[clamav-users] Understanding OLE2BlockMacros

Steve Basford steveb_clamav at sanesecurity.com
Thu Aug 25 15:10:51 EDT 2016


>
> Try this:
> 1) Enable OLE2BlockMacros and restart clamd
> 2) Use clamdscan to test your sample message and note the results
> 3) Disable OLE2BlockMacros and restart clamd
> 4) Use clamdscan to test your sample message again and note these results
>
>
Something else...

In amavisd-new there are virus_name_to_spam_score_maps

For example:
http://sanesecurity.com/support/problems/

If the setting to block macros is enabled in ClamAV and is actually hitting,
it should hit with Heuristics.OLE2.ContainsMacros

But.. I don't think amavisd-new has a virus_name_to_spam_score_maps entry for
Heuristics.OLE2.ContainsMacros so it might let the email through but
just mark it, instead of blocking it?

Eg...

#     [ qr'^Heuristics\.OLE2\.ContainsMacros'      => undef ],  # keep as infected

Does that change things?

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity
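To make the ordering point concrete, here is an added Python model of the first-match-wins lookup that a virus_name_to_spam_score_maps list performs; it is not amavisd-new's own code or a recommended configuration. The rule lists are constructed for this example (the `^Heuristics\.` catch-all is hypothetical), a `None` score stands in for Perl's `undef` ("keep as infected"), and a name matching no rule is assumed here to stay infected.

```python
import re
from typing import List, Optional, Sequence, Tuple

Rule = Tuple[str, Optional[float]]

# Constructed rule list in the spirit of amavisd-new's
# @virus_name_to_spam_score_maps: an ordered list of (regex, score) pairs.
# A numeric score means "treat the hit as spam evidence with this score
# instead of as an infection"; None (Perl undef) means "keep as infected".
# The first matching rule wins, so order matters. The '^Heuristics\.'
# catch-all is hypothetical and only illustrates what a broad rule does.
RULES_WITHOUT_MACRO_ENTRY: Sequence[Rule] = (
    (r"^Sanesecurity\.(Malware|Rogue|Trojan)\.", None),  # keep as infected
    (r"^Sanesecurity\.", 0.1),                            # mild spam evidence
    (r"^Heuristics\.", 0.1),                              # hypothetical catch-all
)

# Same list with an explicit entry for the OLE2 macro heuristic placed
# *before* the catch-all, as the post suggests adding.
RULES_WITH_MACRO_ENTRY: Sequence[Rule] = (
    (r"^Heuristics\.OLE2\.ContainsMacros", None),         # keep as infected
) + tuple(RULES_WITHOUT_MACRO_ENTRY)


def first_match_index(virus_name: str, rules: Sequence[Rule]) -> Optional[int]:
    """Index of the first rule whose regex matches the scanner's virus name, or None."""
    for i, (pattern, _score) in enumerate(rules):
        if re.search(pattern, virus_name):
            return i
    return None


def classify(virus_name: str, rules: Sequence[Rule]) -> str:
    """Return 'infected' or 'spam-score:<n>' according to the first matching rule.

    A name that matches no rule is assumed (for this example) to stay infected.
    """
    idx = first_match_index(virus_name, rules)
    if idx is None:
        return "infected"
    score = rules[idx][1]
    return "infected" if score is None else f"spam-score:{score}"


def shadowed_rules(virus_name: str, rules: Sequence[Rule]) -> List[int]:
    """Indices of rules that also match the name but are hidden by an earlier match.

    Useful when a hit is unexpectedly downgraded to a spam score: it shows
    which later 'keep as infected' entry never got a chance to apply.
    """
    idx = first_match_index(virus_name, rules)
    if idx is None:
        return []
    return [i for i, (pattern, _score) in enumerate(rules)
            if i > idx and re.search(pattern, virus_name)]


if __name__ == "__main__":
    name = "Heuristics.OLE2.ContainsMacros"
    print("without explicit entry:", classify(name, RULES_WITHOUT_MACRO_ENTRY))
    print("with explicit entry:   ", classify(name, RULES_WITH_MACRO_ENTRY))
```

Running it shows the macro heuristic being downgraded to a 0.1 spam score when only the broad catch-all matches, and kept as infected once the explicit undef entry sits ahead of it; `shadowed_rules` is the check to run when a hit lands on the wrong side of that line.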