[clamav-users] Understanding OLE2BlockMacros

Bowie Bailey Bowie_Bailey at BUC.com
Thu Aug 25 16:10:19 EDT 2016


On 8/25/2016 3:10 PM, Steve Basford wrote:
>> Try this:
>> 1) Enable OLE2BlockMacros and restart clamd
>> 2) Use clamdscan to test your sample message and note the results
>> 3) Disable OLE2BlockMacros and restart clamd
>> 4) Use clamdscan to test your sample message again and note these results
>>
>>
> Something else...
>
> In amavisd-new there are virus_name_to_spam_score_maps
>
> For example:
> http://sanesecurity.com/support/problems/
>
> If the setting to block macros is enable in ClamAV and is actually hitting,
> it should hit with Heuristics.OLE2.ContainsMacros
>
> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
> Heuristics.OLE2.ContainsMacros so, it might let the email through but
> just mark it, instead of blocking it?
>
> Eg...
>
> #     [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],# keep as infected
>
> Does that change things?

I think the issue is that he wants to block recognized viruses, but only 
mark heuristic matches.

-- 
Bowie
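For readers who want to see the split Bowie describes (block real signature hits, only mark macro heuristics) expressed in amavisd-new configuration, here is an added amavisd.conf excerpt. It is an illustration written for this page, not configuration from the thread or from the amavisd-new or Sanesecurity projects. It assumes ClamAV runs with OLE2BlockMacros enabled so that a macro-bearing document is reported as Heuristics.OLE2.ContainsMacros, and the 2.5 score is a constructed value to be tuned against your own spam thresholds. Any detection name that matches no entry in the map keeps its infected status, so you only need entries for what you want to downgrade.

```perl
# amavisd.conf excerpt (added illustration, not from the thread).
# Assumptions: ClamAV has "OLE2BlockMacros yes" and therefore reports
# macro-carrying Office files as Heuristics.OLE2.ContainsMacros; the
# score 2.5 is a constructed example value.

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters, first match wins
    # A genuine signature hit: 'undef' keeps the detection as infected,
    # so the message follows $final_virus_destiny (normally discarded).
    [ qr'^Sanesecurity\.'                      => undef ],  # keep as infected

    # The macro heuristic: a numeric value turns the hit into a spam score
    # contribution instead of a virus verdict, so the message is only
    # marked (or treated as spam by the usual sa_kill_level logic) rather
    # than blocked outright as infected.
    [ qr'^Heuristics\.OLE2\.ContainsMacros'    => 2.5 ],
  ));

# Detection names not matched above stay infected by default.
```

With this map a message carrying a Sanesecurity-named detection is still handled as infected, while a document whose only finding is the macro heuristic has 2.5 added to its spam score and is delivered with the usual spam headers unless that pushes it past the site's kill level. Verify the effect with clamdscan as in the steps quoted above, then with a test message through amavisd and check the resulting X-Spam headers.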


