[clamav-users] Understanding OLE2BlockMacros

Bowie Bailey Bowie_Bailey at BUC.com
Thu Aug 25 16:31:21 EDT 2016


On 8/25/2016 4:20 PM, Dennis Peterson wrote:
> On 8/25/16 1:10 PM, Bowie Bailey wrote:
>> On 8/25/2016 3:10 PM, Steve Basford wrote:
>>>> Try this:
>>>> 1) Enable OLE2BlockMacros and restart clamd
>>>> 2) Use clamdscan to test your sample message and note the results
>>>> 3) Disable OLE2BlockMacros and restart clamd
>>>> 4) Use clamdscan to test your sample message again and note these 
>>>> results
>>>>
>>>>
>>> Something else...
>>>
>>> In amavisd-new there are virus_name_to_spam_score_maps
>>>
>>> For example:
>>> http://sanesecurity.com/support/problems/
>>>
>>> If the setting to block macros is enabled in ClamAV and is actually 
>>> hitting,
>>> it should hit with Heuristics.OLE2.ContainsMacros
>>>
>>> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
>>> Heuristics.OLE2.ContainsMacros so, it might let the email through but
>>> just mark it, instead of blocking it?
>>>
>>> Eg...
>>>
>>> #     [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],# keep as infected
>>>
>>> Does that change things?
>>
>> I think the issue is that he wants to block recognized viruses, but 
>> only mark heuristic matches.
>>
> That would be a scoring task in Amavisd.

Right, but the issue is that files that should have been blocked as 
viruses were instead marked and allowed through with heuristic matches.  
A previous poster may have hit on the right answer.  If he has enabled 
HeuristicScanPrecedence in clamd.conf, that would explain this behavior.

-- 
Bowie
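An added example, not from the thread or the Sanesecurity page: an amavisd.conf fragment that turns the ClamAV macro heuristic into a spam score while leaving real signature hits as "infected". The 5.0 score is an assumed illustrative value, and the ClamAV-side note assumes the default HeuristicScanPrecedence setting.

```perl
# Constructed amavisd.conf fragment (added example, not from the thread).
# Entries are tried in order; the first regex that matches the ClamAV
# detection name wins. A numeric value converts the hit into a spam score
# (the message is marked/scored instead of blocked); undef keeps it as
# infected, which is also what happens when no entry matches at all.
@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters!
    # Heuristics.OLE2.ContainsMacros is what clamd reports for Office
    # files when OLE2BlockMacros is enabled. Treat it as a strong spam
    # indicator rather than an outright virus.
    [ qr'^Heuristics\.OLE2\.ContainsMacros' => 5.0 ],   # assumed score

    # Keep any other heuristic name as infected (explicit, for clarity).
    [ qr'^Heuristics\.' => undef ],   # keep as infected
  ));

# ClamAV side (clamd.conf, not part of this Perl file):
#   OLE2BlockMacros yes            - report macro-bearing documents
#   HeuristicScanPrecedence no     - default; a signature match still
#                                    wins over the heuristic name, so
#                                    known malware is not downgraded
#                                    to a mere spam score by the map above.
```

With HeuristicScanPrecedence left at its default, a file that matches both a signature and the macro heuristic is reported under the signature name and is therefore blocked, which is the behaviour the original poster expected.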


