Re: Macro virus fun

2016-04-07 Thread Matt Garretson
On 4/6/2016 3:23 PM, Alex wrote:
> Can you tell us more about the OLE2 result, and how you obtained it
> from clamav, in hopes I could do something similar with amavis?

IIRC, all you have to do is make sure your clamd.conf includes these two settings:

ScanOLE2 yes
OLE2BlockMacros yes

Re: Macro virus fun

2016-04-07 Thread David B Funk
On Wed, 6 Apr 2016, Alex wrote:
> Hi,
>
> On Wed, Apr 6, 2016 at 3:12 AM, wrote:
>> Alex wrote on 2016-04-06 02:40:
>>> http://pastebin.com/FTzbQcHb
>>>
>>> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
>>> but it's apparently not something that spamassassin can manipulate

Re: Macro virus fun

2016-04-06 Thread Alex
Hi,

On Wed, Apr 6, 2016 at 12:14 PM, Matt Garretson wrote:
> On 4/5/2016 8:40 PM, Alex wrote:
>> These targeted macro viruses are killing us. I hoped someone would
>> [...]
>> What strategy are other people using to block zero-day macro viruses?
>
> I quarantine these

Re: Macro virus fun

2016-04-06 Thread Alex
Hi,

On Wed, Apr 6, 2016 at 11:39 AM, John Hardin wrote:
> On Wed, 6 Apr 2016, Alex wrote:
>
>> Yes, blocking all .doc files would be tough for us. However, maybe a
>> rule that weights their existence more heavily combined with
>> something involving

Re: Macro virus fun

2016-04-06 Thread Matt Garretson
On 4/5/2016 8:40 PM, Alex wrote:
> These targeted macro viruses are killing us. I hoped someone would
> [...]
> What strategy are other people using to block zero-day macro viruses?

I quarantine these before they get to SA with some logic in mimedefang that combines the OLE2 result from clamav

Re: Macro virus fun

2016-04-06 Thread John Hardin
On Wed, 6 Apr 2016, Alex wrote:
> Yes, blocking all .doc files would be tough for us. However, maybe a
> rule that weights their existence more heavily combined with
> something involving finance+money+invoices would be helpful.

Would blocking with whitelist exceptions for expected sources
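An added example (not code from this thread, nor from SpamAssassin, mimedefang or clamav themselves) of the approach Matt and John describe above: an Office attachment is weighted more heavily when the body talks about invoices or payments, a macro indicator is folded in (either a flag handed down from an upstream scanner such as clamav's OLE2 check, or a cheap local look at the attachment), and a whitelist of expected senders bypasses the block. Python stands in for what would be an SA meta rule or a mimedefang filter; the weights, threshold, keyword list, the UTF-16LE marker names and the sample messages are all assumptions constructed for the example.

```python
"""Weighted macro-document scoring with sender exceptions (added example)."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE2 compound-file signature
OFFICE_EXTS = (".doc", ".dot", ".xls", ".xlt", ".ppt", ".docm", ".xlsm")
# Directory-entry names an OLE2 file stores (UTF-16LE) when it carries a VBA
# project. Substring-scanning for them is a cheap heuristic stand-in for a
# real OLE2 parse or for clamav's OLE2 check (assumption, not clamav's code).
MACRO_MARKERS = tuple(n.encode("utf-16-le") for n in ("_VBA_PROJECT", "Macros"))
FINANCE_RE = re.compile(
    r"\b(invoice|payment|remittance|wire transfer|overdue|purchase order)\b", re.I)

# Rule weights and quarantine threshold are assumed values; tune them the way
# you would SpamAssassin scores, against your own ham and spam.
WEIGHTS = {"OFFICE_ATTACH": 1.0, "FINANCE_WORDS": 2.0, "OLE2_MACROS": 3.0}
QUARANTINE_AT = 5.0


def attachment_has_macros(blob):
    """True if blob is an OLE2 container whose directory names a VBA project."""
    return blob.startswith(OLE2_MAGIC) and any(m in blob for m in MACRO_MARKERS)


def sender_address(msg):
    """Lower-cased address from the From header (empty string if absent)."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.lower()


def score_message(raw, whitelist=frozenset(), clamav_macros=False):
    """Score one message.

    raw           -- the message as bytes
    whitelist     -- expected senders, as full addresses or bare domains
    clamav_macros -- whether an upstream scanner already flagged macros
                     (e.g. clamav's Heuristics.OLE2.ContainsMacros)
    Returns {'hits', 'score', 'excepted', 'action'}.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    office_parts = [p for p in msg.iter_attachments()
                    if (p.get_filename() or "").lower().endswith(OFFICE_EXTS)]
    if office_parts:
        hits.append("OFFICE_ATTACH")
        body = msg.get_body(preferencelist=("plain", "html"))
        text = body.get_content() if body is not None else ""
        if FINANCE_RE.search(text):          # invoice-themed lure + Office file
            hits.append("FINANCE_WORDS")
        # get_payload(decode=True) always yields the raw bytes of the part,
        # whatever transfer encoding or declared content type it has.
        if clamav_macros or any(attachment_has_macros(p.get_payload(decode=True) or b"")
                                for p in office_parts):
            hits.append("OLE2_MACROS")
    score = sum(WEIGHTS[h] for h in hits)
    sender = sender_address(msg)
    domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    excepted = sender in whitelist or domain in whitelist
    action = "quarantine" if score >= QUARANTINE_AT and not excepted else "deliver"
    return {"hits": hits, "score": score, "excepted": excepted, "action": action}


def build_sample(sender, body, attach=None, filename="invoice.doc"):
    """Construct a message offline for testing (constructed sample, not a capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "ap@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content(body)
    if attach is not None:
        msg.add_attachment(attach, maintype="application", subtype="msword",
                           filename=filename)
    return msg.as_bytes()


# Constructed stand-ins for attachments: OLE2 signature plus padding, with or
# without a UTF-16LE "_VBA_PROJECT" directory name. Not real documents.
FAKE_MACRO_DOC = OLE2_MAGIC + b"\0" * 64 + "_VBA_PROJECT".encode("utf-16-le") + b"\0" * 64
FAKE_PLAIN_DOC = OLE2_MAGIC + b"\0" * 128

if __name__ == "__main__":
    lure = "Please review the attached overdue invoice and arrange payment."
    print(score_message(build_sample("billing@unknown.example", lure, FAKE_MACRO_DOC)))
    print(score_message(build_sample("ar@supplier.example", lure, FAKE_MACRO_DOC),
                        whitelist=frozenset({"supplier.example"})))
```

In production the macro signal should come from the scanner that already parses the container (clamav's OLE2 check, as the thread discusses); the local marker scan exists only so the example runs offline. The same shape in SpamAssassin's own configuration would be a `mimeheader` rule for the attachment name, a `body` rule for the finance wording, a `meta` rule combining them with a score, and `whitelist_from` style exceptions for the expected sources.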

Re: Macro virus fun

2016-04-06 Thread Alex
Hi,

On Wed, Apr 6, 2016 at 9:56 AM, Reindl Harald wrote:
> On 06.04.2016 at 15:53 RW wrote:
>>
>> On Tue, 5 Apr 2016 20:40:20 -0400
>> Alex wrote:
>>
>>> These targeted macro viruses are killing us. I hoped someone would
>>> like to take a shot at suggestions on how to

Re: Macro virus fun

2016-04-06 Thread Reindl Harald
On 06.04.2016 at 15:53 RW wrote:
> On Tue, 5 Apr 2016 20:40:20 -0400
> Alex wrote:
>> These targeted macro viruses are killing us. I hoped someone would
>> like to take a shot at suggestions on how to stop these.
>>
>> http://pastebin.com/FTzbQcHb
>>
>> The Heuristics.OLE2.ContainsMacros rule is added by

Re: Macro virus fun

2016-04-06 Thread RW
On Tue, 5 Apr 2016 20:40:20 -0400
Alex wrote:
> Hi all,
>
> These targeted macro viruses are killing us. I hoped someone would
> like to take a shot at suggestions on how to stop these.
>
> http://pastebin.com/FTzbQcHb
>
> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,

Re: Macro virus fun

2016-04-06 Thread Alex
Hi,

On Wed, Apr 6, 2016 at 3:12 AM, wrote:
> Alex wrote on 2016-04-06 02:40:
>
>> http://pastebin.com/FTzbQcHb
>>
>> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
>> but it's apparently not something that spamassassin can manipulate
>
> change clamd to block

Re: Macro virus fun

2016-04-06 Thread me
Alex wrote on 2016-04-06 02:40:
> http://pastebin.com/FTzbQcHb
>
> The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
> but it's apparently not something that spamassassin can manipulate

change clamd to block this mail, or score this with a higher score in amavisd, but blocking

Macro virus fun

2016-04-05 Thread Alex
Hi all,

These targeted macro viruses are killing us. I hoped someone would like to take a shot at suggestions on how to stop these.

http://pastebin.com/FTzbQcHb

The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav, but it's apparently not something that spamassassin can manipulate