Yara rule with uint32be not allowed by clamAV provided by cPanel

NetVicious

Hi!
I want to use this yara rule to disable the reception of office files with macros

Code:
rule Office_as_MHTML {
        meta:
                description = "Detects an Microsoft Office saved as a MHTML file (false positives are possible but rare; many matches on CVE-2012-0158)"
                license = "https://creativecommons.org/licenses/by-nc/4.0/"
                author = "Florian Roth"
                date = "2015-05-28"
                score = 40
                reference = "https://www.trustwave.com/Resources/SpiderLabs-Blog/Malicious-Macros-Evades-Detection-by-Using-Unusual-File-Format/"
                hash1 = "8391d6992bc037a891d2e91fd474b91bd821fe6cb9cfc62d1ee9a013b18eca80"
                hash2 = "1ff3573fe995f35e70597c75d163bdd9bed86e2238867b328ccca2a5906c4eef"
                hash3 = "d44a76120a505a9655f0224c6660932120ef2b72fee4642bab62ede136499590"
                hash4 = "5b8019d339907ab948a413d2be4bdb3e5fdabb320f5edc726dc60b4c70e74c84"
        strings:
                $s1 = "Content-Transfer-Encoding: base64" ascii fullword
                $s2 = "Content-Type: application/x-mso" ascii fullword

                $x1 = "QWN0aXZlTWltZQA" ascii   // Base64 encoded 'ActiveMime'
                $x2 = "0M8R4KGxGuE" ascii      // Base64 encoded office header D0CF11E0A1B11AE1..
        condition:
                uint32be(0) == 0x4d494d45 // "MIME" header
                and all of ($s*) and 1 of ($x*)
}
The problem is that the YARA parser in the ClamAV package provided by cPanel doesn't accept the variable type uint32be.

I use it on other machines running Ubuntu and Debian with previous versions of ClamAV and it works perfectly. So I don't know if ClamAV removed support for that variable type or it's a problem with the compilation of YARA into the ClamAV package provided by cPanel.
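For reference, the rule's logic in plain Python, added here as an illustration and not part of the original post or of Florian Roth's rule: it shows that `uint32be(0) == 0x4d494d45` is nothing more than "the file starts with the four bytes MIME", which is what a parser without uint32be support would need expressed another way (for example `$mime = "MIME"` with `$mime at 0`, assuming the target parser accepts `at`). The sample MHTML bodies are constructed, not real attachments.

```python
import base64
import re
import struct

# Constructed samples (not real files): a Word document saved as MHTML with an
# embedded ActiveMime (macro) part, and an ordinary MHTML page without one.
SAMPLE_OFFICE_MHTML = (
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/related; boundary=\"----=_NextPart\"\r\n"
    b"\r\n------=_NextPart\r\n"
    b"Content-Type: application/x-mso\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    + base64.b64encode(b"ActiveMime\x00" + b"\x00" * 16) + b"\r\n"
)
SAMPLE_PLAIN_MHTML = b"MIME-Version: 1.0\r\nContent-Type: text/html\r\n\r\n<html></html>"

STRINGS_S = [b"Content-Transfer-Encoding: base64", b"Content-Type: application/x-mso"]
STRINGS_X = [b"QWN0aXZlTWltZQA", b"0M8R4KGxGuE"]  # base64 of 'ActiveMime' / D0CF11E0...

MIME_MAGIC_BE = 0x4D494D45  # the constant used in the rule's condition


def magic_matches(data: bytes) -> bool:
    """uint32be(0) == 0x4d494d45 <=> the first four bytes are b'MIME'."""
    return len(data) >= 4 and struct.unpack(">I", data[:4])[0] == MIME_MAGIC_BE


def mime_magic_little_endian() -> int:
    """Same four bytes read as YARA's little-endian uint32(0): 0x454D494D."""
    return struct.unpack("<I", b"MIME")[0]


def fullword_in(needle: bytes, data: bytes) -> bool:
    """YARA 'fullword': no alphanumeric byte directly before or after the match."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def rule_matches(data: bytes) -> bool:
    """Mirror of the rule's condition: magic and all of $s* and 1 of $x*."""
    return (
        magic_matches(data)
        and all(fullword_in(s, data) for s in STRINGS_S)
        and any(x in data for x in STRINGS_X)
    )
```

If the cPanel build accepts plain `uint32()`, the value returned by `mime_magic_little_endian()` is the constant to compare against instead; whether it does is not stated in this thread.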

cPanelLauren

Product Owner
Staff member
Hello,

You can use the version of ClamAV offered by ClamAV themselves rather than the cPanel version (cpanel-clamav) if you need to customize it. Otherwise, cPanel already blocks dangerous attachments; if you were looking for the file extension specifically, you could strip these without running the scan by adding it to the Exim system filter. Instructions on how to do this can be found here: How to Customize the Exim System Filter File - cPanel Knowledge Base - cPanel Documentation