Hello, we use the settings posted by Dino and recently ClamAV detected MS office macros (Heuristics.OLE2.ContainsMacros) in several mails with attached pdf files. I guess these mails contained the Jaff ransomware.
Regards,
Christian

-----Original Message-----
From: amavis-users [mailto:amavis-users-bounces+christian.hoyer-reuther=cac-chem...@amavis.org] On Behalf Of Dino Edwards
Sent: Tuesday, May 30, 2017 4:17 PM
To: amavis-users@amavis.org
Subject: RE: block exe in pdf-files?

I think you are right. Probably not. If you are using clamav, I wonder if setting the following in clamav would give you the desired result?

ScanOLE2 true
OLE2BlockMacros true
ScanPDF true

-----Original Message-----
From: amavis-users [mailto:amavis-users-bounces+dino.edwards=mydirectmail....@amavis.org] On Behalf Of Jakob Curdes
Sent: Tuesday, May 30, 2017 10:03 AM
To: amavis-users@amavis.org
Subject: Re: block exe in pdf-files?

But would this work for a docm that needs to be extracted from a PDF? I was not aware that amavisd or the tools it uses are able to extract stuff embedded in a pdf.

JC

On 30.05.2017 at 15:38, Dino Edwards wrote:
> Have you tried the following in your file rule?
>
> [qr'.\.(docm)$'ix => 1],
> [qr'.\.(dotm)$'ix => 1],
> [qr'.\.(xlsm)$'ix => 1],
> [qr'.\.(xltm)$'ix => 1]
>
> The above SHOULD block macro enabled office docs.
>
>
> -----Original Message-----
> From: amavis-users
> [mailto:amavis-users-bounces+dino.edwards=mydirectmail....@amavis.org]
> On Behalf Of Daniel Rieken
> Sent: Tuesday, May 30, 2017 9:02 AM
> To: amavis-users@amavis.org
> Subject: block exe in pdf-files?
>
> Hello,
>
> is it possible to block exe- or docm/xlsm/pptm-files inside of PDF-files?
>
> The new Jaff ransomware is sending a PDF-file with a docm inside this PDF. So
> I would like to be able to block these emails with amavisd-new...
>
>
> Cheers!
> Daniel
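
Added example, not part of the thread and not amavisd-new or ClamAV code: the four name rules quoted above, carried over to Python and applied both to the outer attachment name and to the file names found in a PDF's file specification entries, to show that a name rule only fires on a name it is actually given. The function names and the sample PDF bytes are constructed for illustration.

```python
import re

# Dino's four name rules from the thread, carried over from Perl qr'...'ix.
BANNED = [re.compile(p, re.I | re.X) for p in
          (r'.\.(docm)$', r'.\.(dotm)$', r'.\.(xlsm)$', r'.\.(xltm)$')]

# /F or /UF key of a file specification, followed by a literal string (...)
# or a hex string <...>. Heuristic: names inside compressed object streams or
# containing unescaped nested parentheses are not seen.
NAME_KEY = re.compile(
    rb'/(?:UF|F)\s*(?:\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]*)>)', re.S)

def _decode(raw):
    # /UF strings are usually UTF-16BE with a byte order mark.
    if raw.startswith(b'\xfe\xff'):
        return raw[2:].decode('utf-16-be', 'replace')
    return raw.decode('latin-1')

def embedded_names(pdf):
    """Return the distinct file names found in file specification entries."""
    names = []
    for m in NAME_KEY.finditer(pdf):
        if m.group(2) is not None:                      # hex string
            digits = re.sub(rb'\s', b'', m.group(2))
            digits += b'0' * (len(digits) % 2)          # odd length: pad with 0
            raw = bytes.fromhex(digits.decode('ascii'))
        else:                                           # literal string
            raw = re.sub(rb'\\([\\()])', rb'\1', m.group(1))
        name = _decode(raw)
        if name and name not in names:
            names.append(name)
    return names

def banned(name):
    return any(rule.search(name) for rule in BANNED)

def verdict(attachment_name, pdf):
    """Apply the name rules to the outer name and to every embedded name."""
    return {'outer_banned': banned(attachment_name),
            'inner_banned': [n for n in embedded_names(pdf) if banned(n)]}

# Constructed sample: a PDF fragment with one embedded-file specification.
SAMPLE_PDF = (
    b'%PDF-1.5\n5 0 obj\n<< /Type /Filespec /F (invoice.docm) '
    b'/UF <FEFF0069006E0076006F006900630065002E0064006F0063006D> '
    b'/EF << /F 6 0 R >> >>\nendobj\n'
    b'6 0 obj\n<< /Type /EmbeddedFile /Length 4 >>\nstream\nPK\x03\x04\n'
    b'endstream\nendobj\n')

if __name__ == '__main__':
    print(verdict('invoice.pdf', SAMPLE_PDF))
```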