[clamav-users] Understanding OLE2BlockMacros

Bowie Bailey Bowie_Bailey at BUC.com
Fri Aug 26 09:04:04 EDT 2016


On 8/25/2016 7:06 PM, Alex wrote:
> Hi,
>
>>>> Try this:
>>>> 1) Enable OLE2BlockMacros and restart clamd
>>>> 2) Use clamdscan to test your sample message and note the results
>>>> 3) Disable OLE2BlockMacros and restart clamd
>>>> 4) Use clamdscan to test your sample message again and note these results
> Very constructive help, thank you. Here are the results with a file
> that has a macro virus:
>
> OLE2BlockMacros yes
> [root at juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc
> /var/tmp/inv_5236420.doc: Heuristics.OLE2.ContainsMacros FOUND
>
>
> ----------- SCAN SUMMARY -----------
> Infected files: 1
> Time: 0.028 sec (0 m 0 s)
>
> OLE2BlockMacros no
> [root at juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc
> /var/tmp/inv_5236420.doc: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL FOUND
>
> ----------- SCAN SUMMARY -----------
> Infected files: 1
> Time: 0.272 sec (0 m 0 s)
>
> This is with HeuristicScanPrecedence set to the default No, but it
> appears to take precedence anyway, as the scan with OLE2BlockMacros
> set to Yes only reports that macros were found, not that a virus was
> found.

I'm wondering if the unofficial signatures are being given a lower
precedence than the official rules. Possibly the
HeuristicScanPrecedence setting is setting heuristics at a lower
precedence than the official rules, but still higher than the unofficial
ones.

Can anyone who knows more about the internals of ClamAV comment on this?

-- 
Bowie
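A small helper for checking this across more than one sample, added here as an example and not taken from the thread or from ClamAV itself: it parses the FOUND lines of two clamdscan runs (one taken with OLE2BlockMacros yes, one with no), classifies each reported name as a heuristic alert, an unofficial (third-party) signature or an official signature, and flags files where the heuristic name replaced a signature match. The sample output below is constructed from the two runs quoted above, with one clean file added.

```python
import re
from typing import Dict, List

# clamdscan prints one "<path>: <name> FOUND" line per detection and
# "<path>: OK" for clean files; the summary block does not match this pattern.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<name>\S+) FOUND$")

def parse_clamdscan(output: str) -> Dict[str, str]:
    """Map each path that had a detection to the name clamdscan reported."""
    hits: Dict[str, str] = {}
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits[m.group("path")] = m.group("name")
    return hits

def classify(name: str) -> str:
    """Heuristic alert, unofficial (third-party) signature, or official signature."""
    if name.startswith("Heuristics."):
        return "heuristic"
    if name.endswith(".UNOFFICIAL"):
        return "unofficial"
    return "official"

def compare_runs(block_yes: str, block_no: str) -> List[dict]:
    """For every path seen in either run, report both names and whether the
    OLE2BlockMacros=yes run showed a heuristic where the other run had a signature."""
    yes_hits, no_hits = parse_clamdscan(block_yes), parse_clamdscan(block_no)
    rows = []
    for path in sorted(set(yes_hits) | set(no_hits)):
        y, n = yes_hits.get(path), no_hits.get(path)
        masked = (y is not None and classify(y) == "heuristic"
                  and n is not None and classify(n) != "heuristic")
        rows.append({"path": path, "block_yes": y, "block_no": n, "masked": masked})
    return rows

# Constructed sample output modelled on the two runs quoted in the thread,
# plus one clean file to show that "OK" lines are ignored.
RUN_BLOCK_YES = """\
/var/tmp/inv_5236420.doc: Heuristics.OLE2.ContainsMacros FOUND
/var/tmp/clean.doc: OK

----------- SCAN SUMMARY -----------
Infected files: 1
"""
RUN_BLOCK_NO = """\
/var/tmp/inv_5236420.doc: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL FOUND
/var/tmp/clean.doc: OK
"""

if __name__ == "__main__":
    for row in compare_runs(RUN_BLOCK_YES, RUN_BLOCK_NO):
        print(row)
```

Feed it the captured output of the two clamdscan runs from the four-step test above to see, per file, which name each setting produced and where the heuristic result stood in for a signature.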
