[clamav-users] Encrypted Word doc/phishing attack

Alex mysqlstudent at gmail.com
Wed Oct 5 14:02:56 EDT 2016


Hi,

>> I'm using spamassassin on fedora with amavisd. Is there something that
>> can be done to at least tag them in some way so the end-user knows
>> it's a potential threat?
>
> reject attachments with macros or add a clamd instance connected to the
> clamav-sa-plugin with a high score, as I told you after you asked exactly the
> same on the SA mailing list
>
> [root@mail-gw:/etc/clamd.d]$ cat scan.conf | grep OLE2BlockMacros
> OLE2BlockMacros no
>
> [root@mail-gw:/etc/clamd.d]$ cat scan-sa.conf | grep OLE2BlockMacros
> OLE2BlockMacros yes

Reindl, I appreciate your input, but I can't just outright reject docs
with macros. We're also talking about password-protected Word
documents here, not macro documents.

However, it would be interesting to set up another instance of clamav
in amavisd that could be used by spamassassin to indicate the
attachment has a macro, then use meta rules to perhaps add a few
points based on other characteristics.

I also believe the OLE2BlockMacros/HeuristicScanPrecedence settings on
clamav are confusing and otherwise broken. Are you aware of these
issues, as they were outlined by David Shrimpton some time ago?

I currently have HeuristicScanPrecedence and OLE2BlockMacros set to
the default no.

I'd just like the ability to classify files with Word macro viruses as
such, while also marking non-virus macro attachments as just having
macros, so I can build meta rules as I described above.

Is that something that can be done? Ideas for how to actually implement it?

Thanks,
Alex
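One way to wire up the two-instance idea discussed above, written as an added example for this thread rather than code from ClamAV, amavisd, clamav-sa-plugin or anyone on the list: it speaks clamd's INSTREAM protocol to both instances (the one with OLE2BlockMacros no and the one with OLE2BlockMacros yes), parses the replies, and turns the pair of verdicts into a label that a SpamAssassin meta rule could weigh. The socket paths are assumed placeholders; the detection name Heuristics.OLE2.ContainsMacros is what clamd reports for a macro-carrying document when OLE2BlockMacros is enabled. The decoder for the request framing stands in for clamd's side of the exchange so the framing can be checked offline.

```python
import socket
import struct
from typing import Optional, Tuple

# Detection name clamd reports for a document containing VBA macros when the
# instance runs with OLE2BlockMacros yes.
MACRO_HEURISTIC = "Heuristics.OLE2.ContainsMacros"

# Assumed socket paths for the two instances; adjust to your clamd.d setup.
SIG_SOCKET = "/var/run/clamd.scan/clamd.sock"       # OLE2BlockMacros no
MACRO_SOCKET = "/var/run/clamd.scan-sa/clamd.sock"  # OLE2BlockMacros yes


def build_instream_request(data: bytes, chunk_size: int = 4096) -> bytes:
    """Encode a zINSTREAM request: the command, then big-endian length-prefixed
    chunks, then a zero-length chunk that tells clamd the stream is complete."""
    out = bytearray(b"zINSTREAM\0")
    for off in range(0, len(data), chunk_size):
        chunk = data[off:off + chunk_size]
        out += struct.pack(">I", len(chunk)) + chunk
    out += struct.pack(">I", 0)
    return bytes(out)


def decode_instream_request(request: bytes) -> bytes:
    """Reassemble the streamed bytes the way clamd does on its side of the
    exchange; used here to check that the request framing round-trips."""
    prefix = b"zINSTREAM\0"
    if not request.startswith(prefix):
        raise ValueError("not a zINSTREAM request")
    pos, data = len(prefix), bytearray()
    while True:
        if len(request) < pos + 4:
            raise ValueError("truncated chunk header")
        (n,) = struct.unpack(">I", request[pos:pos + 4])
        pos += 4
        if n == 0:
            break
        data += request[pos:pos + n]
        pos += n
    if pos != len(request):
        raise ValueError("trailing bytes after terminating chunk")
    return bytes(data)


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Parse clamd's NUL-terminated reply: 'stream: OK', 'stream: <name> FOUND'
    or 'stream: <message> ERROR'. Returns (status, name_or_message)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, body = text.partition(": ")
    if body == "OK":
        return "OK", None
    for status in ("FOUND", "ERROR"):
        if body.endswith(" " + status):
            return status, body[:-len(status) - 1]
    return "UNKNOWN", body


def scan_stream(socket_path: str, data: bytes) -> bytes:
    """Send one INSTREAM scan to a clamd unix socket and return the raw reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket_path)
        s.sendall(build_instream_request(data))
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return reply


def classify(sig_reply: bytes, macro_reply: bytes) -> Tuple[str, Optional[str]]:
    """Combine the two verdicts: a signature hit on either instance is a virus;
    the macro heuristic alone is 'macro', left for a meta rule to weigh; an
    error on either side is surfaced so the mail is not silently passed."""
    sig_status, sig_name = parse_reply(sig_reply)
    macro_status, macro_name = parse_reply(macro_reply)
    if sig_status == "FOUND":
        return "virus", sig_name
    if macro_status == "FOUND":
        if macro_name == MACRO_HEURISTIC:
            return "macro", macro_name
        return "virus", macro_name
    if "ERROR" in (sig_status, macro_status):
        return "error", sig_name if sig_status == "ERROR" else macro_name
    return "clean", None


def classify_file(data: bytes) -> Tuple[str, Optional[str]]:
    """Scan one attachment with both instances (needs both clamd sockets up)."""
    return classify(scan_stream(SIG_SOCKET, data), scan_stream(MACRO_SOCKET, data))


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print(classify_file(f.read()))
```

The label returned by `classify` is what you would expose to SpamAssassin (for instance as a header that a `header` rule matches and a `meta` rule combines with other tests); "macro" on its own contributes only the points you assign it, while "virus" can keep the existing rejection path.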