[clamav-users] Understanding OLE2BlockMacros
Reindl Harald
h.reindl at thelounge.net
Thu Aug 25 08:29:01 UTC 2016
On 24.08.2016 at 21:37, Alex wrote:
>>> It appears that using OLE2BlockMacros causes attachments with macros,
>>> viruses or not, to just be marked by amavis with the
>>> Heuristics.OLE2.ContainsMacros. However, when it's set it no longer
>>> blocks them but forwards them on.
>>>
>>> Is this the intended behavior?
>>
>> "Heuristics.OLE2.ContainsMacros" does exactly what the option says - it hits
>> on attachments which contain *any* macro
>>
>>> Is there no way to configure it to mark emails with macro attachments
>>> and block the ones with macro attachments with viruses?
>>
>> known viruses are hit by signatures and so on - the whole purpose of
>> Heuristics is to hit on *unknown* incarnations
>
> I don't believe that's true
we are far away from believing here
> When this option is set to Yes, the
> emails are tagged, but even emails with macro virus attachments are
> forwarded on, not blocked
problem is that you don't understand your mailsystem, clamd itself only
gives back which signatures are hit and then the glue (amavis or
clamav-milter or something like that) makes decisions what happens with
the message
this is NOT a clamav topic
again: this is an amavis topic
> For example, yesterday there were hundreds
> of the Sanesecurity.Badmacro.Doc.valloc virus received. The system
> with OLE2BlockMacros enabled forwarded these on to the user,
then fix your system which is *using* clamav
on my spamassassin setup they hit clamd (one of 2 instances with
different signatures and settings) and hence get 6.0 points - period
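
The split described in the message above, as an added example that is not part of the original post and is not amavis or ClamAV code: clamd only reports which signature hit, and a hypothetical glue layer decides what happens to the mail. The policy (tag on the macro heuristic alone, block on any other signature, defer on errors), the function names and the sample replies are assumptions.

```python
import re

# clamd answers a scan request with "<name>: OK", "<name>: <signature> FOUND"
# or "<name>: <message> ERROR". It reports; it does not deliver or reject mail.
REPLY = re.compile(
    r"^(?P<target>.*?): (?:(?P<sig>\S+) FOUND|(?P<ok>OK)|(?P<err>.*) ERROR)$")

# Assumed local policy: this heuristic means "has a macro", not "is malware".
TAG_ONLY = {"Heuristics.OLE2.ContainsMacros"}
RANK = {"pass": 0, "tag": 1, "defer": 2, "block": 3}

# Constructed replies, e.g. from two clamd instances scanning the same message.
SAMPLE = [
    "stream: Heuristics.OLE2.ContainsMacros FOUND",
    "stream: Sanesecurity.Badmacro.Doc.valloc FOUND",
]


def parse_reply(line):
    """Return (status, detail) for one clamd reply line."""
    m = REPLY.match(line.strip().rstrip("\0"))
    if m is None:
        return ("error", "unparseable reply")
    if m.group("sig"):
        return ("found", m.group("sig"))
    if m.group("ok"):
        return ("ok", None)
    return ("error", m.group("err"))


def decide(replies):
    """Combine all replies into one action; the most severe step wins."""
    action, reasons = "pass", []
    for line in replies:
        status, detail = parse_reply(line)
        if status == "ok":
            continue
        if status == "found":
            step = "tag" if detail in TAG_ONLY else "block"
        else:
            step = "defer"  # scanner error: do not deliver unscanned mail
        reasons.append(detail)
        if RANK[step] > RANK[action]:
            action = step
    return action, reasons


if __name__ == "__main__":
    print(decide(SAMPLE))
```
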