[clamav-users] Understanding OLE2BlockMacros
Bowie Bailey
Bowie_Bailey at BUC.com
Thu Aug 25 20:31:21 UTC 2016
On 8/25/2016 4:20 PM, Dennis Peterson wrote:
> On 8/25/16 1:10 PM, Bowie Bailey wrote:
>> On 8/25/2016 3:10 PM, Steve Basford wrote:
>>>> Try this:
>>>> 1) Enable OLE2BlockMacros and restart clamd
>>>> 2) Use clamdscan to test your sample message and note the results
>>>> 3) Disable OLE2BlockMacros and restart clamd
>>>> 4) Use clamdscan to test your sample message again and note these
>>>> results
>>>>
>>>>
>>> Something else...
>>>
>>> In amavisd-new there are virus_name_to_spam_score_maps
>>>
>>> For example:
>>> http://sanesecurity.com/support/problems/
>>>
>>> If the setting to block macros is enable in ClamAV and is actually
>>> hitting,
>>> it should hit with Heuristics.OLE2.ContainsMacros
>>>
>>> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
>>> Heuristics.OLE2.ContainsMacros so, it might let the email through but
>>> just mark it, instead of blocking it?
>>>
>>> Eg...
>>>
>>> # [ qr’^Heuristics\.OLE2\.ContainsMacros’
>>> => undef ],# keep as infected
>>>
>>> Does that change things?
>>
>> I think the issue is that he wants to block recognized viruses, but
>> only mark heuristic matches.
>>
> That would be a scoring task in Amavisd.
Right, but the issue is that files that should have been blocked as
viruses were instead marked and allowed through with heuristic matches.
A previous poster may have hit on the right answer. If he has enabled
HeuristicScanPrecedence in clamd.conf, that would explain this behavior.
--
Bowie
More information about the clamav-users
mailing list