@ -5,7 +5,7 @@ OLETOOLS_MACRO_MRAPTOR {
score = 20.0;
}
OLETOOLS_MACRO_SUSPICIOUS {
expression = "OLETOOLS_SUSPICIOUS | OLETOOLS_VBASTOMP | OLETOOLS_AUTOEXEC";
expression = "OLETOOLS_SUSPICIOUS | OLETOOLS_VBASTOMP | OLETOOLS_A";
message = "Rejected (malicious macro)";
policy = "leave";
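Review bot: In `OLETOOLS_MACRO_SUSPICIOUS`, the expression now keys on `OLETOOLS_A` and no longer on `OLETOOLS_AUTOEXEC` (assuming the second of the two `expression` lines is the new side; the +/- markers are lost on this page), yet the next hunk still lists `OLETOOLS_AUTOEXEC` among the symbols. If the scanner can still emit the long name in some mode, auto-exec macros would stop contributing to this rule without any error; keeping both terms avoids that: `expression = "OLETOOLS_SUSPICIOUS | OLETOOLS_VBASTOMP | OLETOOLS_AUTOEXEC | OLETOOLS_A";`. Separately, auto-exec on its own is a weak indicator that benign documents also trigger, so a comment above the expression should state why a single flag is enough to produce "Rejected (malicious macro)" with `policy = "leave"`. The block's closing brace is outside the hunk.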
@ -7,4 +7,32 @@ symbols = {
description = "OLETOOLS found a Macro";
one_shot = true;
},
"OLETOOLS_MACRO_FOUND" {
weight = 0.0;
"OLETOOLS_AUTOEXEC" {
"OLETOOLS_SUSPICIOUS" {
"OLETOOLS_VBASTOMP" {
"OLETOOLS_A" {
"OLETOOLS_W" {
"OLETOOLS_X" {