Hi everyone, has anyone any idea how to solve this? :|

In the meantime I found a workaround by overwriting "virus_name_to_spam_score_maps" in my policy bank, e.g.:

$policy_bank{'FROM_INTERNAL'} = {
  ...
  virus_name_to_spam_score_maps => [new_RE(
    [ qr'^Heuristics\.OLE2\.ContainsMacros' => 0.001 ],
  )],
};

However, I do not like this solution because the virus_name_to_spam_score_maps variable is defined in the amavisd main script; you can check this as follows:

grep -A50 'virus_name_to_spam_score_maps =' /usr/sbin/amavisd

Unfortunately I could not find a way to append only that single line to the variable, so this means I would have to copy & paste the whole contents of the variable into my custom policy bank. This is something I would really like to avoid, since it means that I would always have to check the contents of the "virus_name_to_spam_score_maps" variable whenever the amavisd-new package gets upgraded...

Cheers
Jan

----- Original Message -----
| From: "Jan Engels" <jan.eng...@desy.de>
| To: amavis-users@amavis.org
| Sent: Wednesday, September 4, 2019 1:05:24 PM
| Subject: Handling Heuristics.OLE2.ContainsMacros in amavis policy banks
|
| Hi everyone,
|
| I've configured ClamAV to block VBA macros by enabling the following option:
|
| /etc/clamd.d/amavisd.conf
|
| # With this option enabled OLE2 files containing VBA macros, which were not
| # detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
| AlertOLE2Macros yes
|
|
| However, I would like to configure amavis to only block macros for external
| mails, i.e. not for the MYNETS policy. ("MYNETS" is called "FROM_INTERNAL" in my
| configuration, see below.)
|
|
| I've tried different things, for example redefining the ClamAV scanner in my
| "FROM_INTERNAL" policy bank:
|
|
| $policy_bank{'FROM_INTERNAL'} = {
|   forward_method => 'smtp:[127.0.0.1]:10028',
|   av_scanners => [
|
|     ### http://www.clamav.net/
|     ['ClamAV-clamd',
|       \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
|       qr/\bOK$/m, qr/\bFOUND$/m,
|       #qr/\b(OK|Heuristics\.OLE2\.ContainsMacros)$/m, qr/\bFOUND$/m, ### WHITELIST MACROS NOT WORKING
|       qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
|   ],
|   #banned_filename_maps => ['DEFAULT'],
|   banned_filename_maps => ['BAN_RULES_FROM_INTERNAL'],
| };
|
|
| And I've also tried to whitelist in banned_filename_maps:
|
| %banned_rules = (
|   'NO-MS-EXEC' => new_RE( qr'^\.(exe-ms)$' ),
|   'PASSALL'    => new_RE( [qr'^' => 0] ),
|   'ALLOW_EXE'  => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
|   'ALLOW_VBS'  => new_RE( [qr'.\.vbs$' => 0] ),
|   'NO-VIDEO'   => new_RE( qr'^\.movie$',
|                           qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i, ),
|   'NO-MOVIES'  => new_RE( qr'^\.movie$', qr'.\.(mpg|avi|mov)$'i, ),
|   'MYNETS-DEFAULT' => new_RE( [ qr'^\.(rpm|cpio|tar)$' => 0 ],
|                               qr'.\.(vbs|pif|scr)$'i, ),
|   'DEFAULT' => $banned_filename_re,
|   'BAN_RULES_FROM_INTERNAL' => new_RE(
|     [ qr'^\.(deb|cpio|rpm|pgp)$' => 0 ],             # allowed file(1) types
|     [ qr'^application/pgp-encrypted$' => 0 ],        # allow pgp encrypted mails
|     [ qr'^Heuristics\.OLE2\.ContainsMacros$' => 0 ], ### WHITELIST MACROS NOT WORKING
|     #qr'^UNDECIPHERABLE$',
|     qr'^\.(exe|java|lha|cab|dll)$',                  # banned file(1) types
|     #qr'^application/x-msdownload$'i,                # block these MIME types
|     qr'^application/x-msdos-program$'i,
|     qr'^application/hta$'i,
|     # block certain double extensions in filenames
|     qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
|     # banned extensions - long
|     qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|exe|fxp|grp|hlp|hta|inf|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$'ix,
|     qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,            # banned extension - WinZip vulnerab.
|   ),
| );
|
|
|
| You can see the lines ending with: "### WHITELIST MACROS NOT WORKING"
|
|
| Any help would be greatly appreciated.
|
| Cheers
| Jan
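Editor's note, added here as an example and not a reply from the thread: the workaround above replaces the whole default table because the policy-bank key is a list of lookup tables that amavis consults in order, first match wins. That ordering can be used to prepend a single table and then splice in the unmodified defaults, so the bank follows whatever the packaged amavisd ships after an upgrade. The fragment below assumes that amavisd.conf is evaluated in the same package in which the default @virus_name_to_spam_score_maps array is assigned (so the array is visible by name in the config, the same way $banned_filename_re is used above); that is an assumption to verify against your amavisd script before relying on it.

```perl
# Added example, not from the original thread.
# Assumption: the default @virus_name_to_spam_score_maps set in the amavisd
# main script is in scope here, because amavisd.conf is read into the same
# package. Verify on your installation, e.g.:
#   grep -n 'virus_name_to_spam_score_maps =' /usr/sbin/amavisd
# Lookup tables in a *_maps list are tried in order and the first match wins,
# so the one-entry table placed first overrides the defaults for that name
# only; every other name still falls through to the shipped defaults.
$policy_bank{'FROM_INTERNAL'} = {
  forward_method => 'smtp:[127.0.0.1]:10028',
  virus_name_to_spam_score_maps => [
    new_RE( [ qr'^Heuristics\.OLE2\.ContainsMacros' => 0.001 ] ),
    @virus_name_to_spam_score_maps,   # the unmodified defaults follow
  ],
};
```

Because the array is expanded when the config is loaded, the bank picks up any changes the package upgrade makes to the defaults at the next amavisd start, without the table having to be copied into the config. The external (non-MYNETS) banks are left untouched, so mail from outside still has the ClamAV heuristic treated as an infection there.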