[clamav-users] Understanding OLE2BlockMacros

David Shrimpton d.shrimpton at its.uq.edu.au
Sat Aug 27 07:20:23 EDT 2016

HeuristicScanPrecedence No is broken with OLE2BlockMacros Yes.
It only applies to signatures being run against uncompressed macros.

If there is a hit on one of those signatures, that signature hit is returned
and not Heuristics.OLE2.ContainsMacros.
Otherwise Heuristics.OLE2.ContainsMacros is returned and no other signatures
are tried.  This disables all the official and unofficial signatures
that are not written against uncompressed macros, which is effectively all
of them.  There are few or no official signatures for macro viruses.
The official signatures are of little value in protecting against macro
viruses.  Commercial antivirus products are also of little value, particularly
against 'zero day' exploits.  Submit every new macro virus file you identify
to one of the web-based A/V scanning services that use multiple vendors'
products, if you do not believe this.  One well known vendor
sometimes responds to submissions of macro virus docs advising they
are only interested in the downloaded malware, not the doc that downloads it.

Re unofficial sigs, there are few or no unofficial signatures written against
uncompressed macros.  These signatures are not targeting the code
and obfuscations being used by virus writers.  You may have more success
writing your own signatures based on macro code seen in viruses.
As the code is often re-used, signatures written against macro code
may provide better 'zero day' protection than other signatures eg
unofficial or official ones.

I think the main usefulness of clamav is not as an off
the shelf A/V product, whether supplemented by
unofficial signatures or not, but as a tool for implementing
your own A/V ideas.  If you implement your own signatures you will also
have control over the aggressiveness of those signatures with respect to
false positives, which you will not have with official or unofficial signatures.
Overly aggressive signatures might however
make sharing signatures a disservice.

It is a worthwhile exercise to decode some examples from any
unofficial signature database before using it and form your
own opinion about the likelihood of false positives.

As the unofficial and official signatures are written after new viruses arrive
they are generally too late to be of use in 'zero day' attacks.

If you don't implement your own signatures against macro code, 
setting OLE2BlockMacros Yes effectively causes Heuristics.OLE2.ContainsMacros
to be returned and disables all official and unofficial signatures.
If OLE2BlockMacros is Yes then the only option is to treat every
file with macros as a virus and eg discard if you want to block the files
that do contain a macro virus.

It might be argued that files with macros should be treated similarly
to any other executables shipped in email from outside your
organization and discarded if that is your policy.

Note, clamav returns the first signature hit unless the -z option is used.
The OLE2 signatures are run before any other signatures so
OLE2BlockMacros Yes causes Heuristics.OLE2.ContainsMacros to be returned
first and all other signatures that are not against uncompressed macros
are ignored.  You only get one signature back and that is the first one
hit, which may be a 'soft' signature ie one you mightn't discard
an email on, such as Heuristics.OLE2.ContainsMacros,
even though 'hard' signatures official or unofficial might also have hit
if they had been run later.

One useful strategy may be to combine the Heuristics.OLE2.ContainsMacros
with other information from an email and discard files containing macros
that are probably viruses eg invoices and resumes.

The Heuristics.OLE2.ContainsMacros hits are arguably more useful in
identifying potential macro viruses than is turning OLE2BlockMacros off
and using the unofficial and official signatures.

Clamav -z option is also broken for OLE2BlockMacros Yes and
HeuristicScanPrecedence No.   Only signatures matching uncompressed macros
and Heuristics.OLE2.ContainsMacros are returned.   All other official
and unofficial signatures are ignored so not all the signatures that would
match are returned.  This is a bug/limitation.  Logically 
HeuristicScanPrecedence should be ignored with -z.

If clamav -z returned all the matches you could implement 
a "quality of service" type scheme
and parse all the returned signature hits including 
Heuristics.OLE2.ContainsMacros and prioritize the results 
eg discard if a 'real' virus
or just add a warning if only Heuristics.OLE2.ContainsMacros
was returned.  Or you could treat unofficial hits with more caution
eg add warning only and official hits more aggressively eg discard.
But -z is broken with OLE2, so you must decide to use OLE2BlockMacros
and not official/unofficial signatures or not use OLE2BlockMacros.

David Shrimpton
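
The "quality of service" scheme sketched in the message above, as an added example that is not part of the original post: it parses multi-match scanner output in clamscan's `<path>: <signature> FOUND` form and picks the strongest action per file. It presupposes that every match is returned, which the post says does not happen with OLE2BlockMacros Yes; the tier-to-action mapping, the function names and the sample lines are assumptions of this example (the `.UNOFFICIAL` suffix is how ClamAV labels hits from third-party databases).

```python
import re
from collections import defaultdict

MACRO_HEURISTIC = "Heuristics.OLE2.ContainsMacros"
# clamscan reports "<path>: <signature> FOUND" per match and "<path>: OK" if clean
LINE_RE = re.compile(r"^(?P<path>.+): (?:(?P<sig>\S+) FOUND|OK)$")
RANK = {"deliver": 0, "warn": 1, "discard": 2}

def action_for(sig):
    """Policy tiers are this example's assumption, following the post's suggestion."""
    if sig == MACRO_HEURISTIC:
        return "warn"      # 'soft' hit: file merely contains macros
    if sig.endswith(".UNOFFICIAL"):
        return "warn"      # third-party database: treat with more caution
    if sig.startswith("Heuristics."):
        return "warn"      # other heuristic detections
    return "discard"       # official signature hit: a 'real' virus

def decide(scan_output):
    """Return {path: (action, [signatures])}, the strongest action winning."""
    hits = defaultdict(list)
    for line in scan_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue       # summary lines, warnings, blank lines
        hits[m["path"]]    # register the file even when it is clean
        if m["sig"]:
            hits[m["path"]].append(m["sig"])
    return {
        path: (max((action_for(s) for s in sigs), key=RANK.get, default="deliver"), sigs)
        for path, sigs in hits.items()
    }

# Constructed sample output; the non-heuristic signature names are made up.
SAMPLE = """\
/tmp/a/invoice.doc: Heuristics.OLE2.ContainsMacros FOUND
/tmp/a/invoice.doc: Example.Constructed.Downloader-1 FOUND
/tmp/a/resume.doc: Heuristics.OLE2.ContainsMacros FOUND
/tmp/a/report.xls: Example.Constructed.Macro.UNOFFICIAL FOUND
/tmp/a/notes.txt: OK
"""

if __name__ == "__main__":
    for path, (action, sigs) in decide(SAMPLE).items():
        print(f"{action:8} {path} {sigs}")
```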
