On 8/25/2016 4:20 PM, Dennis Peterson wrote:
On 8/25/16 1:10 PM, Bowie Bailey wrote:
On 8/25/2016 3:10 PM, Steve Basford wrote:
Try this:
1) Enable OLE2BlockMacros and restart clamd
2) Use clamdscan to test your sample message and note the results
3) Disable OLE2BlockMacros and restart clamd
4) Use clamdscan to test your sample message again and note these results


Something else...

In amavisd-new there are virus_name_to_spam_score_maps

For example:
http://sanesecurity.com/support/problems/

If the setting to block macros is enabled in ClamAV and is actually hitting,
it should hit with Heuristics.OLE2.ContainsMacros

But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
Heuristics.OLE2.ContainsMacros so, it might let the email through but
just mark it, instead of blocking it?

Eg...

#     [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],  # keep as infected

Does that change things?

I think the issue is that he wants to block recognized viruses, but only mark heuristic matches.

That would be a scoring task in Amavisd.

Right, but the issue is that files that should have been blocked as viruses were instead marked and allowed through with heuristic matches. A previous poster may have hit on the right answer. If he has enabled HeuristicScanPrecedence in clamd.conf, that would explain this behavior.

--
Bowie
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
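
The interaction discussed in this message, as an added Python example (not code from the thread, ClamAV or amavisd-new): it models a first-match lookup in the style of virus_name_to_spam_score_maps and shows how the verdict depends on which name clamd reports. The `^Heuristics\.` rule, the 0.1 score, the placeholder signature name and the "demote only if every name has a score, use the highest" rule are assumptions of this model.

```python
import re

# Perl's undef ("keep as infected") is modelled as None; first match wins.
# Assumed site rule: every Heuristics.* name only adds a spam score.
MARK_HEURISTICS = [(re.compile(r"^Heuristics\."), 0.1)]  # 0.1 is constructed
# Same table with the entry quoted in the thread placed ahead of it.
KEEP_MACROS_INFECTED = [
    (re.compile(r"^Heuristics\.OLE2\.ContainsMacros"), None),
] + MARK_HEURISTICS

# Constructed clamd replies standing in for the two outcomes discussed:
# the heuristic name reported first, or a regular signature name reported.
REPLY_HEURISTIC = "stream: Heuristics.OLE2.ContainsMacros FOUND"
REPLY_SIGNATURE = "stream: Example.Malware.Placeholder FOUND"  # made-up name


def parse_clamd_reply(line):
    """Return the detection name from '<target>: <name> FOUND', else None."""
    m = re.match(r"^.*: (?P<name>\S+) FOUND$", line.strip())
    return m.group("name") if m else None


def lookup(name, rules):
    """First matching rule decides; no match behaves like undef."""
    for pattern, score in rules:
        if pattern.search(name):
            return score
    return None


def verdict(reply_lines, rules):
    """Classify a scan result as clean, infected (blocked) or spam-scored.

    Assumption of this model: the message is demoted to a spam score only
    when every reported name maps to a score; the highest score is used.
    """
    names = [n for n in map(parse_clamd_reply, reply_lines) if n]
    if not names:
        return ("clean", 0.0)
    scores = [lookup(n, rules) for n in names]
    if any(s is None for s in scores):
        return ("infected", 0.0)
    return ("spam-scored", max(scores))


if __name__ == "__main__":
    for reply in (REPLY_HEURISTIC, REPLY_SIGNATURE):
        for label, rules in (("mark heuristics", MARK_HEURISTICS),
                             ("keep macros infected", KEEP_MACROS_INFECTED)):
            print(f"{reply!r:55} {label:22} -> {verdict([reply], rules)}")
```
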
