[clamav-users] Understanding OLE2BlockMacros

Alex mysqlstudent at gmail.com
Thu Aug 25 19:06:59 EDT 2016


Hi,

>>> Try this:
>>> 1) Enable OLE2BlockMacros and restart clamd
>>> 2) Use clamdscan to test your sample message and note the results
>>> 3) Disable OLE2BlockMacros and restart clamd
>>> 4) Use clamdscan to test your sample message again and note these results

Very constructive help, thank you. Here are the results with a file
that has a macro virus:

OLE2BlockMacros yes
[root at juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc
/var/tmp/inv_5236420.doc: Heuristics.OLE2.ContainsMacros FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.028 sec (0 m 0 s)

OLE2BlockMacros no
[root at juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc
/var/tmp/inv_5236420.doc: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.272 sec (0 m 0 s)

This is with HeuristicScanPrecedence set to the default No, but it
appears to take precedence anyway, as the scan with OLE2BlockMacros
set to Yes only reports that macros were found, not that a virus was
found.

The motivation for me wanting to do this is because of the large
number of macro viruses that are received before patterns are
available to tag them as viruses, so they are getting through. I'd
like this information to be available from within
amavisd/spamassassin, so I can add points, and otherwise manipulate
the file to make a decision on whether to forward it.

>> For example:
>> http://sanesecurity.com/support/problems/
>>
>> If the setting to block macros is enable in ClamAV and is actually
>> hitting,
>> it should hit with Heuristics.OLE2.ContainsMacros
>>
>> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
>> Heuristics.OLE2.ContainsMacros so, it might let the email through but
>> just mark it, instead of blocking it?
>>
>> Eg...
>>
>> #     [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],  # keep as infected
>>
>> Does that change things?

No, it doesn't change things. I tried commenting it all out then
redoing the OLE2BlockMacros tests. I have previously added the
following to my amavisd.conf:

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters, first match wins
    # dots escaped: an unescaped "." would match any character
    [ qr'^Heuristics\.OLE2\.ContainsMacros'            => 0.1 ],  # 0.1 spam points instead of "infected"
  ));

I've also created several spamassassin rules that work off of that,
but in conjunction with the clamav settings, it was causing even the
attachments with macro viruses to be forwarded on.

Thanks,
Alex
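The following is an added example, not code from the post or from amavisd-new or ClamAV. It parses clamdscan output of the shape shown above (the two result blocks are constructed copies of the ones in the post) and runs the detected names through a simplified model of @virus_name_to_spam_score_maps: an ordered list of (regex, score) pairs, first match wins, a number turns the hit into spam points and undef/None keeps the message infected. The "stay infected if any name is unmapped or maps to None" rule is an assumption about amavisd's behaviour, not a statement of its code. The point it makes is the one in the last paragraph: with OLE2BlockMacros set to yes, the heuristic name is the only thing clamd reports, so a map that scores Heuristics.OLE2.ContainsMacros at 0.1 forwards a message that would otherwise have been caught by the Sanesecurity signature.

```python
import re

# Constructed sample outputs, shaped like the two clamdscan runs quoted in the post.
SCAN_OLE2BLOCKMACROS_YES = """\
/var/tmp/inv_5236420.doc: Heuristics.OLE2.ContainsMacros FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.028 sec (0 m 0 s)
"""

SCAN_OLE2BLOCKMACROS_NO = """\
/var/tmp/inv_5236420.doc: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.272 sec (0 m 0 s)
"""

# "<path>: <signature> FOUND" lines; clean files print "<path>: OK" and are skipped.
FOUND_LINE = re.compile(r"^(?P<path>.+?): (?P<name>\S+) FOUND$", re.MULTILINE)


def parse_clamdscan(output):
    """Return the list of signature names clamdscan reported as FOUND."""
    return [m.group("name") for m in FOUND_LINE.finditer(output)]


# Ordered (regex, score) pairs mirroring @virus_name_to_spam_score_maps:
# first match wins; a numeric score converts the hit into spam points,
# None (Perl undef) keeps the message classified as infected.
ALEX_MAP = [(re.compile(r"^Heuristics\.OLE2\.ContainsMacros"), 0.1)]
SUGGESTED_MAP = [(re.compile(r"^Heuristics\.OLE2\.ContainsMacros"), None)]


def map_virus_names(names, score_map):
    """Simplified model (an assumption, not amavisd's own code): the message
    stays 'infected' if any reported name maps to None or matches no entry;
    otherwise it is passed on with the largest mapped spam score."""
    if not names:
        return ("clean", 0.0)
    score = 0.0
    for name in names:
        for rx, mapped in score_map:
            if rx.search(name):
                if mapped is None:
                    return ("infected", name)
                score = max(score, mapped)
                break
        else:
            # no map entry matched: amavisd keeps an unmapped virus name as infected
            return ("infected", name)
    return ("spam_score", score)


def decide(output, score_map):
    """Parse one clamdscan run and classify the message under the given map."""
    return map_virus_names(parse_clamdscan(output), score_map)


if __name__ == "__main__":
    runs = (("OLE2BlockMacros yes", SCAN_OLE2BLOCKMACROS_YES),
            ("OLE2BlockMacros no", SCAN_OLE2BLOCKMACROS_NO))
    maps = (("score ContainsMacros at 0.1", ALEX_MAP),
            ("keep ContainsMacros as infected", SUGGESTED_MAP))
    for run_label, output in runs:
        for map_label, score_map in maps:
            print(f"{run_label:20} {map_label:34} -> {decide(output, score_map)}")
```

Running it shows the combination that loses the virus: the OLE2BlockMacros=yes output under the 0.1 map comes back as ("spam_score", 0.1), while the same file scanned with OLE2BlockMacros=no is ("infected", "Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL") under either map, because the Sanesecurity name matches no entry and is kept as infected.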
