Sorry! This was my fault. As I wrote:
The testmail was cleaned by PC antivirus program.
But I didn't notice (the filesize was the same as before). The Word
macro was a virus, which was not recognized by antivirus program at the
beginning.
Later I had performed a test with Outlook and IMAP and the antivirus
program cleaned the mail in the imap folder of one server. But the file
was still attached to the mail and seemed not to be changed; the macros
were deactivated anyway. So only mails from the other server
actually contained macros.
Today I tested with another file with macros and all mails were
blocked from both servers. Sorry again for this confusion.
2017-02-27 16:48, wrote Dino Edwards:
Do you have amavis policy setup that may specify virus_lover set to Y
set on the server that accepts the macro enabled document by any
chance?
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Monday, February 27, 2017 4:09 AM
To: Dino Edwards <[email protected]>
Cc: [email protected]; amavis-users
<[email protected]>
Subject: Re: Quarantine doc Files only with Macros?
The testmail was cleaned by PC antivirus program. Therefore this
strange behavior. No I tested with another file and mail was blocked
every time.
Kind Regards
Thomas
On 2017-02-25 20:35, [email protected] wrote:
There is no difference in $final_virus_destiny ( = D_DISCARD;) and
other settings concerning virus.
I guess something with whitelisting or bypassing local mail senders.
-----Original Message-----
2017-02-24 17:39, wrote Dino Edwards:
Strange indeed. Just spitballing here, is the $final_virus_destiny
in amavis on both servers set the same? Do you have amavis policies
set on the servers?
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, February 24, 2017 11:30 AM
To: Dino Edwards <[email protected]>
Cc: [email protected]; amavis-users
<[email protected]>
Subject: Re: Quarantine doc Files only with Macros?
You are right, we have two different linux servers with mailservers
and they are both set in the clamav config files like below but one
of them is blocking outbound OLE2 macro files and the other one only
blocks incoming OLE2 macro files?
Services clamav-daemon and amavis were restarted.
-----Original Message----- from Dino Edwards:
Did you restart clamav? So you have two mailservers and they are
both set in the clamav config files like below but one of them is
blocking outbound OLE2 macro files and the other one only blocks
incoming OLE2 macro files? Am I understanding this correctly?
-----Original Message-----
From: [email protected] [mailto:[email protected]]
Sent: Friday, February 24, 2017 11:04 AM
To: Dino Edwards <[email protected]>
Cc: [email protected]; amavis-users
<[email protected]>
Subject: Re: Quarantine doc Files only with Macros?
Both are set. I had to restart service amavis-daemon I think. But now
at one of two mailservers there is only outgoing mail blocked and at
the other only incoming mail.
Strange!
On 2017-02-24 11:04, Dino Edwards wrote:
I believe both of these have to be set to true in order for that to
work
ScanOLE2 true
OLE2BlockMacros true
-----Original Message-----
From: amavis-users [mailto:[email protected]] On Behalf Of [email protected]
Sent: Friday, February 24, 2017 2:08 AM
To: [email protected]
Subject: Re: Quarantine doc Files only with Macros?
I turned on "OLE2BlockMacros true", but a word file containing a
macro virus was not classified as "INFECTED". I had renamed the
file before sending a test mail.
Any ideas what I could do to get all files with macros to be
quarantined?
Kind regards
Thomas
-----Original Message-----
From: amavis-users
[mailto:amavis-users-bounces+dino.edwards=mydirectmail.net@amavis.org]
On Behalf Of Hoyer-Reuther, Christian
Christian.Hoyer-Reuther at cac-chem.de wrote
Sent: Wednesday, December 14, 2016 11:42 AM
To: amavis-users at amavis.org
Subject: Quarantine doc Files only with Macros?
Hello Klaus,
if you use ClamAV, then you can set its option "OLE2BlockMacros
true".
This detects MS Office Macros regardless of the file extension. If a
macro is found, then the file is classified as a virus ("INFECTED:
Heuristics.OLE2.ContainsMacros").
Regards,
Christian
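
Added example, not part of the original thread and not code from ClamAV or amavis: the thread's two servers behaved differently although both were said to carry the same settings, so this sketch parses each server's clamd.conf text and reports where the effective ScanOLE2 / OLE2BlockMacros values differ. The server names mx1 and mx2, the sample configs and the defaults used for an absent option (ScanOLE2 on, OLE2BlockMacros off) are assumptions.

```python
# Added example: compare the effective OLE2 macro settings of several clamd.conf files.
# Assumptions: option names are matched exactly as written in the thread; when an
# option is absent, ScanOLE2 is treated as on and OLE2BlockMacros as off; a later
# duplicate line overrides an earlier one.
DEFAULTS = {"ScanOLE2": True, "OLE2BlockMacros": False}
BOOL = {"yes": True, "true": True, "1": True, "no": False, "false": False, "0": False}


def effective_options(conf_text):
    """Return the effective value of the two OLE2 options in one clamd.conf."""
    opts = dict(DEFAULTS)
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank or commented-out line
            continue
        parts = line.split(None, 1)
        if parts[0] not in opts:
            continue
        value = parts[1].strip().lower() if len(parts) == 2 else ""
        if value not in BOOL:
            raise ValueError(f"line {lineno}: bad boolean for {parts[0]}: {value!r}")
        opts[parts[0]] = BOOL[value]
    return opts


def macros_blocked(conf_text):
    """Macro files are flagged only when both options are effectively on."""
    opts = effective_options(conf_text)
    return opts["ScanOLE2"] and opts["OLE2BlockMacros"]


def differing_options(configs):
    """configs: {server: conf_text}. Return {option: {server: value}} where servers disagree."""
    per_server = {name: effective_options(text) for name, text in configs.items()}
    diff = {}
    for opt in DEFAULTS:
        values = {name: o[opt] for name, o in per_server.items()}
        if len(set(values.values())) > 1:
            diff[opt] = values
    return diff


# Constructed sample configs (hypothetical servers mx1 and mx2).
SAMPLE = {
    "mx1": "LocalSocket /var/run/clamav/clamd.ctl\nScanOLE2 true\nOLE2BlockMacros true\n",
    "mx2": "LocalSocket /var/run/clamav/clamd.ctl\nScanOLE2 true\n#OLE2BlockMacros true\n",
}

if __name__ == "__main__":
    for server, text in SAMPLE.items():
        print(server, "blocks macros:", macros_blocked(text))
    print("differences:", differing_options(SAMPLE))
```

A commented-out line, as in the mx2 sample, leaves the option at its default, which is why a config that looks the same at a glance can still behave differently.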