[clamav-users] Understanding OLE2BlockMacros

Alex mysqlstudent at gmail.com
Wed Aug 24 15:37:56 EDT 2016


>> It appears that using OLE2BlockMacros causes attachments with macros,
>> viruses or not, to just be marked by amavis with the
>> Heuristics.OLE2.ContainsMacros. However, when it's set it no longer
>> blocks them but forwards them on.
>> Is this the intended behavior?
> "Heuristics.OLE2.ContainsMacros" does exactly what the option says - it hits
> on attachments which contain *any* macro
>> Is there no way to configure it to mark emails with macro attachments
>> and block the ones with macro attachments with viruses?
> known viruses are hit by signatures and so on - the whole purpose of
> Heuristics is to hit on *unknown* incarnations

I don't believe that's true. When this option is set to Yes, the
emails are tagged, but even emails with macro virus attachments are
forwarded on, not blocked. For example, yesterday hundreds of the
Sanesecurity.Badmacro.Doc.valloc virus were received. The system
with OLE2BlockMacros enabled forwarded these on to the user, bypassing
the scanning entirely. The systems with OLE2BlockMacros disabled
caught every one of the valloc viruses and prevented them from being
forwarded on to the users.

I have the following setting in amavis:

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters, first match wins
    # a hit on this name is not treated as a virus; it only adds 1.1 to the spam score
    [ qr'^Heuristics.OLE2.ContainsMacros'            => 1.1 ],
  ));

However, I expect that this is for emails which have macro
attachments, and like you say, unknown whether they are viruses. I
would never expect an email with a virus attachment to be forwarded on
unless I'm explicitly requesting that.

Please don't send me to the amavis list - there must be someone who
uses both clamav and amavis that understands what's happening here.
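As an added illustration (not part of this thread or of amavis's own code), a small Python model of the first-match-wins mapping quoted above. It assumes, as the post does, that a scanner result name matching the map only adds to the spam score, while any unmapped name is still treated as an infection; the scan results and the helper names are constructed for the example.

```python
import re

# Constructed model of the amavis map from the post: an ordered list of
# (regex, score) pairs, first match wins. Names are matched the way a Perl
# qr'...' regex would be (unanchored search, explicit ^ anchor in the pattern).
VIRUS_NAME_TO_SPAM_SCORE = [
    (re.compile(r"^Heuristics.OLE2.ContainsMacros"), 1.1),
]


def score_for(name):
    """Spam score for a scanner result name, or None when the name is not
    mapped and therefore stays a real virus hit. First match wins."""
    for pattern, score in VIRUS_NAME_TO_SPAM_SCORE:
        if pattern.search(name):
            return score
    return None


def decide(scan_names):
    """Simplified delivery decision for one message.

    Any result name that is not in the map blocks the message as infected;
    mapped names only contribute to the spam score, so a message whose only
    reported name is the heuristic is tagged and delivered."""
    added = 0.0
    for name in scan_names:
        score = score_for(name)
        if score is None:
            return ("BLOCK", name)
        added += score
    return ("TAG", round(added, 3))


def downgraded_names(expected_blocked):
    """Audit helper: return the names from a list of signatures you expect
    to block that the map would quietly turn into a spam score instead."""
    return [n for n in expected_blocked if score_for(n) is not None]


if __name__ == "__main__":
    # Constructed scan results, mirroring the two cases in the post.
    print(decide(["Heuristics.OLE2.ContainsMacros"]))       # ('TAG', 1.1)
    print(decide(["Sanesecurity.Badmacro.Doc.valloc"]))     # ('BLOCK', ...)
    print(downgraded_names(["Sanesecurity.Badmacro.Doc.valloc",
                            "Heuristics.OLE2.ContainsMacros"]))
```

The audit helper is the check worth running after editing the map: every name it returns is one the scanner could report that the policy will no longer block.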

