[clamav-users] Understanding OLE2BlockMacros

Reindl Harald h.reindl at thelounge.net
Thu Aug 25 04:29:01 EDT 2016



On 24.08.2016 at 21:37, Alex wrote:
>>> It appears that using OLE2BlockMacros causes attachments with macros,
>>> viruses or not, to just be marked by amavis with the
>>> Heuristics.OLE2.ContainsMacros. However, when it's set it no longer
>>> blocks them but forwards them on.
>>>
>>> Is this the intended behavior?
>>
>> "Heuristics.OLE2.ContainsMacros" does exactly what the option says - it hits
>> on attachments which contain *any* macro
>>
>>> Is there no way to configure it to mark emails with macro attachments
>>> and block the ones with macro attachments with viruses?
>>
>> known viruses are hit by signatures and so on - the whole purpose of
>> Heuristics is to hit on *unknown* incarnations
>
> I don't believe that's true

we are far away from believing here

> When this option is set to Yes, the
> emails are tagged, but even emails with macro virus attachments are
> forwarded on, not blocked

problem is that you don't understand your mailsystem, clamd itself only 
gives back which signatures are hit and then the glue (amavis or 
clamav-milter or something like that) makes decisions what happens with 
the message

this is NOT a clamav topic
again: this is an amavis topic

> For example, yesterday there were hundreds
> of the Sanesecurity.Badmacro.Doc.valloc virus received. The system
> with OLE2BlockMacros enabled forwarded these on to the user,

then fix your system which is *using* clamav

on my spamassassin setup they hit clamd (one of 2 instances with 
different signatures and settings) and hence get 6.0 points - period
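The split described in this thread, as an added example that is not from the poster or the ClamAV/amavis projects: clamd only reports a signature name per scanned object, and the calling "glue" layer decides what to do with it. The reply lines below are constructed samples in clamd's reply format; the tag/block/defer policy is an assumed one that tags bare OLE2BlockMacros heuristic hits and blocks signature hits.

```python
import re

# Constructed sample of the lines clamd returns for scanned streams
# (format: "<id>: <signature> FOUND" | "<id>: OK" | "<id>: <message> ERROR")
SAMPLE_RESPONSES = [
    "stream: Heuristics.OLE2.ContainsMacros FOUND",
    "stream: Sanesecurity.Badmacro.Doc.valloc FOUND",
    "stream: OK",
    "stream: Can't open file or directory ERROR",
]

RESPONSE_RE = re.compile(
    r"^(?P<id>[^:]+): (?:(?P<name>.+) )?(?P<status>OK|FOUND|ERROR)$"
)


def parse_clamd_response(line: str) -> dict:
    """Split one clamd reply line into id, status and optional signature name."""
    m = RESPONSE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised clamd reply: {line!r}")
    return {"id": m["id"], "status": m["status"], "name": m["name"]}


def decide(parsed: dict) -> str:
    """Policy the glue (amavis, clamav-milter, ...) applies; clamd itself never does.

    Assumed policy: heuristic hits such as Heuristics.OLE2.ContainsMacros only
    say "a macro is present", so they are tagged; a real signature hit means
    known malware and is blocked; a scan error is deferred rather than passed.
    Note: clamd reports only the first match per object unless AllMatchScan
    is enabled, so a macro document carrying known malware may surface as
    either name depending on configuration.
    """
    if parsed["status"] == "OK":
        return "deliver"
    if parsed["status"] == "ERROR":
        return "defer"
    if parsed["name"].startswith("Heuristics."):
        return "tag"
    return "block"


def classify_all(lines) -> list:
    """Apply the policy to a batch of clamd reply lines, in order."""
    return [decide(parse_clamd_response(line)) for line in lines]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_RESPONSES, classify_all(SAMPLE_RESPONSES)):
        print(f"{verdict:8} <- {line}")
```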
