[sanesecurity] Re: YARA.docx_macro.UNOFFICIAL

• From: "Steve Basford" <steveb_clamav@xxxxxxxxxxxxxxxx>
• To: sanesecurity@xxxxxxxxxxxxx
• Date: Mon, 30 Oct 2017 10:26:52 -0000

On Mon, October 30, 2017 9:53 am, Neil wrote:

Hi guys,


Please could someone assist, I can't seem to whitelist the above
signature, as I'm getting quite a few false positives.

YARA.docx_macro is contained in the Yara rules set EMAIL_Cryptowall.yar
are you using Yara rules.

In your config file, might be worth changing this entry to "no"

yararulesproject_enabled="yes"

badmacro.ndb and phish.ndb should then take care of the bad stuff in macros.

I did manage to whitelist a sig called
"Sanesecurity.Malware.27218.XmlHeur.Gfx" so I know my whitelist file
(/opt/zimbra/data/clamav/db/sigwhitelist.ign2) is working, but no matter
what I do to the Yara rule it still gets blocked.

I've had a quick look, with another Yara test file and can't seem to get
it working either, might need a bugzilla entry, once I'd done a few more
tests.

-- 
Cheers,

Steve
Twitter: @sanesecurity

• Follow-Ups:
  • [sanesecurity] Re: YARA.docx_macro.UNOFFICIAL
    • From: Neil

• References:
  • [sanesecurity] YARA.docx_macro.UNOFFICIAL
    • From: Neil

Other related posts:

• » [sanesecurity] YARA.docx_macro.UNOFFICIAL- Neil
• » [sanesecurity] Re: YARA.docx_macro.UNOFFICIAL - Steve Basford
• » [sanesecurity] Re: YARA.docx_macro.UNOFFICIAL- Neil
• » [sanesecurity] Re: YARA.docx_macro.UNOFFICIAL- Neil
• » [sanesecurity] Re: YARA.docx_macro.UNOFFICIAL- TR Shaw

1. Home
2. sanesecurity
3. Archive
4. 10-2017

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---