[clamav-users] Encrypted Word doc/phishing attack

Alex mysqlstudent at gmail.com
Wed Oct 5 14:37:18 EDT 2016


Hi,

>>> [root at mail-gw:/etc/clamd.d]$ cat scan.conf | grep OLE2BlockMacros
>>> OLE2BlockMacros no
>>>
>>> [root at mail-gw:/etc/clamd.d]$ cat scan-sa.conf | grep OLE2BlockMacros
>>> OLE2BlockMacros yes
>>
>>
>> Reindl, I appreciate your input, but I can't just outright reject docs
>> with macros. We're also talking about password-protected Word
>> documents here, not macro documents
>
> guess why i fixed the clamav-plugin for spamassassin and there are *two*
> instances like you can see above...
>
> reject is above 8.0 and the rest is done by bayes to avoid FP and other
> rules to make sure it's crap

Can you explain how you configured systemd to start two instances of
the same clamd binary using different config files?

Thanks,
Alex

>
> [root at mail-gw:/etc/mail/spamassassin]$ cat clamav.cf
> ifplugin Mail::SpamAssassin::Plugin::ClamAV
>  full      CLAMAV_JNK  eval:check_clamav('/run/clamd/clamd-sa.sock')
>  describe  CLAMAV_JNK  ClamAV detected malware/phishing/junk
>  priority  CLAMAV_JNK  800
>  score     CLAMAV_JNK  6.0
>
>  full      CLAMAV_MLW  eval:check_clamav('/run/clamd/clamd.sock')
>  describe  CLAMAV_MLW  ClamAV detected malware/phishing
>  priority  CLAMAV_MLW  800
>  score     CLAMAV_MLW  9.9
> endif
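The two-instance setup quoted above, as an added example that is not from the thread: a POSIX shell helper that derives the SpamAssassin-facing scan-sa.conf from the primary scan.conf, changing only the socket, pid and log paths plus OLE2BlockMacros, so the two clamd processes stay identical otherwise. It assumes an EPEL-style clamd@.service template that starts `clamd -c /etc/clamd.d/<instance>.conf`; that unit name and path are an assumption, since the thread does not show the unit file.

```shell
#!/bin/sh
# Added example, not from the thread: build the SpamAssassin-facing clamd
# config (scan-sa.conf) from the primary scan.conf so the two instances differ
# only in socket/pid/log paths and in OLE2BlockMacros.
# Assumption: an EPEL-style clamd@.service template that starts
# "clamd -c /etc/clamd.d/<instance>.conf", so a second instance only needs a
# second config file; the thread does not show the unit file.
set -eu

# Read a clamd config on stdin, write the "-sa" variant on stdout.
# Commented-out defaults (#OLE2BlockMacros ...) are replaced too, and the
# macro-blocking directive is appended if the input never mentions it.
derive_sa_conf() {
    awk '
        /^#?LocalSocket /     { print "LocalSocket /run/clamd/clamd-sa.sock"; next }
        /^#?PidFile /         { print "PidFile /run/clamd/clamd-sa.pid"; next }
        /^#?LogFile /         { print "LogFile /var/log/clamd.scan-sa"; next }
        /^#?OLE2BlockMacros / { print "OLE2BlockMacros yes"; seen = 1; next }
        { print }
        END { if (!seen) print "OLE2BlockMacros yes" }
    '
}

# Constructed sample of a primary scan.conf (matches the quoted setting).
SAMPLE_SCAN_CONF='LogFile /var/log/clamd.scan
PidFile /run/clamd/clamd.pid
LocalSocket /run/clamd/clamd.sock
OLE2BlockMacros no
MaxScanSize 100M'

# Show the derived config without touching the system.
printf '%s\n' "$SAMPLE_SCAN_CONF" | derive_sa_conf

# On the gateway (as root), the same helper produces the real file, and the
# template unit is instantiated once per config name (assumed unit name):
#   derive_sa_conf < /etc/clamd.d/scan.conf > /etc/clamd.d/scan-sa.conf
#   systemctl enable --now clamd@scan clamd@scan-sa
```

The resulting scan-sa.conf listens on /run/clamd/clamd-sa.sock, which is the socket the CLAMAV_JNK rule above points at, while the primary instance keeps /run/clamd/clamd.sock for CLAMAV_MLW.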