The developers behind Snort, the open source intrusion detection system, are pushing ahead with a project to develop a system for detecting malformed documents in a bid to provide early warnings about targeted attacks. Razorback is designed to complement traditional anti-virus products by providing a warning about maliciously …
maliciously constructed files
> Razorback is designed to complement traditional anti-virus products by providing a warning about maliciously constructed files that may take advantage of zero-day vulnerabilities to compromise targeted machines ..
Instead of detecting malformed documents, why not detect all types of Windows executables and disable them before they get to the desktop? For instance, if an attachment contains a Word document with macros, disable the autorun function in the document.
Make this available as a Samba plugin.
Then have home and work shares on a Samba-based server.
Infected file arrives and is quarantined on first storage.
Regarding modifying files, this can get messy - I have had compressed data files quarantined because the octets matched some signature file.
The problem is that Windows AV tends to assume all files are for Windows apps, which is a big no-no.