[clamav-users] Encrypted Word doc/phishing attack

Reindl Harald h.reindl at thelounge.net
Wed Oct 5 08:33:58 EDT 2016



On 05.10.2016 at 14:21, Alex wrote:
> I'm starting to receive emails like this:
>
> http://pastebin.com/HpvEcT9K
>
> They're not being caught by clamav or other virus filters. Is it even
> possible to catch encrypted Word docs with a virus scanner?
>
> I'm using spamassassin on fedora with amavisd. Is there something that
> can be done to at least tag them in some way so the end-user knows
> it's a potential threat?

Reject attachments with macros, or add a clamd instance connected to the 
clamav-sa-plugin with a high score, as I told you after you asked the 
exact same thing on the SA mailing list.

[root at mail-gw:/etc/clamd.d]$ cat scan.conf | grep OLE2BlockMacros
OLE2BlockMacros no

[root at mail-gw:/etc/clamd.d]$ cat scan-sa.conf | grep OLE2BlockMacros
OLE2BlockMacros yes


Content analysis details:   (8.2 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.3 CUST_DNSWL_10_ORG_M    RBL: list.dnswl.org (Medium Trust)
                            [103.10.4.13 listed in list.dnswl.org]
 0.0 AXB_X_FF_SEZ_S         Forefront sez this is spam
-0.1 CUST_DNSWL_2_SENDERSC_L RBL: score.senderscore.com (Low Trust)
                            [103.10.4.13 listed in score.senderscore.com]
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
-0.1 CUST_DNSWL_3_JEF_L     RBL: hostkarma.junkemailfilter.com (Low Trust)
                            [103.10.4.13 listed in hostkarma.junkemailfilter.com]
 0.0 T_OBFU_ATTACH_MISSP    No description available.
 0.7 LOTS_OF_MONEY          Huge... sums of money
 6.0 CLAMAV_JNK             ClamAV detected malware/phishing/junk
                            [Heuristics.OLE2.ContainsMacros(fb03985a8486d4f897e28804b5a56f43:191355)]
 0.5 BOGOFILTER_PROB_SPAM   BOGOFILTER: No description available.
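A worked example added here, not part of Reindl's post nor of the ClamAV or SpamAssassin projects: it parses the "Content analysis details" report quoted above (including the wrapped continuation lines SA emits under a rule), extracts the detection name the CLAMAV_JNK rule carried, and shows the point of the second clamd instance, namely that without the 6.0 points from the OLE2 macro heuristic this mail would have stayed below the 5.5 threshold. The rule names, points and bracketed details are the ones from the post; the sample report text is reconstructed from it, and the `tag_subject` policy with its `[MACRO-DOC]` marker is a hypothetical one, not amavisd's or SA's own tagging.

```python
"""Parse a SpamAssassin 'Content analysis details' report and pull out what the
ClamAV plugin rule (CLAMAV_JNK) reported, so a gateway can see when the only
decisive signal was ClamAV's macro heuristic.  Added example; policy is hypothetical."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: the report quoted in the post, re-wrapped so each
# continuation line sits indented under its rule, the way SA prints it.
SAMPLE_REPORT = """\
Content analysis details:   (8.2 points, 5.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.3 CUST_DNSWL_10_ORG_M    RBL: list.dnswl.org (Medium Trust)
                            [103.10.4.13 listed in list.dnswl.org]
 0.0 AXB_X_FF_SEZ_S         Forefront sez this is spam
-0.1 CUST_DNSWL_2_SENDERSC_L RBL: score.senderscore.com (Low Trust)
                            [103.10.4.13 listed in score.senderscore.com]
 1.5 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                            [score: 0.5000]
-0.1 CUST_DNSWL_3_JEF_L     RBL: hostkarma.junkemailfilter.com (Low Trust)
                            [103.10.4.13 listed in hostkarma.junkemailfilter.com]
 0.0 T_OBFU_ATTACH_MISSP    No description available.
 0.7 LOTS_OF_MONEY          Huge... sums of money
 6.0 CLAMAV_JNK             ClamAV detected malware/phishing/junk
                            [Heuristics.OLE2.ContainsMacros(fb03985a8486d4f897e28804b5a56f43:191355)]
 0.5 BOGOFILTER_PROB_SPAM   BOGOFILTER: No description available.
"""

HEADER_RE = re.compile(r"\((?P<total>-?\d+(?:\.\d+)?) points, (?P<required>-?\d+(?:\.\d+)?) required\)")
RULE_RE = re.compile(r"^\s*(?P<pts>-?\d+\.\d+)\s+(?P<rule>[A-Z0-9_]+)\s*(?P<desc>.*)$")
# Detection name as the SA plugin printed it in the post: Name(md5:size).
# The (md5:size) suffix is made optional so a bare detection name parses too.
SIG_RE = re.compile(r"\[(?P<name>[A-Za-z0-9][A-Za-z0-9_.-]*)(?:\([0-9a-f]{32}:\d+\))?\]")
MACRO_HEURISTIC = "Heuristics.OLE2.ContainsMacros"


@dataclass
class Hit:
    points: float
    rule: str
    description: str
    details: List[str] = field(default_factory=list)  # wrapped continuation lines


@dataclass
class Report:
    total: float
    required: float
    hits: List[Hit] = field(default_factory=list)

    @property
    def is_spam(self) -> bool:
        return self.total >= self.required


def parse_report(text: str) -> Report:
    """Read the header line, then one Hit per rule line; indented lines that are
    not rule lines are continuation details of the preceding rule."""
    total = required = None
    hits: List[Hit] = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            total, required = float(m["total"]), float(m["required"])
            continue
        m = RULE_RE.match(line)
        if m:
            hits.append(Hit(float(m["pts"]), m["rule"], m["desc"].strip()))
        elif line[:1].isspace() and line.strip() and hits:
            hits[-1].details.append(line.strip())
    if total is None or required is None:
        raise ValueError("no 'Content analysis details' header found")
    return Report(total, required, hits)


def points_consistent(report: Report, tolerance: float = 0.05) -> bool:
    """Sanity check: the per-rule points should add up to the reported total."""
    return abs(sum(h.points for h in report.hits) - report.total) <= tolerance


def clamav_detections(report: Report) -> List[str]:
    """Detection names carried by CLAMAV_* rules (e.g. the OLE2 macro heuristic)."""
    names = []
    for hit in report.hits:
        if hit.rule.startswith("CLAMAV"):
            for detail in hit.details:
                m = SIG_RE.search(detail)
                if m:
                    names.append(m["name"])
    return names


def score_without_clamav(report: Report) -> float:
    """What the message would have scored if the ClamAV plugin rule had not fired."""
    clam = sum(h.points for h in report.hits if h.rule.startswith("CLAMAV"))
    return round(report.total - clam, 2)


def tag_subject(subject: str, report: Report) -> str:
    """Hypothetical tagging policy: the usual spam marker, plus a [MACRO-DOC]
    marker when ClamAV's macro heuristic fired, so the recipient sees why."""
    prefix = "***SPAM*** " if report.is_spam else ""
    if MACRO_HEURISTIC in clamav_detections(report):
        prefix += "[MACRO-DOC] "
    return prefix + subject


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print(f"score {rep.total}/{rep.required}, spam={rep.is_spam}, consistent={points_consistent(rep)}")
    print("clamav:", clamav_detections(rep), "score without clamav:", score_without_clamav(rep))
    print(tag_subject("Invoice", rep))
```

Run it as-is to see the breakdown; `score_without_clamav` returning 2.2 against a 5.5 threshold is the number that justifies keeping `OLE2BlockMacros yes` on the SA-facing clamd only, where it adds score, rather than on the blocking instance.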

