Re: [clamav-users] Understanding OLE2BlockMacros
HeuristicScanPrecedence No is broken with OLE2BlockMacros Yes. It only applies to signatures being run against uncompressed macros. If there is a hit on one of those signatures , that signature hit is returned and not Heuristics.OLE2.ContainsMacros. Otherwise Heuristics.OLE2.ContainsMacros is returned and no other signatures are tried. This disables all the official and unofficial signatures that are not written again uncompressed macros , which is effectively all of them. There are few or no official signatures for macro viruses. The official signatures are of little value in protecting against macro viruses. Commercial antivirus products are also of little value particularly against 'zero day' exploits. Submit every new macro virus file you identify to one of the web based A/V scanning services that use multiple vendors products , if you do not believe this. One well known vendor sometimes responds to a submissions of macro virus docs advising they are only interested in the downloaded malware not the doc that downloads it. Re unofficial sigs , there are few or no unofficial signatures written against uncompressed macros. These signatures are not targeting the code and obfuscations being used by virus writers. You may have more success writing your own signatures based on macro code seen in viruses. As the code is often re-used , signatures written against macro code may provide better 'zero day' protection than other signatures eg unofficial or official ones. I think the main usefulness of clamav is not as an off the shelf A/V product whether supplemented by unofficial signature or not , but as a tool for implementing your own A/V ideas. If you implement your own signatures you will also have control over the aggressiveness of those signatures with respect to false positive, which you will not have with official or unofficial signatures. Overly aggressive signatures might however make sharing signatures a dis-service. It is worthwhile exercise to decode some examples from any unofficial signature database before using it and form your own opinion about the likelyhood of false positive. As the unofficial and official signatures are written after new viruses arrive they are generally too late to be of use in 'zero day' attacks. If you don't implement your own signatures against macro code, setting OLE2BlockMacros Yes effectively causes Heuristics.OLE2.ContainsMacros to be returned and disables all official and unofficial signatures. If OLE2BlockMacros is Yes then the only option is to treat every file with macros as a virus and eg discard if you want to block the files that do contain a macro virus. It might be argued that files with macros should be treated similarly to any other executeables shipped in email from outside your organization and discarded if that is your policy. Note , clamav returns the first signature hit unless -z option is used. The OLE2 signatures are run before any other signatures so OLE2BlockMacros Yes , causes Heuristics.OLE2.ContainsMacros to be returned first and all other signatures that are not against uncompressed macros are ignored. You only get one signature back and that is the first one hit, which may be a 'soft' signature ie one you mightn't discard an email on, such as Heuristics.OLE2.ContainsMacros, even though 'hard' signatures official or unofficial might also have hit if they had been run later . One useful strategy may be to combine the Heuristics.OLE2.ContainsMacros with other information from an email and discard files containing macros that are probably viruses eg invoices and resumes. The Heuristics.OLE2.ContainsMacros hits are arguably more useful in identifying potential macro viruses than is turning OLE2BlockMacros off and using the unofficial and official signatures. Clamav -z option is also broken for OLE2BlockMacros Yes and HeuristicScanPrecedence No. Only signatures matching uncompressed macros and Heuristics.OLE2.ContainsMacros are returned. All other official and unofficial signatures are ignored so not all the signatures that would match are returned. This is a bug/limitation. Logically HeuristicScanPrecedence should be ignored with -z. If clamav -z returned all the matches you could implement a "quality of service" type scheme and parse all the returned signature hits including Heuristics.OLE2.ContainsMacros and prioritize the results eg discard if a 'real' virus or just add a warning if only Heuristics.OLE2.ContainsMacros was returned. Or you could treat unofficial hits with more caution eg add warning only and official hits more aggressively eg discard. But -z is broken with OLE2 ,so you must decide to use OLE2BlockMacros and not official/unofficial signatures or not use OLE2BlockMacros. -- David Shrimpton ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
On 8/25/2016 7:06 PM, Alex wrote: Hi, Try this: 1) Enable OLE2BlockMacros and restart clamd 2) Use clamdscan to test your sample message and note the results 3) Disable OLE2BlockMacros and restart clamd 4) Use clamdscan to test your sample message again and note these results Very constructive help, thank you. Here are the results with a file that has a macro virus: OLE2BlockMacros yes [root@juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc /var/tmp/inv_5236420.doc: Heuristics.OLE2.ContainsMacros FOUND --- SCAN SUMMARY --- Infected files: 1 Time: 0.028 sec (0 m 0 s) OLE2BlockMacros no [root@juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc /var/tmp/inv_5236420.doc: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL FOUND --- SCAN SUMMARY --- Infected files: 1 Time: 0.272 sec (0 m 0 s) This is with HeuristicScanPrecedence set to the default No, but it appears to take precedence anyway, as the scan with OLE2BlockMacros set to Yes only reports that macros were found, not that a virus was found. I'm wondering if the unofficial signatures are being given a lower precedence than the official rules. Possibly the HeuristicScanPrecedence setting is setting heuristics at a lower precedence than the official rules, but still higher than the unofficial ones. Can anyone who knows more about the internals of ClamAV comment on this? -- Bowie ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
Hi, >>> Try this: >>> 1) Enable OLE2BlockMacros and restart clamd >>> 2) Use clamdscan to test your sample message and note the results >>> 3) Disable OLE2BlockMacros and restart clamd >>> 4) Use clamdscan to test your sample message again and note these results Very constructive help, thank you. Here are the results with a file that has a macro virus: OLE2BlockMacros yes [root@juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc /var/tmp/inv_5236420.doc: Heuristics.OLE2.ContainsMacros FOUND --- SCAN SUMMARY --- Infected files: 1 Time: 0.028 sec (0 m 0 s) OLE2BlockMacros no [root@juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc /var/tmp/inv_5236420.doc: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL FOUND --- SCAN SUMMARY --- Infected files: 1 Time: 0.272 sec (0 m 0 s) This is with HeuristicScanPrecedence set to the default No, but it appears to take precedence anyway, as the scan with OLE2BlockMacros set to Yes only reports that macros were found, not that a virus was found. The motivation for me wanting to do this is because of the large number of macro viruses that are received before patterns are available to tag them as viruses, so they are getting through. I'd like this information to be available from within amavisd/spamassassin, so I can add points, and otherwise manipulate the file to make a decision on whether to forward it. >> For example: >> http://sanesecurity.com/support/problems/ >> >> If the setting to block macros is enable in ClamAV and is actually >> hitting, >> it should hit with Heuristics.OLE2.ContainsMacros >> >> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for >> Heuristics.OLE2.ContainsMacros so, it might let the email through but >> just mark it, instead of blocking it? >> >> Eg... >> >> # [ qr’^Heuristics\.OLE2\.ContainsMacros’ >> => undef ],# keep as infected >> >> Does that change things? No, it doesn't change things. I tried commenting it all out then redoing the OLE2BlockMacros tests. I have previously added the following to my amavisd.conf: @virus_name_to_spam_score_maps = (new_RE( # the order matters, first match wins [ qr'^Heuristics.OLE2.ContainsMacros'=> 0.1 ], )); I've also created several spamassassin rules that work off of that, but in conjunction with the clamav settings, it was causing even the attachments with macro viruses to be forwarded on. Thanks, Alex ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
Am 25.08.2016 um 20:39 schrieb Alex: Maybe I should have stated my question more simply: What is the purpose of the OLE2BlockMacros option? What happens when it's set to "Yes"? every message with a attachment containing macros hit clamd What happens when it's set to "No"? every message with a attachments containing macros don't hit clamd as long it don't hit a specfic signature what's that difficult to understand? signature.asc Description: OpenPGP digital signature ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
On Thu, August 25, 2016 9:20 pm, Dennis Peterson wrote: >> I think the issue is that he wants to block recognized viruses, but >> only mark heuristic matches. >> > That would be a scoring task in Amavisd. > Maybe... # [ qr’^’^Heuristics\.OLE2\.ContainsMacros’ => 0.1 ], So, allocate a score and deliver use HeuristicScanPrecedence as indicated in earlier post Cheers, Steve Web : sanesecurity.com Twitter: @sanesecurity ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
On 8/25/2016 4:20 PM, Dennis Peterson wrote: On 8/25/16 1:10 PM, Bowie Bailey wrote: On 8/25/2016 3:10 PM, Steve Basford wrote: Try this: 1) Enable OLE2BlockMacros and restart clamd 2) Use clamdscan to test your sample message and note the results 3) Disable OLE2BlockMacros and restart clamd 4) Use clamdscan to test your sample message again and note these results Something else... In amavisd-new there are virus_name_to_spam_score_maps For example: http://sanesecurity.com/support/problems/ If the setting to block macros is enable in ClamAV and is actually hitting, it should hit with Heuristics.OLE2.ContainsMacros But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for Heuristics.OLE2.ContainsMacros so, it might let the email through but just mark it, instead of blocking it? Eg... # [ qr’^Heuristics\.OLE2\.ContainsMacros’ => undef ],# keep as infected Does that change things? I think the issue is that he wants to block recognized viruses, but only mark heuristic matches. That would be a scoring task in Amavisd. Right, but the issue is that files that should have been blocked as viruses were instead marked and allowed through with heuristic matches. A previous poster may have hit on the right answer. If he has enabled HeuristicScanPrecedence in clamd.conf, that would explain this behavior. -- Bowie ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
On 8/25/16 1:10 PM, Bowie Bailey wrote: On 8/25/2016 3:10 PM, Steve Basford wrote: Try this: 1) Enable OLE2BlockMacros and restart clamd 2) Use clamdscan to test your sample message and note the results 3) Disable OLE2BlockMacros and restart clamd 4) Use clamdscan to test your sample message again and note these results Something else... In amavisd-new there are virus_name_to_spam_score_maps For example: http://sanesecurity.com/support/problems/ If the setting to block macros is enable in ClamAV and is actually hitting, it should hit with Heuristics.OLE2.ContainsMacros But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for Heuristics.OLE2.ContainsMacros so, it might let the email through but just mark it, instead of blocking it? Eg... # [ qr’^Heuristics\.OLE2\.ContainsMacros’ => undef ],# keep as infected Does that change things? I think the issue is that he wants to block recognized viruses, but only mark heuristic matches. That would be a scoring task in Amavisd. dp ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
On 8/25/2016 3:10 PM, Steve Basford wrote: Try this: 1) Enable OLE2BlockMacros and restart clamd 2) Use clamdscan to test your sample message and note the results 3) Disable OLE2BlockMacros and restart clamd 4) Use clamdscan to test your sample message again and note these results Something else... In amavisd-new there are virus_name_to_spam_score_maps For example: http://sanesecurity.com/support/problems/ If the setting to block macros is enable in ClamAV and is actually hitting, it should hit with Heuristics.OLE2.ContainsMacros But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for Heuristics.OLE2.ContainsMacros so, it might let the email through but just mark it, instead of blocking it? Eg... # [ qr’^Heuristics\.OLE2\.ContainsMacros’ => undef ],# keep as infected Does that change things? I think the issue is that he wants to block recognized viruses, but only mark heuristic matches. -- Bowie ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
> > Try this: > 1) Enable OLE2BlockMacros and restart clamd > 2) Use clamdscan to test your sample message and note the results > 3) Disable OLE2BlockMacros and restart clamd > 4) Use clamdscan to test your sample message again and note these results > > Something else... In amavisd-new there are virus_name_to_spam_score_maps For example: http://sanesecurity.com/support/problems/ If the setting to block macros is enable in ClamAV and is actually hitting, it should hit with Heuristics.OLE2.ContainsMacros But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for Heuristics.OLE2.ContainsMacros so, it might let the email through but just mark it, instead of blocking it? Eg... # [ qr’^Heuristics\.OLE2\.ContainsMacros’ => undef ],# keep as infected Does that change things? Cheers, Steve Web : sanesecurity.com Twitter: @sanesecurity ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
On 8/25/2016 2:39 PM, Alex wrote: Hi, When this option is set to Yes, the emails are tagged, but even emails with macro virus attachments are forwarded on, not blocked problem is that you don't understand your mailsystem, clamd itself only hives back with signatures are hit and then the glue (amavis oder clamav-milter or something like that) makes decisions what happens with the message No, I understand my mail system. You are assuming I don't understand the mail system because it's easy for you to answer in that way rather than look at the whole context of the post. I never said that I expected clamav to actually block the viruses itself. Of course I understand amavisd is responsible for that. In case there was some confusion before, let it be known I understand clamav is not responsible for the destiny of the email. I'm talking about the clamav option OLE2BlockMacros option. This is a clamav option, not an amavis option. Maybe I should have stated my question more simply: What is the purpose of the OLE2BlockMacros option? What happens when it's set to "Yes"? What happens when it's set to "No"? What seems to be missing from this discussion is any kind of concrete troubleshooting. You say that when you enable OLE2BlockMacros that messages that should have been blocked by a third party signature are allowed through. Do you have one of those messages saved that you can test with? Try this: 1) Enable OLE2BlockMacros and restart clamd 2) Use clamdscan to test your sample message and note the results 3) Disable OLE2BlockMacros and restart clamd 4) Use clamdscan to test your sample message again and note these results This will show you the difference in the results with OLE2BlockMacros enabled vs disabled and may help in determining the problem. -- Bowie ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
In the source code for clamd this is found:
if(optget(opts, "ScanOLE2")->enabled) {
logg("OLE2 support enabled.\n");
options |= CL_SCAN_OLE2;
if(optget(opts, "OLE2BlockMacros")->enabled) {
logg("OLE2: Blocking all VBA macros.\n");
options |= CL_SCAN_BLOCKMACROS;
}
} else {
logg("OLE2 support disabled.\n");
}
It would appear the option, of set, returns a positive hit for any VBA macro.
This action also requires ScanOLE2 option be enabled (which is the default).
dp
On 8/25/16 11:39 AM, Alex wrote:
Hi,
When this option is set to Yes, the
emails are tagged, but even emails with macro virus attachments are
forwarded on, not blocked
problem is that you don't understand your mailsystem, clamd itself only
hives back with signatures are hit and then the glue (amavis oder
clamav-milter or something like that) makes decisions what happens with the
message
No, I understand my mail system. You are assuming I don't understand
the mail system because it's easy for you to answer in that way rather
than look at the whole context of the post. I never said that I
expected clamav to actually block the viruses itself. Of course I
understand amavisd is responsible for that. In case there was some
confusion before, let it be known I understand clamav is not
responsible for the destiny of the email.
I'm talking about the clamav option OLE2BlockMacros option. This is a
clamav option, not an amavis option.
Maybe I should have stated my question more simply:
What is the purpose of the OLE2BlockMacros option? What happens when
it's set to "Yes"? What happens when it's set to "No"?
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
On 8/25/2016 1:39 PM, Alex wrote: > Hi, > >>> When this option is set to Yes, the >>> emails are tagged, but even emails with macro virus attachments are >>> forwarded on, not blocked >> >> problem is that you don't understand your mailsystem, clamd itself only >> hives back with signatures are hit and then the glue (amavis oder >> clamav-milter or something like that) makes decisions what happens with the >> message > > No, I understand my mail system. You are assuming I don't understand > the mail system because it's easy for you to answer in that way rather > than look at the whole context of the post. I never said that I > expected clamav to actually block the viruses itself. Of course I > understand amavisd is responsible for that. In case there was some > confusion before, let it be known I understand clamav is not > responsible for the destiny of the email. > > I'm talking about the clamav option OLE2BlockMacros option. This is a > clamav option, not an amavis option. > > Maybe I should have stated my question more simply: > > What is the purpose of the OLE2BlockMacros option? What happens when > it's set to "Yes"? What happens when it's set to "No"? > ___ > Help us build a comprehensive ClamAV guide: > https://github.com/vrtadmin/clamav-faq > > http://www.clamav.net/contact.html#ml > Perhaps you missed this setting: # Allow heuristic match to take precedence. # When enabled, if a heuristic scan (such as phishingScan) detects # a possible virus/phish it will stop scan immediately. Recommended, saves CPU # scan-time. # When disabled, virus/phish detected by heuristic scans will be reported only at # the end of a scan. If an archive contains both a heuristically detected # virus/phish, and a real malware, the real malware will be reported # # Keep this disabled if you intend to handle "*.Heuristics.*" viruses # differently from "real" malware. # If a non-heuristically-detected virus (signature-based) is found first, # the scan is interrupted immediately, regardless of this config option. # # Default: no #HeuristicScanPrecedence yes ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
Hi, >> When this option is set to Yes, the >> emails are tagged, but even emails with macro virus attachments are >> forwarded on, not blocked > > problem is that you don't understand your mailsystem, clamd itself only > hives back with signatures are hit and then the glue (amavis oder > clamav-milter or something like that) makes decisions what happens with the > message No, I understand my mail system. You are assuming I don't understand the mail system because it's easy for you to answer in that way rather than look at the whole context of the post. I never said that I expected clamav to actually block the viruses itself. Of course I understand amavisd is responsible for that. In case there was some confusion before, let it be known I understand clamav is not responsible for the destiny of the email. I'm talking about the clamav option OLE2BlockMacros option. This is a clamav option, not an amavis option. Maybe I should have stated my question more simply: What is the purpose of the OLE2BlockMacros option? What happens when it's set to "Yes"? What happens when it's set to "No"? ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
Am 24.08.2016 um 21:37 schrieb Alex: It appears that using OLE2BlockMacros causes attachments with macros, viruses or not, to just be marked by amavis with the Heuristics.OLE2.ContainsMacros. However, when it's set it no longer blocks them but forwards them on. Is this the intended behavior? "Heuristics.OLE2.ContainsMacros" does excatly what th eoption says - it hits on attachments which contain *any* macro Is there no way to configure it to mark emails with macro attachments and block the ones with macro attachments with viruses? known viruses are hit by signatures and so on - the whole purpose of Heuristics is to hit one *unknown* incarnations I don't believe that's true we are far away from believing here When this option is set to Yes, the emails are tagged, but even emails with macro virus attachments are forwarded on, not blocked problem is that you don't understand your mailsystem, clamd itself only hives back with signatures are hit and then the glue (amavis oder clamav-milter or something like that) makes decisions what happens with the message this is NOT a clamav topic again: this is a amavis topic For example, yesterday there were hundreds of the Sanesecurity.Badmacro.Doc.valloc virus received. The system with OLE2BlockMacros enabled forwarded these on to the user, then fix your system which is *using* clamav on my spamassassin setup they hit clamd (one of 2 instances with different signatures and settings) and hence get 6.0 points - period signature.asc Description: OpenPGP digital signature ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
ClamAV has no part in tagging, forwarding, or deleting. It simply tells the calling process what the result of the scan was. It is left to the calling process to deal with it per local policy. dp On 8/24/16 12:37 PM, Alex wrote: Hi, It appears that using OLE2BlockMacros causes attachments with macros, viruses or not, to just be marked by amavis with the Heuristics.OLE2.ContainsMacros. However, when it's set it no longer blocks them but forwards them on. Is this the intended behavior? "Heuristics.OLE2.ContainsMacros" does excatly what th eoption says - it hits on attachments which contain *any* macro Is there no way to configure it to mark emails with macro attachments and block the ones with macro attachments with viruses? known viruses are hit by signatures and so on - the whole purpose of Heuristics is to hit one *unknown* incarnations I don't believe that's true. When this option is set to Yes, the emails are tagged, but even emails with macro virus attachments are forwarded on, not blocked. For example, yesterday there were hundreds of the Sanesecurity.Badmacro.Doc.valloc virus received. The system with OLE2BlockMacros enabled forwarded these on to the user, bypassing the scanning entirely. The systems with OLE2BlockMacros disabled caught every one of the valloc viruses and prevented them from being forwarded on to the users. I have the following setting in amavis: @virus_name_to_spam_score_maps = (new_RE( # the order matters, first match wins [ qr'^Heuristics.OLE2.ContainsMacros'=> 1.1 ], )); However, I expect that this is for emails which have macro attachments, and like you say, unknown whether they are viruses. I would never expect an email with a virus attachment to be forwarded on unless I'm explicitly requesting that. Please don't send me to the amavis list - there must be someone who uses both clamav and amavis that understands what's happening here. ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
Alex wrote: > Please don't send me to the amavis list - there must be someone who > uses both clamav and amavis that understands what's happening here. Much like SpamAssassin, Clamav in and of itself can only say "Matched signature " or "Triggered heuristic test ", or "Didn't match anything". It's up to whatever is calling Clam to decide what to do with that result. Many common integration methods for both are simple enough that they don't have any way of postprocessing the result from SA or Clam (and therefore treat those results as go/no-go flags), but AFAIK amavis should be able to give you more flexibility - something best asked about on the amavis users list. -kgd ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
Hi, >> It appears that using OLE2BlockMacros causes attachments with macros, >> viruses or not, to just be marked by amavis with the >> Heuristics.OLE2.ContainsMacros. However, when it's set it no longer >> blocks them but forwards them on. >> >> Is this the intended behavior? > > "Heuristics.OLE2.ContainsMacros" does excatly what th eoption says - it hits > on attachments which contain *any* macro > >> Is there no way to configure it to mark emails with macro attachments >> and block the ones with macro attachments with viruses? > > known viruses are hit by signatures and so on - the whole purpose of > Heuristics is to hit one *unknown* incarnations I don't believe that's true. When this option is set to Yes, the emails are tagged, but even emails with macro virus attachments are forwarded on, not blocked. For example, yesterday there were hundreds of the Sanesecurity.Badmacro.Doc.valloc virus received. The system with OLE2BlockMacros enabled forwarded these on to the user, bypassing the scanning entirely. The systems with OLE2BlockMacros disabled caught every one of the valloc viruses and prevented them from being forwarded on to the users. I have the following setting in amavis: @virus_name_to_spam_score_maps = (new_RE( # the order matters, first match wins [ qr'^Heuristics.OLE2.ContainsMacros'=> 1.1 ], )); However, I expect that this is for emails which have macro attachments, and like you say, unknown whether they are viruses. I would never expect an email with a virus attachment to be forwarded on unless I'm explicitly requesting that. Please don't send me to the amavis list - there must be someone who uses both clamav and amavis that understands what's happening here. ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
Am 24.08.2016 um 18:12 schrieb Alex: I'm using clamav on fedora23 with amavisd-new and would like to tag each email that contains macros with Heuristics.OLE2.ContainsMacros. I've enabled OLE2BlockMacros, but it appears it actually lets them through instead of blocking them outright when this setting is made. What is the proper configuration of clamav to tag all emails with macro attachments with Heuristics.OLE2.ContainsMacros as well as block those emails with attachments that contain macro viruses? clamav don't block or tag anything - that's better suited as a question at the amavisd-new list, however normally you raise the score to a level where amavisd-new or spamassassin starts to tag I'm using clamav with amavis to block them outright. It appears that using OLE2BlockMacros causes attachments with macros, viruses or not, to just be marked by amavis with the Heuristics.OLE2.ContainsMacros. However, when it's set it no longer blocks them but forwards them on. Is this the intended behavior? "Heuristics.OLE2.ContainsMacros" does excatly what th eoption says - it hits on attachments which contain *any* macro Is there no way to configure it to mark emails with macro attachments and block the ones with macro attachments with viruses? known viruses are hit by signatures and so on - the whole purpose of Heuristics is to hit one *unknown* incarnations signature.asc Description: OpenPGP digital signature ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
Hi, >> I'm using clamav on fedora23 with amavisd-new and would like to tag >> each email that contains macros with Heuristics.OLE2.ContainsMacros. >> I've enabled OLE2BlockMacros, but it appears it actually lets them >> through instead of blocking them outright when this setting is made. >> >> What is the proper configuration of clamav to tag all emails with >> macro attachments with Heuristics.OLE2.ContainsMacros as well as block >> those emails with attachments that contain macro viruses? > > clamav don't block or tag anything - that's better suited as a question at > the amavisd-new list, however normally you raise the score to a level where > amavisd-new or spamassassin starts to tag I'm using clamav with amavis to block them outright. It appears that using OLE2BlockMacros causes attachments with macros, viruses or not, to just be marked by amavis with the Heuristics.OLE2.ContainsMacros. However, when it's set it no longer blocks them but forwards them on. Is this the intended behavior? Is there no way to configure it to mark emails with macro attachments and block the ones with macro attachments with viruses? ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
Re: [clamav-users] Understanding OLE2BlockMacros
Am 24.08.2016 um 01:14 schrieb Alex:
I'm using clamav on fedora23 with amavisd-new and would like to tag
each email that contains macros with Heuristics.OLE2.ContainsMacros.
I've enabled OLE2BlockMacros, but it appears it actually lets them
through instead of blocking them outright when this setting is made.
What is the proper configuration of clamav to tag all emails with
macro attachments with Heuristics.OLE2.ContainsMacros as well as block
those emails with attachments that contain macro viruses?
clamav don't block or tag anything - that's better suited as a question
at the amavisd-new list, however normally you raise the score to a level
where amavisd-new or spamassassin starts to tag
___
example of NON-AMAVIS setup with a non.default SA-plugin
cat /etc/mail/spamassassin/clamav.cf
ifplugin Mail::SpamAssassin::Plugin::ClamAV
full CLAMAV_JNK eval:check_clamav('/run/clamd/clamd-sa.sock')
describe CLAMAV_JNK ClamAV detected malware/phishing/junk
priority CLAMAV_JNK 800
score CLAMAV_JNK 6.0
full CLAMAV_MLW eval:check_clamav('/run/clamd/clamd.sock')
describe CLAMAV_MLW ClamAV detected malware/phishing
priority CLAMAV_MLW 800
score CLAMAV_MLW 9.9
endif
signature.asc
Description: OpenPGP digital signature
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
[clamav-users] Understanding OLE2BlockMacros
Hi, I'm using clamav on fedora23 with amavisd-new and would like to tag each email that contains macros with Heuristics.OLE2.ContainsMacros. I've enabled OLE2BlockMacros, but it appears it actually lets them through instead of blocking them outright when this setting is made. What is the proper configuration of clamav to tag all emails with macro attachments with Heuristics.OLE2.ContainsMacros as well as block those emails with attachments that contain macro viruses? Hopefully this is clear. Thanks, Alex ___ Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq http://www.clamav.net/contact.html#ml
