[clamav-users] Encrypted Word doc/phishing attack
Reindl Harald
h.reindl at thelounge.net
Wed Oct 5 18:10:12 UTC 2016
Am 05.10.2016 um 20:02 schrieb Alex:
>>> I'm using spamassassin on fedora with amavisd. Is there something that
>>> can be done to at least tag them in some way so the end-user knows
>>> it's a potential threat?
>>
>> reject attachments with macros or add a clamd instance connected to the
>> clamav-sa-plugin with a high score as i told you after you asked exactly
>> the same on the SA mailing-list
>>
>> [root at mail-gw:/etc/clamd.d]$ cat scan.conf | grep OLE2BlockMacros
>> OLE2BlockMacros no
>>
>> [root at mail-gw:/etc/clamd.d]$ cat scan-sa.conf | grep OLE2BlockMacros
>> OLE2BlockMacros yes
>
> Reindl, I appreciate your input, but I can't just outright reject docs
> with macros. We're also talking about password-protected Word
> documents here, not macro documents
guess why i fixed the clamav-plugin for spamassassin and there are *two*
instances like you can see above...
reject is above 8.0 and the rest is done by bayes to avoid FP and other
rules to make sure it's crap
[root at mail-gw:/etc/mail/spamassassin]$ cat clamav.cf
ifplugin Mail::SpamAssassin::Plugin::ClamAV
full CLAMAV_JNK eval:check_clamav('/run/clamd/clamd-sa.sock')
describe CLAMAV_JNK ClamAV detected malware/phishing/junk
priority CLAMAV_JNK 800
score CLAMAV_JNK 6.0
full CLAMAV_MLW eval:check_clamav('/run/clamd/clamd.sock')
describe CLAMAV_MLW ClamAV detected malware/phishing
priority CLAMAV_MLW 800
score CLAMAV_MLW 9.9
endif
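To verify that the two-instance setup above behaves as intended (the macro-blocking instance flags a document the normal instance passes, and only the intended SA score is added), here is an added example, not code from the post or from ClamAV: a small client that streams one file to both clamd sockets named in the clamav.cf using clamd's INSTREAM command and sums the scores of the rules that would fire. The socket paths and scores come from the post; the 64 KiB chunk size is an assumption.

```python
import socket
import struct
from typing import Dict, Optional

# Socket paths and rule scores exactly as in the posted clamav.cf.
CLAMD_SOCKETS = {
    "CLAMAV_MLW": "/run/clamd/clamd.sock",     # scan.conf:    OLE2BlockMacros no
    "CLAMAV_JNK": "/run/clamd/clamd-sa.sock",  # scan-sa.conf: OLE2BlockMacros yes
}
SCORES = {"CLAMAV_MLW": 9.9, "CLAMAV_JNK": 6.0}


def instream_frames(data: bytes, chunk: int = 65536) -> bytes:
    """Build a zINSTREAM request: NUL-terminated command, then chunks
    prefixed by a 4-byte big-endian length, ended by a zero-length chunk."""
    out = [b"zINSTREAM\0"]
    for i in range(0, len(data), chunk):
        piece = data[i:i + chunk]
        out.append(struct.pack(">I", len(piece)) + piece)
    out.append(struct.pack(">I", 0))
    return b"".join(out)


def parse_reply(reply: bytes) -> Optional[str]:
    """'stream: <name> FOUND' -> <name>; 'stream: OK' -> None; else error."""
    text = reply.rstrip(b"\0\n").decode(errors="replace")
    if text.endswith(" FOUND"):
        return text.split(": ", 1)[1][:-len(" FOUND")]
    if text.endswith(" OK"):
        return None
    raise RuntimeError("clamd replied: " + text)


def scan(sock_path: str, data: bytes) -> Optional[str]:
    """Stream data to one clamd instance and return the detection name, if any."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(instream_frames(data))
        reply = b""
        while not reply.endswith(b"\0"):  # z-commands end replies with NUL
            buf = s.recv(4096)
            if not buf:
                break
            reply += buf
    return parse_reply(reply)


def sa_score(hits: Dict[str, Optional[str]]) -> float:
    """Sum the scores of the rules whose clamd instance reported a FOUND."""
    return sum(SCORES[rule] for rule, name in hits.items() if name)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        payload = f.read()
    results = {rule: scan(path, payload) for rule, path in CLAMD_SOCKETS.items()}
    print(results, "added SA score:", sa_score(results))
```

A macro-bearing document should show a hit only on CLAMAV_JNK (6.0, below the 8.0 reject line), while real malware hits both (15.9) and is rejected.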