[clamav-users] Understanding OLE2BlockMacros
Bowie_Bailey at BUC.com
Thu Aug 25 16:31:21 EDT 2016
On 8/25/2016 4:20 PM, Dennis Peterson wrote:
> On 8/25/16 1:10 PM, Bowie Bailey wrote:
>> On 8/25/2016 3:10 PM, Steve Basford wrote:
>>>> Try this:
>>>> 1) Enable OLE2BlockMacros and restart clamd
>>>> 2) Use clamdscan to test your sample message and note the results
>>>> 3) Disable OLE2BlockMacros and restart clamd
>>>> 4) Use clamdscan to test your sample message again and note these
>>> Something else...
>>> In amavisd-new there are virus_name_to_spam_score_maps
>>> For example:
>>> If the setting to block macros is enable in ClamAV and is actually
>>> it should hit with Heuristics.OLE2.ContainsMacros
>>> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
>>> Heuristics.OLE2.ContainsMacros so, it might let the email through but
>>> just mark it, instead of blocking it?
>>> # [ qr’^Heuristics\.OLE2\.ContainsMacros’
>>> => undef ],# keep as infected
>>> Does that change things?
>> I think the issue is that he wants to block recognized viruses, but
>> only mark heuristic matches.
> That would be a scoring task in Amavisd.
Right, but the issue is that files that should have been blocked as
viruses were instead marked and allowed through with heuristic matches.
A previous poster may have hit on the right answer. If he has enabled
HeuristicScanPrecedence in clamd.conf, that would explain this behavior.
More information about the clamav-users