[clamav-users] CryLocker and Cryptolocker

Alex mysqlstudent at gmail.com
Wed Sep 14 11:47:50 EDT 2016


>> What's being done about blocking attacks from the new crylocker and
>> the various types of cryptolocker?

> all that crap needs to make it somehow to the victims machine
> http://sanesecurity.com/foxhole-databases/

Yes, I'm using all the third-party sigs, including sanesecurity, but
they are still getting through.

I was also curious about the specific signatures that exist to catch
these, so I can watch for them in my logs.

> use all of them and score any attachment with macros high combined with
> bayes training if you can't reject it at all with a milter instance
> [root at mail-gw:/etc/clamd.d]$ cat scan.conf | grep -i ole
> ScanOLE2 yes
> OLE2BlockMacros no
> [root at mail-gw:/etc/clamd.d]$ cat scan-sa.conf | grep -i ole
> ScanOLE2 yes
> OLE2BlockMacros yes

The problem with setting OLE2BlockMacros to yes is that if you don't
implement your own signatures against macro code, setting
OLE2BlockMacros Yes effectively causes Heuristics.OLE2.ContainsMacros
to be returned and disables all official and unofficial signatures.
If OLE2BlockMacros is Yes then the only option is to treat every file
with macros as a virus and e.g. discard it if you want to block the files
that do contain a macro virus, as outlined by David Shrimpton on this
list a few weeks ago.

Unless that was your intent? Are you disabling the blocking of these
viruses by scoring emails with macro attachments so high that they're
quarantined? This doesn't appear to be what you're explaining,
however, because you're advocating sanesecurity.

Does anyone think it's reasonable/acceptable to block all macros in
any sizable organization?

This is an ongoing issue for us, while other systems with F-Secure
appear to be blocking them all.

*disclaimer* I know clamav isn't responsible for blocking, only marking.
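Added example, not part of the original post: a small Python script that tallies FOUND lines in a clamd log by signature name and flags the situation the post describes, where only the generic Heuristics.OLE2.ContainsMacros heuristic fires and no named official or third-party signature is seen. The log line shape (`<date> -> <path>: <signature> FOUND`) and the sample signature names are assumptions; the log lines are constructed.

```python
"""Tally ClamAV detections per signature from clamd log lines and flag
when only the generic OLE2 macro heuristic is firing."""
import re
from collections import Counter

# Assumed clamd.log line shape (not taken from the original post):
#   "<date> -> <path>: <signature> FOUND"
LOG_RE = re.compile(r"^(?P<ts>.+?) -> (?P<path>.+?): (?P<sig>\S+) FOUND$")

MACRO_HEURISTIC = "Heuristics.OLE2.ContainsMacros"


def parse_detections(lines):
    """Return a Counter mapping signature name -> number of FOUND lines."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            hits[m.group("sig")] += 1
    return hits


def classify(sig):
    """Bucket a signature: built-in heuristic, third-party (.UNOFFICIAL) or official."""
    if sig.startswith("Heuristics."):
        return "heuristic"
    if sig.endswith(".UNOFFICIAL"):
        return "unofficial"
    return "official"


def summarize(lines):
    hits = parse_detections(lines)
    by_class = Counter()
    for sig, n in hits.items():
        by_class[classify(sig)] += n
    # Macro heuristic hits with no named signature at all is the pattern the
    # post describes for OLE2BlockMacros yes: the specific sigs never show up.
    named = by_class["official"] + by_class["unofficial"]
    masked = hits.get(MACRO_HEURISTIC, 0) > 0 and named == 0
    return {"signatures": hits, "by_class": by_class, "heuristic_masking_likely": masked}


# Constructed sample log lines; paths and signature names are placeholders.
SAMPLE_LOG = [
    "Wed Sep 14 11:40:01 2016 -> /var/spool/amavis/tmp/a.doc: Sanesecurity.Foxhole.Example_macro.UNOFFICIAL FOUND",
    "Wed Sep 14 11:41:12 2016 -> /var/spool/amavis/tmp/b.xls: Heuristics.OLE2.ContainsMacros FOUND",
    "Wed Sep 14 11:42:33 2016 -> /var/spool/amavis/tmp/c.doc: Heuristics.OLE2.ContainsMacros FOUND",
    "Wed Sep 14 11:43:05 2016 -> /var/spool/amavis/tmp/d.zip: OK",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```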
