ClamAV has supported YARA rules since version 0.99, so you can write your own custom signatures based on textual or binary patterns.
To start using YARA rules, either enable root login or enable FTP so that you can upload new .yar or .yara files to the following path: /storage/antivirus/clamav/bases/ (disable the access method again once the file is in place).
In this article we add a yara_office.yar file with a rule that blocks Office files containing a macro.
rule office_macro {
    meta:
        description = "Microsoft Office document containing a macro"
        threat_level = 1
        in_the_wild = true
    strings:
        $a = {d0 cf 11 e0}                      // start of the OLE2 compound-file header
        $b = {00 41 74 74 72 69 62 75 74 00}    // "\x00Attribut\x00": start of a compressed VBA module stream ("Attribute VB_Name")
    condition:
        $a at 0 and $b
}
The rule only matches when the file starts with the OLE2 header ($a at 0) and the VBA marker is found anywhere in it, so it targets legacy binary Office formats (and the vbaProject.bin stream that ClamAV extracts from OOXML containers).
The rule is loaded the next time freshclam runs its scheduled update; ClamAV reports a match as YARA.office_macro.UNOFFICIAL. You can check the rule against a sample before deploying it with clamscan --database=yara_office.yar sample.doc, which also reveals any YARA syntax that ClamAV's subset does not accept.
If you want to enforce it only for mail from a certain sender domain, you can create an override function for ScanCLAM in the EOD (end-of-DATA) context. The override below calls the built-in ScanCLAM with the original arguments and removes the YARA.office_macro.UNOFFICIAL signature from the result unless the sender domain is example.com, so all other ClamAV signatures still apply.
function ScanCLAM(...$args) {
    global $transaction;
    // Signatures to drop from the result; ClamAV names a YARA match
    // YARA.<rulename>.UNOFFICIAL
    $skip = [];
    if ($transaction["senderaddress"]["domain"] != "example.com")
        $skip[] = "YARA.office_macro.UNOFFICIAL";
    // Forward the original arguments to the built-in scanner and filter its result
    $clam = [];
    foreach (builtin ScanCLAM(...$args) as $v)
        if (!in_array($v, $skip))
            $clam[] = $v;
    return $clam;
}
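The override above keys on the sender domain. The following variant, added here as an example and not part of the original article or Halon's own code, enforces the rule for mail addressed to one or more protected recipient domains instead, which is the more common policy for inbound filtering. It assumes the EOD context, that $transaction["recipients"] is a list of arrays with a "domain" key, that the rule file loaded as YARA.office_macro.UNOFFICIAL, and the domain list is a placeholder.

```hsl
// Added example (not from the original article or Halon): apply the YARA
// macro rule only when at least one recipient is in a protected domain,
// leaving every other ClamAV signature untouched.
function ScanCLAM(...$args) {
    global $transaction;

    // Assumed placeholder list of domains where macro documents are blocked
    $protected = ["example.com", "example.net"];
    $rule = "YARA.office_macro.UNOFFICIAL";

    // Assumes each recipient entry carries a "domain" key
    $enforce = false;
    foreach ($transaction["recipients"] as $rcpt)
        if (in_array($rcpt["domain"], $protected))
            $enforce = true;

    // Run the built-in scanner with the original arguments; drop only our
    // YARA rule, and only when no recipient is protected
    $clam = [];
    foreach (builtin ScanCLAM(...$args) as $v) {
        if ($v == $rule && !$enforce)
            continue;
        $clam[] = $v;
    }
    return $clam;
}
```

Because the decision is made per message rather than per recipient, a message with one protected and one unprotected recipient is still blocked for both; split such messages upstream if you need per-recipient behaviour.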