I guess a bigger question is, is there a legitimate reason to allow your users to receive macro-enabled Word docs? As far as encrypted Word docs or PDFs or such, you can always mark encrypted archives as viruses and effectively block them. Anything encrypted like that is obviously trying to hide the content, because it's either malicious or it's trying to encrypt sensitive information. If it's legitimate, a proper encrypted email solution would work much better.
Point is, I don't care what AV solution you are using, some of them are going to get through no matter what. Hackers are getting slicker by the day, their methods are getting better and better. The AV industry is always trying to play catch-up. Is that an acceptable risk to your organization? You need to take steps to block as much as possible and let AV be the very last resort. If you are counting on your AV to protect everything you are going to get screwed in the end. It's as simple as that. In my organization we have deployed Snort IDS, DLP to prevent leaks, AV on the endpoints and servers, we do SSL decryption to look at all the encrypted traffic, FireEye appliances to look for advanced malware on the network, another layer with Palo Alto WildFire and antivirus at the perimeter, AV/spam filter for e-mail, AV on the e-mail server, and after ALL that, things still manage to get in. It's a cat and mouse game. Nothing is ever perfect. You can always start blocking .doc files, since let's face it, nobody should be using those 13-year-old file formats and if they are, they need to stop. Most of that malware comes through as .doc or .rtf files.

-----Original Message-----
From: amavis-users [mailto:[email protected]] On Behalf Of Alex
Sent: Friday, April 14, 2017 3:03 PM
To: [email protected]
Subject: Re: Virus scanners with amavis and fedora

Hi,

On Fri, Apr 14, 2017 at 11:00 AM, Dino Edwards <[email protected]> wrote:
> I mean what specific issues are you having? Do you have Macro enabled
> encrypted word documents, encrypted PDFs? The reason I'm asking is
> because there MAY be things you can do already with Amavis and clamav to
> block a lot of those things.

Do you mean have I configured clamav to scan for these? Or do you mean simply have I received macro-enabled encrypted Word docs? Yes, I have received quite a few. I've also configured clamav for ScanOLE2. OLE2BlockMacros is disabled because it then doesn't scan them at all, only marks them as having macros.

Thanks,
Alex
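The blocking described above (refuse .doc/.rtf and macro-enabled Office attachments, treat encrypted archives as viruses) expressed as an amavisd.conf fragment. This is an added example, not configuration from the thread; it assumes a stock amavisd-new with ClamAV as the scanner, the option names are the real amavisd.conf and clamd.conf ones, and the regexes are my own.

```perl
# amavisd.conf fragment (example, not from the thread). Assumes a stock
# amavisd-new install using clamd as the virus scanner.

# $banned_filename_re is matched against the declared Content-Type, the
# attachment's file name and the name from Content-Disposition, so both
# extension and MIME-type rules are needed to catch renamed files.
$banned_filename_re = new_RE(
  # legacy binary Word formats and RTF, the carriers the post singles out
  qr'\.(doc|dot|rtf)$'i,
  # macro-enabled OOXML containers (Word, Excel, PowerPoint)
  qr'\.(docm|dotm|xlsm|xltm|pptm|potm)$'i,
  # same content when the file is renamed but the MIME type is kept
  qr'^application/(msword|rtf|vnd\.ms-word\.document\.macroenabled\.12)$'i,
  # stock amavis rule worth keeping: double extensions hiding executables
  qr'\.[^./]*[A-Za-z][^./]*\.(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)\.?$'i,
);

# Discard rather than bounce: bouncing banned mail to forged senders only
# creates backscatter. Quarantine it and tell the recipient instead.
$final_banned_destiny      = D_DISCARD;
$banned_quarantine_to      = 'banned-quarantine';
$warnbannedrecip           = 1;

# Encrypted archives: amavis cannot look inside them, so let ClamAV flag
# them. With "ArchiveBlockEncrypted yes" in clamd.conf (renamed
# "AlertEncrypted yes" in ClamAV 0.101+), clamd reports
# Heuristics.Encrypted.Zip / Heuristics.Encrypted.RAR as a detection and
# amavis then handles the message like any other infected mail.
$final_virus_destiny       = D_DISCARD;
$virus_quarantine_to       = 'virus-quarantine';

# Log at level 2 so the banned-name and Heuristics.Encrypted.* hits show
# up per message and legitimate senders can be whitelisted if needed.
$log_level = 2;
```

Review the quarantine for a week before trusting the rules: partner organizations that still mail .doc files will surface there first, and per-recipient exceptions can then be added with a policy bank rather than by weakening the global rule.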
