Sunday, 29 November 2015

Blocking doc malware

In this blog, I've been discussing the fact that of the 55 scanners examined (which is pretty much all available products), they all fail to detect malware in emails.

Yet all of them come with all sorts of claims, recommendations and certifications. How can this be? And what can be done?

The claims are similar to "detect 99.9% of in-the-wild malware". The problem is, that's not tackling the actual problem. The actual problem, is the malware emailed to me (and, most other people) every day, and the scanners don't detect anything bad in those. I dare say that the testers have 100,000 files collected over the years that these products do flag as malware. But that's not the problem.  I'm getting a hundred or more emails per week with malware attachments, and if I relied on scanners to keep me safe, I'd be getting hit dozens of times per week.

So what can be done?

In other posts, I've explained what can be done. But talk, as they say, is cheap. What counts is action.

So I've taken action. I have, running on a Raspberry Pi, this page.

To use it, you click on the "Browse" button, choose the file that you want cleaned, then
click on "send the file".

The file uploads to my server, and then it converts the file to A) a pdf file, B) an rtf file and C) a text file. You can download any or all three of those, and read them. The pdf, rtf and text file format, does not support the existence of macros. So any macros that are in the doc file, whether malicious or benign, are not present in the pdf, rtf or txt files.

This doesn't tell you if there was anything malicious in the doc file. It just creates files that don't include macros.

You still have the original doc file, of course, and you'll probably want to delete it.

This service is free.

I'll be expanding it, if there's demand, to cover xls (Excel spreadsheet) files and possibly others. Another possibility would be to convert the file into a doc file but stripped of any macros.

Even better, would be to install something on your computer that did this automatically, but I'm not going to do that; I'll leave that to the 55 antivirus vendors that are capable of writing this software, but, as far as I can tell, have not.

Mostly, this is a demonstration of what can be done. Ask your antivirus vendor why they haven't.


  1. I'd rather you didn't provide the PDF option. It implies that PDF files are safe. They aren't. Your converted DOC file will be; but the PDF file format per se is open to numerous exploits.

    1. I agree, PDF files can be unsafe. But as you point out, the ones that I create from conversion, are safe. The same would be true of a DOC file that I converted.

      But I didn't put this up in the expectation that millions of people would use it. I put it up to show that it's pretty easy to make doc files safe, and to try to encourage antivirus product vendors to do this.

  2. Wow, Doc, that's fantastic, you have a natural affinity with virus', Do you think it may be an idea for you to see if you could make a business out of it, you never know you may be able to make a living out of it :)

    ps If you do, and it is a success can I have a finders fee please ?

    1. What size finders fee are you looking for?

  3. Actually, Doc, you failed to mention the release of the Pi Zero this weekend!! Now that would reduce your costs, But i'm sure it won't be long before you get one or 70 odd!!

  4. I did see about the pi zero. The big drawback is that it doesn't have an ethernet port, so I'm staying with the Pi 2.

  5. I told you that I knew someone who could write this!! :-)

  6. I told you that I knew someone who could write this!! :-)

  7. It really wasn't difficult to do. Which of the antivirus companies have done this?