[clamav-users] Understanding OLE2BlockMacros

Dennis Peterson dennispe at inetnw.com
Thu Aug 25 16:20:56 EDT 2016


On 8/25/16 1:10 PM, Bowie Bailey wrote:
> On 8/25/2016 3:10 PM, Steve Basford wrote:
>>> Try this:
>>> 1) Enable OLE2BlockMacros and restart clamd
>>> 2) Use clamdscan to test your sample message and note the results
>>> 3) Disable OLE2BlockMacros and restart clamd
>>> 4) Use clamdscan to test your sample message again and note these results
>>>
>>>
>> Something else...
>>
>> In amavisd-new there are virus_name_to_spam_score_maps
>>
>> For example:
>> http://sanesecurity.com/support/problems/
>>
>> If the setting to block macros is enable in ClamAV and is actually hitting,
>> it should hit with Heuristics.OLE2.ContainsMacros
>>
>> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
>> Heuristics.OLE2.ContainsMacros so, it might let the email through but
>> just mark it, instead of blocking it?
>>
>> Eg...
>>
>> #     [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],  # keep as infected
>>
>> Does that change things?
>
> I think the issue is that he wants to block recognized viruses, but only mark 
> heuristic matches.
>
That would be a scoring task in Amavisd.


dp
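The "scoring task" above, written out as an added example (not from the thread or from the amavisd-new or ClamAV projects): the clamd.conf switch that produces the Heuristics.OLE2.ContainsMacros name, beside an amavisd.conf map that turns that heuristic into a spam-score contribution while real signature hits stay blocked. The score values are assumed for illustration.

```perl
# clamd.conf (ClamAV side, not Perl): without this, clamd does not report
# macro-bearing OLE2 documents at all, so nothing below ever matches.
#   OLE2BlockMacros yes
#
# amavisd.conf (Amavisd side, Perl): a virus name matching a pattern below
# with a numeric value is no longer treated as infected; the number is
# added to the message's spam score instead.  A value of undef keeps the
# match treated as infected.  Names matching no entry stay infected too,
# so recognized viruses are still blocked (the default behaviour).
@virus_name_to_spam_score_maps =
  (new_RE(  # order matters: the first matching entry wins
    # The OLE2BlockMacros hit: tag rather than block (assumed score)
    [ qr'^Heuristics\.OLE2\.ContainsMacros' => 4.0 ],
    # Other ClamAV heuristic detections: smaller assumed score
    [ qr'^Heuristics\.'                     => 2.0 ],
  ));
```

Whether a mapped message ends up merely tagged or is still rejected depends on where the added score lands relative to the tag2 and kill levels configured for the recipient, so pick the values with those thresholds in mind.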



