On Fri, Oct 14, 2016 at 9:11 AM, Axb <axb.li...@gmail.com> wrote:
> On 10/14/2016 02:49 PM, Paul Stead wrote:
>> On 03/10/16 21:30, John Hardin wrote:
>>> ClamAV is probably the correct approach to macro-based malware, unless
>>> we want to do a MS Office document plugin with something like an eval
>>> for has_macros().
>> ClamAV does allow macro detection, but it depends on the MTA glue used
>> whether you can use this feature.
>> With the feedback of Alex I've put together a plugin which detects the
>> presence of a MS Office Macro with a few other bits.
>> Testing shows to be speedy and reliable enough, though seemingly lots of
>> legit emails have Macro attachments but this should help build
>> metas/help detection.
>> https://github.com/fmbla/spamassassin-olemacro
>> - Detects macros - both old and new style
>> - Basic 'malicious' macro detection
>> - Protected (encrypted) document detection
> Paul,
> This looks like a fine pre-Xmas gift :)
> How's the performance. I know you run hi traffic sites.
> Have you felt a difference?

We also have not seen any noticeable performance issues.

Have you guys thought about appropriate meta's to create using these?

I was thinking about something involving bayes00 as a ham indicator,
but I really don't have an idea of what characteristics are common
among emails with actual macro viruses.

Reply via email to