Hi,

>> I'm using spamassassin on fedora with amavisd. Is there something that
>> can be done to at least tag them in some way so the end-user knows
>> it's a potential threat?
>
> reject attachments with macros or add a clamd instance connected to the
> clamav-sa-plugin with a high score as I told you after you asked exactly
> the same on the SA mailing-list
>
> [root@mail-gw:/etc/clamd.d]$ cat scan.conf | grep OLE2BlockMacros
> OLE2BlockMacros no
>
> [root@mail-gw:/etc/clamd.d]$ cat scan-sa.conf | grep OLE2BlockMacros
> OLE2BlockMacros yes

Reindl, I appreciate your input, but I can't just outright reject docs with macros. We're also talking about password-protected Word documents here, not macro documents.

However, it would be interesting to set up another instance of clamav in amavisd that could be used by spamassassin to indicate the attachment has a macro, then use meta rules to perhaps add a few points based on other characteristics.

I also believe the OLE2BlockMacros/HeuristicScanPrecedence settings on clamav are confusing and otherwise broken. Are you aware of these issues, as they were outlined by David Shrimpton some time ago?

I currently have HeuristicScanPrecedence and OLE2BlockMacros set to the default no. I'd just like the ability to classify files with Word macro viruses as such, while also marking non-virus macro attachments as just having macros, so I can build meta rules as I described above.

Is that something that can be done? Ideas for how to actually implement it?

Thanks,
Alex