[clamav-users] Understanding OLE2BlockMacros

Reindl Harald h.reindl at thelounge.net
Wed Aug 24 12:20:49 EDT 2016


On 24.08.2016 at 18:12, Alex wrote:
>>> I'm using clamav on fedora23 with amavisd-new and would like to tag
>>> each email that contains macros with Heuristics.OLE2.ContainsMacros.
>>> I've enabled OLE2BlockMacros, but it appears it actually lets them
>>> through instead of blocking them outright when this setting is made.
>>>
>>> What is the proper configuration of clamav to tag all emails with
>>> macro attachments with Heuristics.OLE2.ContainsMacros as well as block
>>> those emails with attachments that contain macro viruses?
>>
>> clamav doesn't block or tag anything - that's better suited as a question at
>> the amavisd-new list, however normally you raise the score to a level where
>> amavisd-new or spamassassin starts to tag
>
> I'm using clamav with amavis to block them outright.
>
> It appears that using OLE2BlockMacros causes attachments with macros,
> viruses or not, to just be marked by amavis with the
> Heuristics.OLE2.ContainsMacros. However, when it's set it no longer
> blocks them but forwards them on.
>
> Is this the intended behavior?

"Heuristics.OLE2.ContainsMacros" does exactly what the option says - it
hits on attachments which contain *any* macro

> Is there no way to configure it to mark emails with macro attachments
> and block the ones with macro attachments with viruses?

known viruses are hit by signatures and so on - the whole purpose of
Heuristics is to hit on *unknown* incarnations
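
Added example (not part of the original message, and not ClamAV or amavisd-new code): a sketch of the tag-versus-block split asked about above, applied to scanner result lines of the form `path: name FOUND`. The policy, the function names, the sample paths and the non-heuristic signature name are constructed assumptions.

```python
import re

# Name reported when OLE2BlockMacros is enabled and a document contains any macro.
MACRO_HEURISTIC = "Heuristics.OLE2.ContainsMacros"

# Scanner result line: "<path>: <detection name> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<name>\S+) FOUND$")


def parse_hits(scanner_output):
    """Map each flagged path to the set of detection names reported for it."""
    hits = {}
    for line in scanner_output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:  # "OK" and summary lines do not match and are skipped
            hits.setdefault(m.group("path"), set()).add(m.group("name"))
    return hits


def verdict(names):
    """Hypothetical policy: block on any other hit, tag on the macro heuristic alone."""
    if not names:
        return "pass"
    if names - {MACRO_HEURISTIC}:  # something besides the macro heuristic matched
        return "block"
    return "tag"


def message_verdict(scanner_output):
    """Return the worst verdict over all parts of one message, plus per-file detail."""
    order = {"pass": 0, "tag": 1, "block": 2}
    per_file = {p: verdict(n) for p, n in parse_hits(scanner_output).items()}
    worst = max(per_file.values(), key=order.__getitem__, default="pass")
    return worst, per_file


# Constructed sample output; the same path may appear on more than one line
# (assumption: the scanner was asked to report every match for a file).
SAMPLE = """\
/tmp/parts/p001.doc: Heuristics.OLE2.ContainsMacros FOUND
/tmp/parts/p002.xls: Constructed.Example.Signature-1 FOUND
/tmp/parts/p002.xls: Heuristics.OLE2.ContainsMacros FOUND
/tmp/parts/p003.txt: OK
"""

if __name__ == "__main__":
    print(message_verdict(SAMPLE))
```
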
