Re: [clamav-users] Whitelisting extensions for virus scan
Tilman Schmidt wrote:
> On 29.10.18 at 17:33, Kris Deugau wrote:
>> Tilman Schmidt wrote:
>>> On 26.10.18 at 15:34, Johnny Time wrote:
>>>> For example, we wanted to authorize only a white list which contains
>>>> *.doc,*.xls,*.pdf and ban the other extensions.
>>>
>>> Surely you meant to write "*.docx,*.xlsx,*.pdf"?
>>> *.doc and *.xls are the old, malware-prone MS-Office filetypes.
>>> You don't want to let those pass, at least not without rigorous
>>> examination.
>>
>> In my experience, the new ones aren't any better.
>
> The "*m" ones (with macros) certainly aren't, but the "*x" ones (without macros) have so far never caused any trouble at our site. So we put mails with *.doc, *.xls, *.docm and *.xlsm attachments in quarantine, only releasing them upon request after manual inspection, but let *.docx and *.xlsx pass if the ClamAV scan turns up clean.

I don't care enough to dig up what the formal spec (such as may exist) for these files is, but I see a regular trickle of .docx and a handful of .xlsx files that pop up a warning in OpenOffice about macros. I don't think I've seen any .docm or .xlsm for a while.

Personally I'd be quite happy to ban them all outright, but customers get a little grouchy when they can't send or receive documents to their contacts...

We scan them all, quarantine the ones that hit a signature, add local signatures as malicious examples get reported, use a handful of third-party signatures, and advise customers to make sure they keep an up-to-date antivirus package on their system - if only to make sure they're also protected against non-email malware.

-kgd
___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
Re: [clamav-users] Whitelisting extensions for virus scan
On 29.10.18 at 17:33, Kris Deugau wrote:
> Tilman Schmidt wrote:
>> On 26.10.18 at 15:34, Johnny Time wrote:
>>> For example, we wanted to authorize only a white list which contains
>>> *.doc,*.xls,*.pdf and ban the other extensions.
>>
>> Surely you meant to write "*.docx,*.xlsx,*.pdf"?
>> *.doc and *.xls are the old, malware-prone MS-Office filetypes.
>> You don't want to let those pass, at least not without rigorous
>> examination.
>
> In my experience, the new ones aren't any better.

The "*m" ones (with macros) certainly aren't, but the "*x" ones (without macros) have so far never caused any trouble at our site. So we put mails with *.doc, *.xls, *.docm and *.xlsm attachments in quarantine, only releasing them upon request after manual inspection, but let *.docx and *.xlsx pass if the ClamAV scan turns up clean.

T.
Re: [clamav-users] Whitelisting extensions for virus scan
I have been seeing malware a .doc "resumé" delivered by e-mail to the ClamXAV help desk several times a week recently.

-Al-

On Mon, Oct 29, 2018 at 10:08 AM, Jerry wrote:
> On Mon, 29 Oct 2018 12:33:19 -0400, Kris Deugau stated:
>
>> Tilman Schmidt wrote:
>>> On 26.10.18 at 15:34, Johnny Time wrote:
>>>> For example, we wanted to authorize only a white list which contains
>>>> *.doc,*.xls,*.pdf and ban the other extensions.
>>>
>>> Surely you meant to write "*.docx,*.xlsx,*.pdf"?
>>> *.doc and *.xls are the old, malware-prone MS-Office filetypes.
>>> You don't want to let those pass, at least not without rigorous
>>> examination.
>>
>> In my experience, the new ones aren't any better.
>
> We have a steady flow of "*.doc", "*.docx" "*.xlsx" and "*.pdf" files
> exchanged with other offices. I have not seen a virus in any of them since
> 2010. Seems like you might be doing business with the wrong type of people.
Re: [clamav-users] Whitelisting extensions for virus scan
Jerry wrote:
> We have a steady flow of "*.doc", "*.docx" "*.xlsx" and "*.pdf" files
> exchanged with other offices. I have not seen a virus in any of them since
> 2010. Seems like you might be doing business with the wrong type of people.

I work for an ISP, managing our mail filtering services. There are certainly legitimate Office document files being sent around, but there are plenty of malicious ones coming in too, and the "new" types are no guarantee the file is safe. I certainly wouldn't exclude them from scanning.

-kgd
Re: [clamav-users] Whitelisting extensions for virus scan
On 26.10.18 at 15:34, Johnny Time wrote:
> For example, we wanted to authorize only a white list which contains
> *.doc,*.xls,*.pdf and ban the other extensions.

Tilman Schmidt wrote:
> Surely you meant to write "*.docx,*.xlsx,*.pdf"?
> *.doc and *.xls are the old, malware-prone MS-Office filetypes.
> You don't want to let those pass, at least not without rigorous
> examination.

On Mon, 29 Oct 2018 12:33:19 -0400, Kris Deugau stated:
> In my experience, the new ones aren't any better.

thus, they should be checked and quarantined/refused.

On 29.10.18 13:08, Jerry wrote:
> We have a steady flow of "*.doc", "*.docx" "*.xlsx" and "*.pdf" files
> exchanged with other offices. I have not seen a virus in any of them since
> 2010. Seems like you might be doing business with the wrong type of people.

wrong people may send viruses to random recipients, spreading viruses over the world. Happens for years...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler
Re: [clamav-users] Whitelisting extensions for virus scan
On Mon, 29 Oct 2018 12:33:19 -0400, Kris Deugau stated:

>Tilman Schmidt wrote:
>> On 26.10.18 at 15:34, Johnny Time wrote:
>>> For example, we wanted to authorize only a white list which contains
>>> *.doc,*.xls,*.pdf and ban the other extensions.
>>
>> Surely you meant to write "*.docx,*.xlsx,*.pdf"?
>> *.doc and *.xls are the old, malware-prone MS-Office filetypes.
>> You don't want to let those pass, at least not without rigorous
>> examination.
>
>In my experience, the new ones aren't any better.

We have a steady flow of "*.doc", "*.docx" "*.xlsx" and "*.pdf" files exchanged with other offices. I have not seen a virus in any of them since 2010. Seems like you might be doing business with the wrong type of people.

--
Jerry
Re: [clamav-users] Whitelisting extensions for virus scan
Tilman Schmidt wrote:
> On 26.10.18 at 15:34, Johnny Time wrote:
>> For example, we wanted to authorize only a white list which contains
>> *.doc,*.xls,*.pdf and ban the other extensions.
>
> Surely you meant to write "*.docx,*.xlsx,*.pdf"?
> *.doc and *.xls are the old, malware-prone MS-Office filetypes.
> You don't want to let those pass, at least not without rigorous
> examination.

In my experience, the new ones aren't any better.

-kgd
Re: [clamav-users] Whitelisting extensions for virus scan
On 26.10.18 at 15:34, Johnny Time wrote:
> For example, we wanted to authorize only a white list which contains
> *.doc,*.xls,*.pdf and ban the other extensions.

Surely you meant to write "*.docx,*.xlsx,*.pdf"?
*.doc and *.xls are the old, malware-prone MS-Office filetypes.
You don't want to let those pass, at least not without rigorous examination.

Cheers,
Tilman
Re: [clamav-users] Whitelisting extensions for virus scan
Johnny Time wrote:
> Hi Folks,
>
> We use Clamav and we wonder if we can whitelist some extensions on our virus scan?
> For example, we wanted to authorize only a white list which contains
> *.doc,*.xls,*.pdf and ban the other extensions.

If you're looking to block all files except a limited set of extensions, this is probably better done a layer up in your mail flow. I call Clam from MIMEDefang, for instance, so I would configure MIMEDefang to reject mail that has any other file types attached.

However, the three you've listed can all contain malware; you really don't want to *skip* scanning those.

-kgd
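Added example, not part of the thread and not any poster's code: a Python standard-library sketch of an extension allowlist applied a layer above ClamAV, as suggested in the reply above, combined with the quarantine policy described earlier in the thread. It goes beyond the thread by checking that .docx/.xlsx content is a ZIP container without a vbaProject.bin part, since a macro-free extension does not guarantee macro-free content; the function names and verdict strings are assumptions, and the sample mail is constructed.

```python
import io
import zipfile
from email.message import EmailMessage
from pathlib import PurePosixPath

ALLOWED = {".docx", ".xlsx", ".pdf"}             # allowlist as corrected in the thread
QUARANTINE = {".doc", ".xls", ".docm", ".xlsm"}  # held for manual inspection

def ooxml_problem(data):
    """Reason a .docx/.xlsx payload is not a macro-free ZIP container, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
    except zipfile.BadZipFile:
        return "not a ZIP container"
    return "VBA project present" if any(n.endswith("vbaproject.bin") for n in names) else None

def classify(msg):
    """Yield (filename, verdict); verdict is reject, quarantine or scan (hypothetical names)."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = PurePosixPath(name.lower()).suffix
        if ext in QUARANTINE:
            verdict = "quarantine"
        elif ext not in ALLOWED:
            verdict = "reject"
        elif ext != ".pdf" and ooxml_problem(part.get_payload(decode=True) or b""):
            verdict = "quarantine"   # content does not match the "x" extension
        else:
            verdict = "scan"         # allowlisted types still go to ClamAV
        yield name, verdict

def _zip(names):  # helper: build a constructed ZIP with the given member names
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in names:
            z.writestr(n, b"x")
    return buf.getvalue()

def sample_message():  # constructed test mail, not real traffic
    msg = EmailMessage()
    msg.set_content("see attached")
    files = {"report.docx": _zip(["word/document.xml"]),
             "invoice.docx": _zip(["word/document.xml", "word/vbaProject.bin"]),
             "old.doc": b"\xd0\xcf\x11\xe0", "renamed.xlsx": b"\xd0\xcf\x11\xe0",
             "tool.exe": b"MZ", "paper.pdf": b"%PDF-1.4"}
    for name, data in files.items():
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg
```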