Hi,
Could you grep docx_macro in your clamav folder.
Try adding YARA. docx_macro to ignore.ign2
Which should whitelist the Sig for now
Cheers,
Steve
Web: sanesecurity.com
Blog: sanesecurity.blogspot.com
Twitter: @sanesecurity
On 6 June 2016 10:26:09 Sujit Acharyya-choudhury <s.choudhury@xxxxxxxxx> wrote:
I have situation where two institutions are unable to exchange documents due
to FP in docm file.
The latest one is given below:
This message contains a virus (YARA.docx_macro.UNOFFICIAL).
In master.conf, I have the following rule:
# ========================
# Enabled Databases
# ========================
# Set to no to disable an entire database, if the database is empty it will
also be disabled.
sanesecurity_enabled="yes" # Sanesecurity
securiteinfo_enabled="yes" # SecuriteInfo
linuxmalwaredetect_enabled="yes" # Linux Malware Detect
malwarepatrol_enabled="yes" # Malware Patrol
yararulesproject_enabled="no" # Yara-Rule Project, automatically disabled
if clamav is older than 0.99
additional_enabled="yes" # Additional Databases
And the signature files showing anything with YARA
#ls -lt /var/lib/clamav|grep yara
-rw-r--r--. 1 clam clam 2171 May 27 13:45 winnow_malware.yara
-rw-r--r--. 1 clam clam 1233 Feb 22 12:21 Sanesecurity_spam.yara
-rw-r--r--. 1 clam clam 1462 Jul 1 2015 Sanesecurity_sigtest.yara
I have checked the "offending file" in virustotal and none has flagged it up
as a malware.
Is there anything I can do.
Regards
Sujit
Sujit Choudhury | IT Services
