[clamav-users] CryLocker and Cryptolocker

Reindl Harald h.reindl at thelounge.net
Thu Sep 15 04:14:21 EDT 2016



On 15.09.2016 at 10:12, Matus UHLAR - fantomas wrote:
>> On 14.09.2016 at 17:47, Alex wrote:
>>> The problem with setting OLE2BlockMacros to yes is that if you don't
>>> implement your own signatures against macro code, setting
>>> OLE2BlockMacros Yes effectively causes Heuristics.OLE2.ContainsMacros
>>> to be returned and disables all official and unofficial signatures.
>>> If OLE2BlockMacros is Yes then the only option is to treat every file
>>> with macros as a virus and eg discard if you want to block the files
>>> that do contain a macro virus, as outlined by David Shrimpton on this
>>> list a few weeks ago
>
> On 15.09.16 00:51, Reindl Harald wrote:
>> which is the whole point
>>
>> it's impossible to get them all caught with signatures because they
>> change all the time and so if you want to be sure you need to treat
>> every office macro as bad - they don't belong into emails these days
>>
>> frankly i have seen companies blocking every .doc and .xls attachment
>> with a reject info that you should use .docx and .xlsx because they
>> can't contain macros (would be .docm for the new formats)
>
> .docm is docx with macros, so they would want to block them too :-)

did i say anything else?

i just pointed out that people even start to block FILETYPES which 
*could* contain macros
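
The filetype policy discussed in this thread, sketched as an added example that is not part of the original message and not ClamAV code: it classifies an attachment by content rather than by extension, so a macro-enabled file renamed to .docx is still caught. The function names, the `reject`/`scan` verdicts and the sample bytes are assumptions constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file header (.doc, .xls, ...)
ZIP_MAGIC = b"PK\x03\x04"

def classify_attachment(data: bytes) -> str:
    """Classify by content: 'ole2', 'ooxml-macro', 'ooxml' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if not data.startswith(ZIP_MAGIC):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "other"  # truncated or fake ZIP: leave it to the normal scan
    if "[content_types].xml" not in names:
        return "other"  # a plain ZIP, not an Office document
    # Macro-enabled OOXML files carry the VBA project as a vbaProject.bin part.
    if any(n.rsplit("/", 1)[-1] == "vbaproject.bin" for n in names):
        return "ooxml-macro"
    return "ooxml"

def verdict(data: bytes, block_all_ole2: bool = True) -> str:
    """Assumed gateway policy: 'reject' or 'scan' (hand over to the AV scan)."""
    kind = classify_attachment(data)
    if kind == "ooxml-macro" or (kind == "ole2" and block_all_ole2):
        return "reject"
    return "scan"

def make_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: minimal ZIP laid out like a .docx/.docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

SAMPLE_OLE2 = OLE2_MAGIC + b"\x00" * 504  # constructed: header bytes only

if __name__ == "__main__":
    for label, blob in [("legacy .doc", SAMPLE_OLE2),
                        ("macro file named .docx", make_sample_ooxml(True)),
                        ("clean .docx", make_sample_ooxml(False))]:
        print(f"{label}: {classify_attachment(blob)} -> {verdict(blob)}")
```

The OLE2 header also matches other compound files such as .msg and .msi, so blocking on it is broader than blocking macros, which is the trade-off the thread describes.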


