HeuristicScanPrecedence No is broken with OLE2BlockMacros Yes. It only applies to signatures being run against uncompressed macros.
If there is a hit on one of those signatures , that signature hit is returned and not Heuristics.OLE2.ContainsMacros. Otherwise Heuristics.OLE2.ContainsMacros is returned and no other signatures are tried. This disables all the official and unofficial signatures that are not written again uncompressed macros , which is effectively all of them. There are few or no official signatures for macro viruses. The official signatures are of little value in protecting against macro viruses. Commercial antivirus products are also of little value particularly against 'zero day' exploits. Submit every new macro virus file you identify to one of the web based A/V scanning services that use multiple vendors products , if you do not believe this. One well known vendor sometimes responds to a submissions of macro virus docs advising they are only interested in the downloaded malware not the doc that downloads it. Re unofficial sigs , there are few or no unofficial signatures written against uncompressed macros. These signatures are not targeting the code and obfuscations being used by virus writers. You may have more success writing your own signatures based on macro code seen in viruses. As the code is often re-used , signatures written against macro code may provide better 'zero day' protection than other signatures eg unofficial or official ones. I think the main usefulness of clamav is not as an off the shelf A/V product whether supplemented by unofficial signature or not , but as a tool for implementing your own A/V ideas. If you implement your own signatures you will also have control over the aggressiveness of those signatures with respect to false positive, which you will not have with official or unofficial signatures. Overly aggressive signatures might however make sharing signatures a dis-service. It is worthwhile exercise to decode some examples from any unofficial signature database before using it and form your own opinion about the likelyhood of false positive. As the unofficial and official signatures are written after new viruses arrive they are generally too late to be of use in 'zero day' attacks. If you don't implement your own signatures against macro code, setting OLE2BlockMacros Yes effectively causes Heuristics.OLE2.ContainsMacros to be returned and disables all official and unofficial signatures. If OLE2BlockMacros is Yes then the only option is to treat every file with macros as a virus and eg discard if you want to block the files that do contain a macro virus. It might be argued that files with macros should be treated similarly to any other executeables shipped in email from outside your organization and discarded if that is your policy. Note , clamav returns the first signature hit unless -z option is used. The OLE2 signatures are run before any other signatures so OLE2BlockMacros Yes , causes Heuristics.OLE2.ContainsMacros to be returned first and all other signatures that are not against uncompressed macros are ignored. You only get one signature back and that is the first one hit, which may be a 'soft' signature ie one you mightn't discard an email on, such as Heuristics.OLE2.ContainsMacros, even though 'hard' signatures official or unofficial might also have hit if they had been run later . One useful strategy may be to combine the Heuristics.OLE2.ContainsMacros with other information from an email and discard files containing macros that are probably viruses eg invoices and resumes. The Heuristics.OLE2.ContainsMacros hits are arguably more useful in identifying potential macro viruses than is turning OLE2BlockMacros off and using the unofficial and official signatures. Clamav -z option is also broken for OLE2BlockMacros Yes and HeuristicScanPrecedence No. Only signatures matching uncompressed macros and Heuristics.OLE2.ContainsMacros are returned. All other official and unofficial signatures are ignored so not all the signatures that would match are returned. This is a bug/limitation. Logically HeuristicScanPrecedence should be ignored with -z. If clamav -z returned all the matches you could implement a "quality of service" type scheme and parse all the returned signature hits including Heuristics.OLE2.ContainsMacros and prioritize the results eg discard if a 'real' virus or just add a warning if only Heuristics.OLE2.ContainsMacros was returned. Or you could treat unofficial hits with more caution eg add warning only and official hits more aggressively eg discard. But -z is broken with OLE2 ,so you must decide to use OLE2BlockMacros and not official/unofficial signatures or not use OLE2BlockMacros. -- David Shrimpton _______________________________________________ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
