On 8/25/2016 3:10 PM, Steve Basford wrote:
Try this:
1) Enable OLE2BlockMacros and restart clamd
2) Use clamdscan to test your sample message and note the results
3) Disable OLE2BlockMacros and restart clamd
4) Use clamdscan to test your sample message again and note these results
Something else...
In amavisd-new there are virus_name_to_spam_score_maps
For example:
http://sanesecurity.com/support/problems/
If the setting to block macros is enabled in ClamAV and is actually hitting,
it should hit with Heuristics.OLE2.ContainsMacros
But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
Heuristics.OLE2.ContainsMacros so, it might let the email through but
just mark it, instead of blocking it?
Eg...
# [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],# keep as infected
Does that change things?
I think the issue is that he wants to block recognized viruses, but only
mark heuristic matches.
--
Bowie