Hi,

On Fri, Oct 14, 2016 at 9:11 AM, Axb <axb.li...@gmail.com> wrote:
> On 10/14/2016 02:49 PM, Paul Stead wrote:
>>
>> On 03/10/16 21:30, John Hardin wrote:
>>>
>>> ClamAV is probably the correct approach to macro-based malware, unless
>>> we want to do a MS Office document plugin with something like an eval
>>> for has_macros().
>>
>> ClamAV does allow macro detection, but it depends on the MTA glue used
>> whether you can use this feature.
>>
>> With the feedback of Alex I've put together a plugin which detects the
>> presence of a MS Office Macro with a few other bits.
>>
>> Testing shows to be speedy and reliable enough, though seemingly lots of
>> legit emails have Macro attachments but this should help build
>> metas/help detection.
>>
>> https://github.com/fmbla/spamassassin-olemacro
>>
>> - Detects macros - both old and new style
>> - Basic 'malicious' macro detection
>> - Protected (encrypted) document detection
>>
>
> Paul,
> This looks like a fine pre-Xmas gift :)
>
> How's the performance? I know you run hi traffic sites.
> Have you felt a difference?
We also have not seen any noticeable performance issues. Have you guys thought about appropriate metas to create using these? I was thinking about something involving bayes00 as a ham indicator, but I really don't have an idea of what characteristics are common among emails with actual macro viruses.
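The quoted post lists three attachment properties the plugin flags (old-style OLE2 macros, new-style OOXML macros, and password-protected documents). As an added illustration of how such a check works, and not the spamassassin-olemacro plugin's own code, here is a stdlib-only Python classifier that applies the same three tests to an attachment body. The marker strings and the stream names it looks for are assumptions drawn from the file formats (OLE2 stores stream names as UTF-16LE in its directory; OOXML keeps VBA in a `vbaProject.bin` part; encrypted OOXML is wrapped in an OLE2 container with an `EncryptedPackage` stream), and the sample inputs are constructed in-memory, not real attachments.

```python
"""
Added example, not the olemacro plugin's code: classify an MS Office
attachment as old-style macro carrier, new-style macro carrier, or
protected (encrypted) document using the same three properties the
plugin announces. Stream/part names below are assumptions based on the
OLE2 (CFB) and OOXML formats; a production check would parse the OLE2
directory instead of scanning the raw bytes for UTF-16LE markers.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML documents are zip containers

# OLE2 directory entries hold stream names as UTF-16LE, so encode the markers the same way.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros", "VBA")]
ENCRYPTED_MARKERS = [s.encode("utf-16-le") for s in ("EncryptedPackage", "EncryptionInfo")]


def classify(blob: bytes) -> dict:
    """Return which of the three properties the attachment bytes exhibit."""
    result = {"old_macro": False, "new_macro": False, "encrypted": False}

    if blob.startswith(OLE2_MAGIC):
        # Encrypted OOXML is an OLE2 container; check that first so a protected
        # file is reported as protected rather than as a legacy macro document.
        if any(m in blob for m in ENCRYPTED_MARKERS):
            result["encrypted"] = True
        elif any(m in blob for m in VBA_MARKERS):
            # Heuristic: a legacy .doc/.xls with macros carries a Macros/VBA storage.
            # Raw scanning can false-positive on 16-bit document text; acceptable for a demo.
            result["old_macro"] = True
    elif blob.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return result
        # Word/Excel/PowerPoint keep VBA in <part>/vbaProject.bin (e.g. word/vbaProject.bin).
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            result["new_macro"] = True
    return result


def build_samples() -> dict:
    """Constructed inputs (not real attachments): just enough bytes to exercise each branch."""
    def ole(*streams):
        body = b"\x00" * 64 + b"".join(s.encode("utf-16-le") + b"\x00" * 8 for s in streams)
        return OLE2_MAGIC + body

    def ooxml(with_macro):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            if with_macro:
                zf.writestr("word/vbaProject.bin", b"\x00" * 16)
        return buf.getvalue()

    return {
        "doc_plain": ole("WordDocument", "1Table"),
        "doc_macro": ole("WordDocument", "Macros", "VBA", "_VBA_PROJECT"),
        "doc_encrypted": ole("EncryptionInfo", "EncryptedPackage"),
        "docx_plain": ooxml(False),
        "docm_macro": ooxml(True),
    }


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:14s} {classify(blob)}")
```

Each flag maps naturally onto its own SpamAssassin rule, and the meta-rule question above then becomes a matter of combining those hits with other signals (for example a macro hit together with `BAYES_00` as a likely-legitimate combination); the plugin's actual rule names are not given in this thread, so they are not assumed here.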