[clamav-users] Encrypted Word doc/phishing attack

Reindl Harald h.reindl at thelounge.net
Wed Oct 5 14:10:12 EDT 2016



On 05.10.2016 at 20:02, Alex wrote:
>>> I'm using spamassassin on fedora with amavisd. Is there something that
>>> can be done to at least tag them in some way so the end-user knows
>>> it's a potential threat?
>>
>> reject attachments with macros, or add a clamd instance connected to the
>> clamav-sa-plugin with a high score, as I told you after you asked exactly the
>> same on the SA mailing list
>>
>> [root at mail-gw:/etc/clamd.d]$ cat scan.conf | grep OLE2BlockMacros
>> OLE2BlockMacros no
>>
>> [root at mail-gw:/etc/clamd.d]$ cat scan-sa.conf | grep OLE2BlockMacros
>> OLE2BlockMacros yes
>
> Reindl, I appreciate your input, but I can't just outright reject docs
> with macros. We're also talking about password-protected Word
> documents here, not macro documents.

Guess why I fixed the clamav plugin for spamassassin and why there are *two* 
instances, as you can see above...

Reject is above 8.0, and the rest is done by Bayes to avoid FPs and by other 
rules to make sure it's crap.

[root at mail-gw:/etc/mail/spamassassin]$ cat clamav.cf
ifplugin Mail::SpamAssassin::Plugin::ClamAV
  # clamd-sa.sock: the instance with OLE2BlockMacros yes (scan-sa.conf).
  # Scores 6.0, below the 8.0 reject threshold, so a macro attachment alone
  # only adds to the score; Bayes and other rules have to push it over.
  full      CLAMAV_JNK  eval:check_clamav('/run/clamd/clamd-sa.sock')
  describe  CLAMAV_JNK  ClamAV detected malware/phishing/junk
  priority  CLAMAV_JNK  800
  score     CLAMAV_JNK  6.0

  # clamd.sock: the instance with OLE2BlockMacros no (scan.conf), i.e. real
  # signature/phishing hits only. Scores 9.9, so a hit rejects on its own.
  full      CLAMAV_MLW  eval:check_clamav('/run/clamd/clamd.sock')
  describe  CLAMAV_MLW  ClamAV detected malware/phishing
  priority  CLAMAV_MLW  800
  score     CLAMAV_MLW  9.9
endif
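The two-instance scoring described above, as an added example that is not code from this thread, from ClamAV or from SpamAssassin: a Python client that speaks clamd's INSTREAM protocol to both sockets and sums the rule scores from the quoted clamav.cf against the stated 8.0 reject threshold. Since no clamd is assumed to be installed, a small constructed stand-in daemon answers over two unix sockets in a temp dir. The BAYES_99 score (3.5), the byte markers the stand-in keys on, the `Heuristics.OLE2.ContainsMacros` signature name it returns for macro documents, and the socket paths are all assumptions for illustration.

```python
import os, shutil, socket, struct, tempfile, threading

# Scores mirror the quoted clamav.cf; BAYES_99 is an assumed example value.
RULES = {"CLAMAV_JNK": 6.0,   # clamd-sa instance (OLE2BlockMacros yes)
         "CLAMAV_MLW": 9.9,   # clamd instance    (OLE2BlockMacros no)
         "BAYES_99":   3.5}   # assumed score for a strong Bayes hit
REJECT_AT = 8.0               # "reject is above 8.0"

def clamd_instream(sock_path, data, chunk=8192):
    """Scan bytes with clamd's INSTREAM command: 'zINSTREAM\\0', then chunks with a
    4-byte network-order length prefix, a zero-length chunk, then a NUL-ended reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), chunk):
            part = data[i:i + chunk]
            s.sendall(struct.pack("!I", len(part)) + part)
        s.sendall(struct.pack("!I", 0))
        reply = b""
        while not reply.endswith(b"\0"):
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    return reply.rstrip(b"\0").decode()

def check_clamav(sock_path, data):
    # Signature name from a 'stream: <sig> FOUND' reply, else None (clean).
    reply = clamd_instream(sock_path, data)
    return reply[8:-6] if reply.startswith("stream: ") and reply.endswith(" FOUND") else None

def score_message(data, sa_sock, mlw_sock, bayes_99=False):
    """Sum rule scores the way SA would: both clamd verdicts plus a Bayes flag."""
    hits = {}
    for rule, sock in (("CLAMAV_JNK", sa_sock), ("CLAMAV_MLW", mlw_sock)):
        sig = check_clamav(sock, data)
        if sig:
            hits[rule] = sig
    if bayes_99:
        hits["BAYES_99"] = "bayes"
    total = round(sum(RULES[r] for r in hits), 1)
    return {"hits": hits, "score": total, "reject": total > REJECT_AT}

# --- constructed stand-in for clamd so the script runs with no daemon installed ---
def _recv_exact(conn, n):
    buf = b""
    while len(buf) < n:
        part = conn.recv(n - len(buf))
        if not part: raise ConnectionError("client closed early")
        buf += part
    return buf

def _fake_clamd(srv, block_macros, stop):
    """Answer INSTREAM like clamd would; block_macros plays the OLE2BlockMacros role."""
    while not stop.is_set():
        try:
            conn, _ = srv.accept()
        except socket.timeout:
            continue
        with conn:
            try:
                _recv_exact(conn, len(b"zINSTREAM\0"))        # only INSTREAM is spoken here
                payload = b""
                while True:
                    n = struct.unpack("!I", _recv_exact(conn, 4))[0]
                    if n == 0:
                        break
                    payload += _recv_exact(conn, n)
            except ConnectionError:
                continue
            if b"EICAR-TEST-MARKER" in payload:                # constructed marker, not EICAR
                verdict = "Eicar-Test-Signature FOUND"
            elif block_macros and b"_VBA_PROJECT" in payload:  # OLE2 macro stream name (assumed)
                verdict = "Heuristics.OLE2.ContainsMacros FOUND"
            else:
                verdict = "OK"
            conn.sendall(("stream: " + verdict + "\0").encode())
    srv.close()

def demo():
    """Run two fake daemons, score four constructed attachments, return the verdicts."""
    tmp, stop, threads = tempfile.mkdtemp(), threading.Event(), []
    sa, mlw = os.path.join(tmp, "clamd-sa.sock"), os.path.join(tmp, "clamd.sock")
    for path, macros in ((sa, True), (mlw, False)):
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(path); srv.listen(5); srv.settimeout(0.2)
        threads.append(threading.Thread(target=_fake_clamd, args=(srv, macros, stop), daemon=True))
        threads[-1].start()
    macro_doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 32 + b"_VBA_PROJECT"  # constructed blob
    cases = {"macro_doc": (macro_doc, False), "macro_doc_spammy": (macro_doc, True),
             "malware": (b"invoice.exe EICAR-TEST-MARKER", False),
             "clean": (b"Dear customer, your invoice is attached.", False)}
    results = {k: score_message(d, sa, mlw, bayes_99=b) for k, (d, b) in cases.items()}
    stop.set()
    for t in threads: t.join()
    shutil.rmtree(tmp)
    return results

if __name__ == "__main__":
    for name, r in demo().items(): print(f"{name:17} score={r['score']:>5} reject={r['reject']} hits={r['hits']}")
```

Run it directly and it prints the four verdicts: a macro document alone scores 6.0 (tagged but delivered), the same document with a Bayes hit 9.5 (rejected), a signature hit seen by both instances 15.9 (rejected), and a clean attachment 0.0. The gap between 6.0 and 8.0 is the whole design: the macro-only instance can never reject by itself, which is what lets macro documents through while still flagging them.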
