Hi,

>> What's being done about blocking attacks from the new crylocker and
>> the various types of cryptolocker?
>
> all that crap needs to make it somehow to the victims machine
> http://sanesecurity.com/foxhole-databases/

Yes, I'm using all the third-party sigs, including sanesecurity, but they are still getting through. I was also curious about the specific signatures that exist to catch these, so I can watch for them in my logs.

> use all of them and score any attachment with macros high combined with
> bayes training if you can't reject it at all with a milter instance
>
> [root@mail-gw:/etc/clamd.d]$ cat scan.conf | grep -i ole
> ScanOLE2 yes
> OLE2BlockMacros no
>
> [root@mail-gw:/etc/clamd.d]$ cat scan-sa.conf | grep -i ole
> ScanOLE2 yes
> OLE2BlockMacros yes

The problem with setting OLE2BlockMacros to yes is that if you don't implement your own signatures against macro code, setting OLE2BlockMacros Yes effectively causes Heuristics.OLE2.ContainsMacros to be returned and disables all official and unofficial signatures. If OLE2BlockMacros is Yes then the only option is to treat every file with macros as a virus and e.g. discard it if you want to block the files that do contain a macro virus, as outlined by David Shrimpton on this list a few weeks ago.

Unless that was your intent? Are you disabling the blocking of these viruses by scoring emails with macro attachments so high that they're quarantined? This doesn't appear to be what you're explaining, however, because you're advocating sanesecurity.

Does anyone think it's reasonable/acceptable to block all macros in any sizable organization? This is an ongoing issue for us, while other systems with F-Secure appear to be blocking them all.

*disclaimer* I know clamav isn't responsible for blocking, only marking.

_______________________________________________
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
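The poster wants to watch the logs for which signatures are actually catching these, and notes that with OLE2BlockMacros set to yes every macro-bearing file comes back as Heuristics.OLE2.ContainsMacros rather than a named signature. The following is an added example, not code from the thread or from the ClamAV project: it parses clamd-style "path: signature FOUND" lines and buckets hits into official, unofficial (Sanesecurity/Foxhole, by the .UNOFFICIAL suffix) and the macro heuristic, so you can see how much of your detection volume is the blanket heuristic versus real signature matches. The log line shape and the sample lines are assumptions/constructed for the example.

```python
import re
from collections import Counter

# Assumed clamd/clamscan line shape: "[timestamp ->] <path>: <signature> FOUND"
FOUND_RE = re.compile(r'^(?:.*?->\s*)?(?P<path>.+?):\s+(?P<sig>\S+)\s+FOUND\s*$')

# Name ClamAV reports for any macro-bearing OLE2 file when OLE2BlockMacros is yes
MACRO_HEURISTIC = "Heuristics.OLE2.ContainsMacros"

def classify(sig):
    """Bucket a detection name by its origin: heuristic, third-party DB, or official."""
    if sig == MACRO_HEURISTIC:
        return "macro-heuristic"
    if sig.endswith(".UNOFFICIAL"):
        # Third-party databases (Sanesecurity, Foxhole, ...) carry this suffix;
        # the first dotted component names the database vendor/family
        return "unofficial:" + sig.split(".")[0]
    return "official"

def summarize(lines):
    """Return (counts per bucket, counts per signature) for an iterable of log lines."""
    buckets, sigs = Counter(), Counter()
    for line in lines:
        m = FOUND_RE.match(line.strip())
        if not m:
            continue          # clean-file lines ("OK") and unrelated log noise
        sig = m.group("sig")
        buckets[classify(sig)] += 1
        sigs[sig] += 1
    return buckets, sigs

# Constructed sample log excerpt (not a real capture); paths and names are made up
SAMPLE_LOG = """\
Tue Mar  8 09:12:01 2016 -> /var/spool/mail/tmp/invoice_2231.doc: Sanesecurity.Foxhole.Mail_doc.UNOFFICIAL FOUND
Tue Mar  8 09:12:40 2016 -> /var/spool/mail/tmp/scan_0042.docm: Heuristics.OLE2.ContainsMacros FOUND
Tue Mar  8 09:13:02 2016 -> /var/spool/mail/tmp/report.xls: Heuristics.OLE2.ContainsMacros FOUND
Tue Mar  8 09:13:55 2016 -> /var/spool/mail/tmp/order.zip: Win.Trojan.Sample-1 FOUND
Tue Mar  8 09:14:10 2016 -> /var/spool/mail/tmp/budget.xls: OK
"""

if __name__ == "__main__":
    buckets, sigs = summarize(SAMPLE_LOG.splitlines())
    for bucket, n in buckets.most_common():
        print(f"{n:4d}  {bucket}")
    print()
    for sig, n in sigs.most_common():
        print(f"{n:4d}  {sig}")
```

Run it over the real clamd log (or the milter's log) instead of SAMPLE_LOG; a high macro-heuristic count on the instance with OLE2BlockMacros yes and named Sanesecurity hits only on the other instance is exactly the masking effect described above.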
