[clamav-users] Understanding OLE2BlockMacros

Dennis Peterson dennispe at inetnw.com
Wed Aug 24 16:41:39 EDT 2016


ClamAV has no part in tagging, forwarding, or deleting. It simply tells the 
calling process what the result of the scan was. It is left to the calling 
process to deal with it per local policy.

dp

On 8/24/16 12:37 PM, Alex wrote:
> Hi,
>
>>> It appears that using OLE2BlockMacros causes attachments with macros,
>>> viruses or not, to just be marked by amavis with the
>>> Heuristics.OLE2.ContainsMacros. However, when it's set it no longer
>>> blocks them but forwards them on.
>>>
>>> Is this the intended behavior?
>> "Heuristics.OLE2.ContainsMacros" does exactly what the option says - it hits
>> on attachments which contain *any* macro
>>
>>> Is there no way to configure it to mark emails with macro attachments
>>> and block the ones with macro attachments with viruses?
>> known viruses are hit by signatures and so on - the whole purpose of
>> Heuristics is to hit on *unknown* incarnations
> I don't believe that's true. When this option is set to Yes, the
> emails are tagged, but even emails with macro virus attachments are
> forwarded on, not blocked. For example, yesterday there were hundreds
> of the Sanesecurity.Badmacro.Doc.valloc virus received. The system
> with OLE2BlockMacros enabled forwarded these on to the user, bypassing
> the scanning entirely. The systems with OLE2BlockMacros disabled
> caught every one of the valloc viruses and prevented them from being
> forwarded on to the users.
>
> I have the following setting in amavis:
>
> @virus_name_to_spam_score_maps =
>    (new_RE(  # the order matters, first match wins
>      [ qr'^Heuristics.OLE2.ContainsMacros'            => 1.1 ],
>    ));
>
> However, I expect that this is for emails which have macro
> attachments, and like you say, unknown whether they are viruses. I
> would never expect an email with a virus attachment to be forwarded on
> unless I'm explicitly requesting that.
>
> Please don't send me to the amavis list - there must be someone who
> uses both clamav and amavis that understands what's happening here.
> _______________________________________________
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
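As an added illustration of the division of labour Dennis describes (this is not code from the thread, from ClamAV or from amavis): a small Python client that hands a buffer to clamd over its INSTREAM command, parses the single result line clamd returns, and then applies a local policy shaped like Alex's amavis map, where the first name pattern that matches turns a hit from "block" into "tag with a score" and any other FOUND name is blocked. The socket path, the Verdict type and the sample reply strings are assumptions and constructed input, not values from the original post.

```python
import re
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Ordered like amavis's @virus_name_to_spam_score_maps: first match wins.
# A detection name matching an entry is tagged with that score instead of
# being blocked. The single entry mirrors the setting quoted in the thread.
VIRUS_NAME_TO_SPAM_SCORE = [
    (re.compile(r"^Heuristics\.OLE2\.ContainsMacros"), 1.1),
]

# Assumed clamd socket location; adjust to the local clamd.conf LocalSocket.
CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"


@dataclass
class Verdict:
    action: str                  # "pass", "tag" or "block"
    name: Optional[str] = None   # detection name reported by clamd, if any
    score: float = 0.0           # spam score applied when action == "tag"


# One clamd result line: "<path>: <name> FOUND", "<path>: OK" or "<path>: <msg> ERROR".
_RESULT_RE = re.compile(r"^(?P<path>.*?): (?:(?P<name>.+) FOUND|OK|(?P<err>.+) ERROR)$")


def parse_clamd_reply(reply: str) -> Tuple[str, Optional[str]]:
    """Return (path, detection_name) from one clamd reply line; name is None for OK."""
    m = _RESULT_RE.match(reply.strip().rstrip("\x00"))
    if not m:
        raise ValueError(f"unexpected clamd reply: {reply!r}")
    if m.group("err"):
        raise RuntimeError(f"clamd reported an error: {m.group('err')}")
    return m.group("path"), m.group("name")


def decide(reply: str) -> Verdict:
    """Apply local policy to a clamd result. clamd only reports; the caller decides."""
    _, name = parse_clamd_reply(reply)
    if name is None:
        return Verdict("pass")
    for pattern, score in VIRUS_NAME_TO_SPAM_SCORE:
        if pattern.search(name):
            # First match wins, as in the amavis map: tag and deliver.
            return Verdict("tag", name, score)
    # Any other FOUND name (e.g. a signature hit) is blocked by this policy.
    return Verdict("block", name)


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET, chunk: int = 65536) -> Verdict:
    """Stream data to clamd with INSTREAM and run the result through decide()."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")              # 'z' prefix: reply is NUL-terminated
        for i in range(0, len(data), chunk):
            piece = data[i:i + chunk]
            s.sendall(struct.pack("!I", len(piece)) + piece)  # length-prefixed chunk
        s.sendall(struct.pack("!I", 0))        # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return decide(reply.decode("utf-8", "replace"))


if __name__ == "__main__":
    # Constructed replies, not captured from a real clamd.
    for line in ("stream: OK",
                 "stream: Heuristics.OLE2.ContainsMacros FOUND",
                 "stream: Sanesecurity.Badmacro.Doc.valloc FOUND"):
        print(line, "->", decide(line))
```

The policy only ever sees the one name clamd puts in its reply, so which name clamd reports for a file that both contains macros and matches a signature decides whether this caller tags or blocks it. clamd.conf's HeuristicScanPrecedence option governs exactly that: when it is enabled a heuristic hit is reported as soon as it occurs, and the clamd.conf comment advises keeping it disabled if Heuristics.* names are to be handled differently from signature hits.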