Detecting Crypto Trojans
Tone.Kravanja at alarix.si
Fri Feb 19 13:07:46 CET 2016
On our side I have reacted in banning the messages that have specifficaly named attachment (lately those were invoice_2016_52323.doc). So we are blocking those. But to answer your question. I tried F-Prot virus scanner and one of the results it gives back is number of macros discovered in the document. So you could use that to reject documents with macros.
From: Ralf Kirmis [mailto:rk at wizard.de]
Sent: Friday, February 19, 2016 9:08 AM
To: amavis-users at amavis.org
Subject: Detecting Crypto Trojans
does someone have an idea how to block those crypto trojans, which come in as office documents with enabled macros?
The patterns from Virus Scanners are actuelly behind the waves that come in.
Is it possible to detect macros in office documents and treat those mails as viruses or banned attachments?
We don't like the idea to block all office documents, wether macros or not.
More information about the amavis-users