[sanesecurity] Re: YARA.docx_macro.UNOFFICIAL

From: Neil <nwilson123@xxxxxxxxx>
To: sanesecurity@xxxxxxxxxxxxx
Date: Mon, 30 Oct 2017 13:04:02 +0200

Hi Steve,

Thanks for coming back to me so quickly.

On Mon, Oct 30, 2017 at 12:26 PM, Steve Basford <
steveb_clamav@xxxxxxxxxxxxxxxx> wrote:

On Mon, October 30, 2017 9:53 am, Neil wrote:

Hi guys,

Please could someone assist, I can't seem to whitelist the above
signature, as I'm getting quite a few false positives.

YARA.docx_macro is contained in the Yara rules set EMAIL_Cryptowall.yar
are you using Yara rules.

In your config file, might be worth changing this entry to "no"

yararulesproject_enabled="yes"

I am using Yara, but was wanting to disable it after my whitelisting
attempts failed, and in my master.conf as well as user.conf I've changed

master.conf:yararulesproject_enabled="no"
master.conf:enable_yararules="no"

...but the emails are still being blocked by Yara. Do I need to manually
remove the yara rules from my clamav DB folder perhaps?

I did restart clamd after setting to no, but they still got blocked.

badmacro.ndb and phish.ndb should then take care of the bad stuff in
macros.

I did manage to whitelist a sig called
"Sanesecurity.Malware.27218.XmlHeur.Gfx" so I know my whitelist file
(/opt/zimbra/data/clamav/db/sigwhitelist.ign2) is working, but no matter
what I do to the Yara rule it still gets blocked.

I've had a quick look, with another Yara test file and can't seem to get
it working either, might need a bugzilla entry, once I'd done a few more
tests.

Thanks so much for the assistance!

References:
- [sanesecurity] YARA.docx_macro.UNOFFICIAL
  - From: Neil
- [sanesecurity] Re: YARA.docx_macro.UNOFFICIAL
  - From: Steve Basford

[sanesecurity] Re: YARA.docx_macro.UNOFFICIAL

Other related posts: