Re: Macro virus fun
On 4/6/2016 3:23 PM, Alex wrote:
> Can you tell us more about the OLE2 result, and how you obtained it
> from clamav, in hopes I could do something similar with amavis?

IIRC, all you have to do is make sure your clamd.conf includes these two
settings:

    ScanOLE2 yes
    OLE2BlockMacros yes

Then, according to the clamd.conf manpage, 'OLE2 files with VBA macros,
which were not detected by signatures will be marked as
"Heuristics.OLE2.ContainsMacros".'

Since I call clam from mimedefang, I just pattern-match for that hit
string and act accordingly.

We are getting a bit OT from SA, but hopefully that can help you get
going.
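The "pattern-match for that hit string and act accordingly" step, as an added example that is neither Matt's mimedefang code nor anything shipped with ClamAV: a Python client that streams a decoded attachment to clamd over its INSTREAM protocol and maps the reply to a filter action. It assumes a clamd configured as above (ScanOLE2 and OLE2BlockMacros on), listening on the socket path given by CLAMD_SOCKET (an assumption, set it to your LocalSocket), and the action table is a policy choice, not something ClamAV defines. Note that despite its name OLE2BlockMacros blocks nothing by itself: it only turns "has VBA, no signature matched" into that heuristic detection, so any clamd consumer that rejects on every FOUND (a front-end milter, say) would then reject every macro document.

```python
"""Scan a decoded attachment with clamd over its INSTREAM protocol and turn
the reply into a mail-filter decision.  Added example, not Matt's mimedefang
code: CLAMD_SOCKET and the action table are assumptions; clamd is expected
to run with ScanOLE2 and OLE2BlockMacros enabled as in the post above."""
import re
import socket
import struct
from typing import Optional, Tuple

CLAMD_SOCKET = "/var/run/clamav/clamd.ctl"     # assumption: match LocalSocket in clamd.conf
MACRO_HEURISTIC = "Heuristics.OLE2.ContainsMacros"
CHUNK = 64 * 1024

# clamd replies "<id>: <name> FOUND", "<id>: OK" or "<id>: <text> ERROR".
_REPLY = re.compile(r"^(?P<id>[^:]*): (?:(?P<name>.+) FOUND|(?P<ok>OK)|(?P<err>.+) ERROR)$")

# Policy (assumption): a bare macro heuristic is quarantined for a human look,
# a signature hit is rejected outright, scanner trouble is a temporary failure.
ACTIONS = {"clean": "accept", "macro": "quarantine", "malware": "reject", "error": "tempfail"}


def classify(reply: str) -> Tuple[str, Optional[str]]:
    """Map one clamd reply line to (category, detection name).

    'macro' means only the OLE2 heuristic fired: the file carries VBA but no
    signature matched, which is the string Matt pattern-matches for.
    'malware' is any other FOUND, including Sanesecurity's unofficial defs.
    """
    line = reply.rstrip("\0\r\n")
    m = _REPLY.match(line)
    if not m:
        return "error", line
    if m.group("ok"):
        return "clean", None
    if m.group("err"):
        return "error", m.group("err")
    name = m.group("name")
    return ("macro" if name == MACRO_HEURISTIC else "malware"), name


def decide(category: str) -> str:
    """Filter action for a classify() category; unknown categories fail safe."""
    return ACTIONS.get(category, "tempfail")


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET, timeout: float = 30.0) -> Tuple[str, Optional[str]]:
    """Stream `data` to clamd with zINSTREAM and classify the NUL-terminated reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(b"zINSTREAM\0")
        for off in range(0, len(data), CHUNK):
            chunk = data[off:off + CHUNK]
            s.sendall(struct.pack(">I", len(chunk)) + chunk)   # big-endian length prefix
        s.sendall(struct.pack(">I", 0))                         # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return classify(reply.decode("utf-8", "replace"))


if __name__ == "__main__":
    import sys
    category, name = scan_bytes(open(sys.argv[1], "rb").read())
    print(category, name or "", "->", decide(category))
```

The classifier keys on the exact heuristic name rather than on the word "Macros" so that a third-party signature such as Sanesecurity.Badmacro.* still counts as a signature hit, and a reply that does not parse (or an ERROR, for example when the attachment exceeds clamd's StreamMaxLength) is treated as a scanner failure rather than as a clean file.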
Re: Macro virus fun
On Wed, 6 Apr 2016, Alex wrote:

> Hi,
>
> On Wed, Apr 6, 2016 at 3:12 AM, wrote:
>> Alex wrote on 2016-04-06 02:40:
>>
>>> http://pastebin.com/FTzbQcHb
>>>
>>> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
>>> but it's apparently not something that spamassassin can manipulate
>>
>> change clamd to block this mail, or score this with higher score in
>> amavisd, but blocking only make sense if you use amavisd-milter so it
>> would reject if it contains macros, here i just use clamav-milter not
>> amavisd
>>
>> its not spam, its really malware, handle is so is suggested
>
> This one may be spam/malware, but the vast majority of them are not.
> Blocking all files with macros is an obvious solution, but not a good
> one.
>
> Is it even possible to use SA to create a rule based on whether it
> contains an attachment that has macros? At least then we could create
> more aggressive meta rules.

FWIW, your example hits on the Sanesecurity custom ClamAV defs
(specifically Sanesecurity.Badmacro.Doc.objl.UNOFFICIAL).

I have two instances of ClamAV running; one with just the stock defs from
ClamAV which I use in a front-end milter to outright SMTP-reject any
detected viri. The second has all the algorithmic, PUAs, etc.
bells-&-whistles activated plus a full set of 3rd party "unofficial" defs
(Sanesecurity, winnow, bofhland, etc.) that is just used thru the SA
Clamav.pm plugin. That adds a custom 'X-Spam-Clamav' header to the message
that contains the name of the def that fired. I then have SA rules to
score against based upon that. So for example, "Sanesecurity.Badmacro"
can be used to trigger a rule to hit messages which need to be
quarantined, etc.

You could create a custom ClamAV def that would look for any kind of macro
inside the various popular documents (.doc, .rtf, .pdf, etc.) (ClamAV is
good at knowing how to unpack/scan attachments, so use it as a scanning
engine). You could then craft special handling based upon the detection
of said macros (delivery time quarantining etc.).

-- 
Dave Funk, University of Iowa College of Engineering
319/335-5751, FAX: 319/384-0549, 1256 Seamans Center
Sys_admin/Postmaster/cell_admin, Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better. B{
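A SpamAssassin rule set of the kind Dave describes, as an added example (these are not his rules): it assumes the ClamAV plugin has already put the detection name into an X-Spam-Clamav header that header rules can see at scan time, as in his setup (the stock wiki Clamav.pm exposes the result through a tag plus add_header, which only appears on output, so check how your copy injects it). The rule names, scores and the invoice wording are assumptions; the meta rule is Alex's idea from later in the thread of weighting macros more heavily when they come with finance/invoice talk.

```text
# Local rules, e.g. /etc/mail/spamassassin/local_clamav.cf (path is an assumption).
# Assumes the ClamAV plugin has put the detection name into an X-Spam-Clamav
# header that is visible to header rules when the message is scanned.

# Third-party Sanesecurity macro defs: strong signal, quarantine-grade score.
header   CLAMAV_BADMACRO   X-Spam-Clamav =~ /\bSanesecurity\.Badmacro\./
describe CLAMAV_BADMACRO   ClamAV (Sanesecurity unofficial defs) flagged a macro document
score    CLAMAV_BADMACRO   5.0

# Stock ClamAV heuristic: only says "contains VBA", so score it lightly on its own.
header   CLAMAV_OLE2_MACRO X-Spam-Clamav =~ /\bHeuristics\.OLE2\.ContainsMacros\b/
describe CLAMAV_OLE2_MACRO ClamAV heuristic: attachment contains VBA macros
score    CLAMAV_OLE2_MACRO 1.0

# Finance/invoice wording in the body as a sub-rule (leading __ = no score of its own).
body     __INVOICE_WORDS   /\b(?:invoice|remittance|payment (?:due|advice)|wire transfer)\b/i

# Macros *and* money talk together are worth far more than either alone.
meta     MACRO_AND_INVOICE (CLAMAV_OLE2_MACRO && __INVOICE_WORDS)
describe MACRO_AND_INVOICE Macro-bearing attachment with invoice/payment wording
score    MACRO_AND_INVOICE 4.0
```

Run `spamassassin --lint` after adding the file; a header rule that never fires usually means the header is not present at scan time, which is the assumption above to verify first. Keeping the heuristic score low on its own is what lets the legitimate macro-bearing invoices Alex mentions pass while the meta rule catches the combination.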
Re: Macro virus fun
Hi,

On Wed, Apr 6, 2016 at 12:14 PM, Matt Garretson wrote:
> On 4/5/2016 8:40 PM, Alex wrote:
>> These targeted macro viruses are killing us. I hoped someone would
>> [...]
>> What strategy are other people using to block zero-day macro viruses?
>
> I quarantine these before they get to SA with some logic in mimedefang
> that combines the OLE2 result from clamav with bogofilter scores and a
> couple arbitrary pattern matches that i update as needed.

Can you tell us more about the OLE2 result, and how you obtained it
from clamav, in hopes I could do something similar with amavis?
Re: Macro virus fun
Hi,

On Wed, Apr 6, 2016 at 11:39 AM, John Hardin wrote:
> On Wed, 6 Apr 2016, Alex wrote:
>
>> Yes, blocking all .doc files would be tough for us. However, maybe a
>> rule that weights their existence more heavily combined with
>> something involving finance+money+invoices would be helpful.
>
> Would blocking with whitelist exceptions for expected sources work for you?

Unfortunately not. It's a business with a lot of little vendors,
apparently. I'm surprised at just how many legitimate senders use junk
email addresses like jo...@cox.net to send actual invoices for services.

Thanks,
Alex
Re: Macro virus fun
On 4/5/2016 8:40 PM, Alex wrote:
> These targeted macro viruses are killing us. I hoped someone would
> [...]
> What strategy are other people using to block zero-day macro viruses?

I quarantine these before they get to SA with some logic in mimedefang
that combines the OLE2 result from clamav with bogofilter scores and a
couple arbitrary pattern matches that i update as needed.
Re: Macro virus fun
On Wed, 6 Apr 2016, Alex wrote:

> Yes, blocking all .doc files would be tough for us. However, maybe a
> rule that weights their existence more heavily combined with
> something involving finance+money+invoices would be helpful.

Would blocking with whitelist exceptions for expected sources work for you?

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76  D822 E6E6 B873 2E79
---
  The Tea Party wants to remove the Crony from Crony Capitalism.
  OWS wants to remove Capitalism from Crony Capitalism.
                                                   -- Astaghfirullah
---
 7 days until Thomas Jefferson's 273rd Birthday
Re: Macro virus fun
Hi,

On Wed, Apr 6, 2016 at 9:56 AM, Reindl Harald wrote:
> On 06.04.2016 at 15:53, RW wrote:
>>
>> On Tue, 5 Apr 2016 20:40:20 -0400
>> Alex wrote:
>>
>>> These targeted macro viruses are killing us. I hoped someone would
>>> like to take a shot at suggestions on how to stop these.
>>>
>>> http://pastebin.com/FTzbQcHb
>>>
>>> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
>>> but it's apparently not something that spamassassin can manipulate
>>> once it's been added. In other words, it can't be used in a meta or to
>>> make spam/ham decisions, only add to the existing score.
>>
>> Do you need to allow attachments with a .doc extension?
>>
>> The last version of word that saved in this format was in Office 2003
>> and the last version of wordpad was in XP. Both have been out of
>> mainstream support for 7 years and stopped getting security updates 2
>> years ago
>
> sadly in the real world if it comes to business customers you don't get
> rid of .doc in a near future, be it because outdated office versions or
> in the past changed defaults to save in the old formats to ensure others
> with older (at that moment supported versions) can open your documents

Yes, blocking all .doc files would be tough for us. However, maybe a
rule that weights their existence more heavily combined with something
involving finance+money+invoices would be helpful.
Re: Macro virus fun
On 06.04.2016 at 15:53, RW wrote:
> On Tue, 5 Apr 2016 20:40:20 -0400
> Alex wrote:
>
>> These targeted macro viruses are killing us. I hoped someone would
>> like to take a shot at suggestions on how to stop these.
>>
>> http://pastebin.com/FTzbQcHb
>>
>> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
>> but it's apparently not something that spamassassin can manipulate
>> once it's been added. In other words, it can't be used in a meta or to
>> make spam/ham decisions, only add to the existing score.
>
> Do you need to allow attachments with a .doc extension?
>
> The last version of word that saved in this format was in Office 2003
> and the last version of wordpad was in XP. Both have been out of
> mainstream support for 7 years and stopped getting security updates 2
> years ago

sadly in the real world if it comes to business customers you don't get
rid of .doc in a near future, be it because outdated office versions or
in the past changed defaults to save in the old formats to ensure others
with older (at that moment supported versions) can open your documents

as mailadmin you are hardly in the position to educate all the outside
world sending mails to your customers
Re: Macro virus fun
On Tue, 5 Apr 2016 20:40:20 -0400
Alex wrote:

> Hi all,
>
> These targeted macro viruses are killing us. I hoped someone would
> like to take a shot at suggestions on how to stop these.
>
> http://pastebin.com/FTzbQcHb
>
> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
> but it's apparently not something that spamassassin can manipulate
> once it's been added. In other words, it can't be used in a meta or to
> make spam/ham decisions, only add to the existing score.

Do you need to allow attachments with a .doc extension?

The last version of word that saved in this format was in Office 2003
and the last version of wordpad was in XP. Both have been out of
mainstream support for 7 years and stopped getting security updates 2
years ago.
Re: Macro virus fun
Hi,

On Wed, Apr 6, 2016 at 3:12 AM, wrote:
> Alex wrote on 2016-04-06 02:40:
>
>> http://pastebin.com/FTzbQcHb
>>
>> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
>> but it's apparently not something that spamassassin can manipulate
>
> change clamd to block this mail, or score this with higher score in
> amavisd, but blocking only make sense if you use amavisd-milter so it
> would reject if it contains macros, here i just use clamav-milter not
> amavisd
>
> its not spam, its really malware, handle is so is suggested

This one may be spam/malware, but the vast majority of them are not.
Blocking all files with macros is an obvious solution, but not a good
one.

Is it even possible to use SA to create a rule based on whether it
contains an attachment that has macros? At least then we could create
more aggressive meta rules.

Thanks,
Alex
Re: Macro virus fun
Alex wrote on 2016-04-06 02:40:

> http://pastebin.com/FTzbQcHb
>
> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
> but it's apparently not something that spamassassin can manipulate

change clamd to block this mail, or score this with higher score in
amavisd, but blocking only make sense if you use amavisd-milter so it
would reject if it contains macros, here i just use clamav-milter not
amavisd

its not spam, its really malware, handle is so is suggested
Macro virus fun
Hi all,

These targeted macro viruses are killing us. I hoped someone would like
to take a shot at suggestions on how to stop these.

http://pastebin.com/FTzbQcHb

The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav, but
it's apparently not something that spamassassin can manipulate once it's
been added. In other words, it can't be used in a meta or to make
spam/ham decisions, only add to the existing score.

Is there a spamassassin rule that identifies attachments with macros in
them? What strategy are other people using to block zero-day macro
viruses?

You'll notice the attachment still isn't being detected by clamav proper
(no surprise, really), and was only just now submitted to Steve at
sanesecurity.

It appears some companies are quarantining any files with macros in them
for some period of time until they can be deconstructed and analyzed
(sandbox, etc). Are any SA users doing that?

I'm sure I could build a body rule, but that's kind of playing
whack-a-mole. I wondered what more general solutions people had that
might detect/block these. Body rules are also welcomed, of course.

Thanks,
Alex
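Alex's question of whether an attachment with macros can be identified at all without a signature has a structural answer: a VBA project lives in well-known storages and streams of the OLE2 container (Macros/VBA/_VBA_PROJECT in Word, _VBA_PROJECT_CUR in Excel), and the OOXML macro formats (.docm, .xlsm) carry the same container as a vbaProject.bin part inside their zip. The following is an added example, not code from the thread or from ClamAV or SpamAssassin: a small parser of the Compound File Binary directory that reports those names, with a recursion into OOXML zips. The two build_sample_* functions fabricate minimal containers purely so the parser can be exercised offline; real documents have many more sectors and entries. Something like this would run in the MIME filter (mimedefang, amavisd) that has the decoded attachment in hand, since plain SA body rules see base64 rather than the container.

```python
"""Decide whether an Office attachment carries a VBA project, without ClamAV:
walks the OLE2 / Compound File Binary directory (MS-CFB) for the storage and
stream names a VBA project needs (MS-OVBA) and unwraps OOXML zips (.docm,
.xlsm) to the embedded vbaProject.bin.  Added example, not code from the
thread; build_sample_doc()/build_sample_docm() fabricate test containers."""
import io
import struct
import zipfile
from typing import List

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
MAXREGSECT = 0xFFFFFFFA          # larger values are ENDOFCHAIN / FREESECT / FATSECT markers
VBA_NAMES = {"macros", "_vba_project_cur", "vba", "_vba_project"}   # only exist with macros


def _sector(data: bytes, sid: int, size: int) -> bytes:
    return data[(sid + 1) * size:(sid + 2) * size]   # sector 0 follows the 512-byte header


def _fat(data: bytes, size: int) -> List[int]:
    """Rebuild the FAT: 109 DIFAT slots in the header, then chained DIFAT sectors."""
    difat = list(struct.unpack("<109I", data[76:512]))
    nxt, = struct.unpack("<I", data[68:72])
    n, seen = size // 4, set()
    while nxt <= MAXREGSECT and nxt not in seen:
        seen.add(nxt)
        sec = _sector(data, nxt, size)
        if len(sec) != size:
            break
        block = struct.unpack("<%dI" % n, sec)
        difat.extend(block[:-1])
        nxt = block[-1]                   # last slot points at the next DIFAT sector
    fat: List[int] = []
    for sid in difat:
        sec = _sector(data, sid, size) if sid <= MAXREGSECT else b""
        if len(sec) == size:
            fat.extend(struct.unpack("<%dI" % n, sec))
    return fat


def ole2_entry_names(data: bytes) -> List[str]:
    """Walk the directory sector chain and return every in-use entry name."""
    if len(data) < 512 or not data.startswith(OLE2_MAGIC):
        raise ValueError("not an OLE2 compound file")
    size = 1 << struct.unpack("<H", data[30:32])[0]
    sid, = struct.unpack("<I", data[48:52])
    fat, names, seen = _fat(data, size), [], set()
    while sid <= MAXREGSECT and sid < len(fat) and sid not in seen:
        seen.add(sid)
        sec = _sector(data, sid, size)
        for off in range(0, len(sec) - 127, 128):
            e = sec[off:off + 128]
            nlen, etype = struct.unpack("<HB", e[64:67])
            if etype and 2 <= nlen <= 64:          # type 0 = unused slot; name is UTF-16LE + NUL
                names.append(e[:nlen - 2].decode("utf-16-le", "replace"))
        sid = fat[sid]
    return names


def vba_indicators(blob: bytes) -> List[str]:
    """Directory names that prove a VBA project is present, [] otherwise."""
    if blob.startswith(b"PK\x03\x04"):              # OOXML: recurse into the nested OLE2 part
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for name in zf.namelist():
                    if name.lower().endswith("vbaproject.bin"):
                        return vba_indicators(zf.read(name))
        except zipfile.BadZipFile:
            pass
        return []
    if not blob.startswith(OLE2_MAGIC):
        return []
    return [n for n in ole2_entry_names(blob) if n.lower() in VBA_NAMES]


def build_sample_doc(entries: List[str]) -> bytes:
    """Constructed test input: a 3-sector CFB (header, FAT, directory) whose
    directory holds 'Root Entry' plus up to three given names as storages."""
    hdr = bytearray(512)
    hdr[0:8] = OLE2_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)          # v3, 512-byte sectors
    struct.pack_into("<IIIIII", hdr, 44, 1, 1, 0, 4096, 0xFFFFFFFE, 0)  # 1 FAT sector, dir at 1
    struct.pack_into("<II", hdr, 68, 0xFFFFFFFE, 0)                      # no extra DIFAT sectors
    struct.pack_into("<109I", hdr, 76, 0, *([0xFFFFFFFF] * 108))         # FAT lives in sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, 0xFFFFFFFE, *([0xFFFFFFFF] * 126))
    directory = bytearray(512)
    for i, (name, etype) in enumerate([("Root Entry", 5)] + [(n, 1) for n in entries]):
        raw = name.encode("utf-16-le") + b"\0\0"
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", directory, i * 128 + 64, len(raw), etype)
    return bytes(hdr) + fat + bytes(directory)


def build_sample_docm(entries: List[str]) -> bytes:
    """Constructed test input: an OOXML-style zip embedding the CFB above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", build_sample_doc(entries))
    return buf.getvalue()
```

Two deliberate choices: detection keys on the container's magic bytes rather than the file extension, so a .docm renamed to .doc is still unwrapped, and the directory walk reads every entry in the chain rather than following the red-black tree from the root, so an orphaned or half-deleted VBA project still flags (erring on the side of a quarantine, which is the direction you want in a mail filter). It deliberately does not try to judge whether the macro is malicious; that is what the ClamAV heuristic plus scoring in the rest of this thread is for. RTF with embedded OLE objects and PDFs are out of scope here.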