I have removed that rule from winnow_malware.yara. It blocks Word documents
with macros that are enabled. Given the fact that this is a major vector of
ransomware I think removing this rule is risky.
I will continue to use that rule locally. We have a policy that if you need to
email word docs with macros they must be in encrypted zips.
For those that want to use the rule locally, here it is:
/*
Description: Stops Word docs with VBA. Used by lucky
Priority: 5
Scope: Against Attachment
Tags: None
Created in PhishMe's Triage on September 14, 2015 2:35 PM
*/
rule docx_macro
{
    strings:
        $header = "PK"                              // ZIP local-file signature; OOXML (.docx/.docm) is a ZIP container
        $vbaStrings = "word/vbaProject.bin" nocase  // VBA project part, present only in macro-enabled documents
    condition:
        $header at 0 and $vbaStrings
}
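As an added example (not code from this thread, from Sanesecurity or from ClamAV), the following Python reproduces the docx_macro rule's logic as a standalone check and puts a stricter ZIP-aware variant beside it. The rule matches the raw bytes of the entry name anywhere in the file; the stricter check only fires when a word/vbaProject.bin entry actually exists in the container. The sample documents are constructed in memory and are not real Word files; the function and sample names are my own.

```python
"""
Added example: the docx_macro YARA rule above as a standalone Python check.

docx_macro_matches() mirrors the rule literally: 'PK' at offset 0 plus the
string word/vbaProject.bin anywhere in the file, case-insensitively.
has_vba_project() is a stricter, ZIP-aware variant that only fires when an
entry by that name is actually present in the container. The sample
documents are constructed here; they are not real Word files.
"""
import io
import sys
import zipfile

VBA_MARKER = b"word/vbaProject.bin"


def docx_macro_matches(data: bytes) -> bool:
    """Literal re-implementation of the rule: $header at 0 and $vbaStrings (nocase)."""
    return data.startswith(b"PK") and VBA_MARKER.lower() in data.lower()


def has_vba_project(data: bytes) -> bool:
    """Structural check: parse the OOXML container as a ZIP and look for the
    word/vbaProject.bin entry by name. A stray occurrence of the string in
    some other part (e.g. document text stored uncompressed) does not count."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower() == "word/vbaproject.bin" for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def build_sample(with_macro: bool, stray_string: bool = False) -> bytes:
    """Constructed sample (hypothetical, minimal OOXML-like ZIP; not a real document).

    with_macro   : include a word/vbaProject.bin entry, as a .docm would
    stray_string : include the marker text in an uncompressed XML part, so the
                   raw bytes are in the file although no VBA project exists
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE compound file; only the entry name matters here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 constructed")
        if stray_string:
            # ZipInfo defaults to ZIP_STORED, so the text is kept verbatim in the archive.
            info = zipfile.ZipInfo("word/comments.xml")
            zf.writestr(info, "<w:t>please remove word/vbaProject.bin before sending</w:t>")
    return buf.getvalue()


def scan(data: bytes) -> str:
    """Summarise both checks for one blob."""
    return "rule=%s zip_entry=%s" % (docx_macro_matches(data), has_vba_project(data))


if __name__ == "__main__":
    # Scan files named on the command line, or the constructed samples when none are given.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, scan(fh.read()))
    else:
        print("plain docx   ", scan(build_sample(False)))
        print("macro docm   ", scan(build_sample(True)))
        print("stray string ", scan(build_sample(False, stray_string=True)))
```

The third constructed sample is the interesting one: the literal rule fires because the entry name appears as plain text inside a stored part, while the ZIP-aware check does not, since no VBA project is present. Entry names in a ZIP are never compressed, which is why the raw substring scan does reliably catch real macro-enabled documents.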
On Nov 6, 2017, at 4:59 AM, Neil <nwilson123@xxxxxxxxx> wrote:
Hi Steve,
Not sure if this is expected but in order to prevent emails being blocked I
had to disable...
#winnow_malware.yara|LOW # detect spam
in my master.conf and then remove/move winnow_malware.yara out of my
/opt/zimbra/data/clamav/db
Hope this helps someone else battling with this issue.
Thanks.
Regards.
Neil Wilson
On Mon, Oct 30, 2017 at 1:04 PM, Neil <nwilson123@xxxxxxxxx> wrote:
Hi Steve,
Thanks for coming back to me so quickly.
On Mon, Oct 30, 2017 at 12:26 PM, Steve Basford
<steveb_clamav@xxxxxxxxxxxxxxxx> wrote:
On Mon, October 30, 2017 9:53 am, Neil wrote:
Hi guys,
Please could someone assist, I can't seem to whitelist the above
signature, as I'm getting quite a few false positives.
YARA.docx_macro is contained in the Yara rule set EMAIL_Cryptowall.yar.
Are you using Yara rules?
In your config file, it might be worth changing this entry to "no":
yararulesproject_enabled="yes"
I am using Yara, but was wanting to disable it after my whitelisting attempts
failed, and in my master.conf as well as user.conf I've changed
master.conf:yararulesproject_enabled="no"
master.conf:enable_yararules="no"
...but the emails are still being blocked by Yara. Do I need to manually
remove the yara rules from my clamav DB folder perhaps?
I did restart clamd after setting to no, but they still got blocked.
badmacro.ndb and phish.ndb should then take care of the bad stuff in macros.
I did manage to whitelist a sig called
"Sanesecurity.Malware.27218.XmlHeur.Gfx" so I know my whitelist file
(/opt/zimbra/data/clamav/db/sigwhitelist.ign2) is working, but no matter
what I do to the Yara rule it still gets blocked.
I've had a quick look with another Yara test file and can't seem to get
it working either; might need a bugzilla entry once I've done a few more
tests.
Thanks so much for the assistance!