting I often rename rtf files to doc - because when someone insists on
a "word doc" and you send them a .rtf, when they complain you sent them
the "wrong thing" you are in a lose/lose situation (if you correct them,
they resent it, if you don't, they think you did something wrong)


Re: Rule for false extension rtf
ClamAV doesn't have the ability at present to signature on scan target filenames, with exception to names of files in archives. ClamAV uses the filenames a little more in 0.101+, but historically the scanning engine hasn't had access to filenames, only file content.

Micah

On 7/10/19, 3:05 AM, "clamav-users on behalf of Dave Howe via clamav-users" <clamav-users-bounces@lists.clamav.net on behalf of clamav-users@lists.clamav.net> wrote:

On 10/07/2019 07:59, Virgo Pärna via clamav-users wrote:
> Lately there have been several malware rtf files with doc
> extension, that I have received by e-mail and that are not immediately
> recognized by clamav. From virustotal scan they appear to be RTF bug
> exploits.
> Since clamav has special type support for rtf, would it be
> possible to write custom rule to block rtf files with doc extension?

Noting I often rename rtf files to doc - because when someone insists on
a "word doc" and you send them a .rtf, when they complain you sent them
the "wrong thing" you are in a lose/lose situation (if you correct them,
they resent it, if you don't, they think you did something wrong)
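
Since the scanning engine sees content rather than the filename, the name-versus-content comparison asked about in this thread can be done in the mail pipeline ahead of ClamAV. The following is an added example, not code from the thread or from ClamAV: the function names are hypothetical, the sample message is constructed, and it assumes an RTF file starts with the bytes `{\rtf`. A hit means only that the name and the content disagree, which, as the thread notes, also happens with legitimately renamed files.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

RTF_MAGIC = b"{\\rtf"                            # assumed RTF header: "{\rtf"
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy Word .doc (OLE2) header


def sniff(data: bytes) -> str:
    """Classify by leading bytes only; the filename is never consulted."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return "unknown"


def rtf_named_doc(raw_message: bytes) -> list:
    """Return filenames of attachments named *.doc whose bytes are RTF."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""   # undo base64/QP encoding
        if name.lower().endswith(".doc") and sniff(data) == "rtf":
            hits.append(name)
    return hits


def _sample() -> bytes:
    """Constructed message: RTF named .doc, RTF named .rtf, OLE2 named .doc."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("see attachments")
    rtf = b"{\\rtf1\\ansi constructed sample}"
    m.add_attachment(rtf, maintype="application", subtype="msword",
                     filename="invoice.doc")
    m.add_attachment(rtf, maintype="application", subtype="rtf",
                     filename="notes.rtf")
    m.add_attachment(OLE2_MAGIC + b"\x00" * 16, maintype="application",
                     subtype="msword", filename="real.doc")
    return m.as_bytes()


if __name__ == "__main__":
    print(rtf_named_doc(_sample()))
```
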

