On 05.10.2016 at 20:02, Alex wrote:
>>> I'm using spamassassin on fedora with amavisd. Is there something that
>>> can be done to at least tag them in some way so the end-user knows
>>> it's a potential threat?
>>
>> reject attachments with macros or add a clamd instance connected to the
>> clamav-sa-plugin with a high score as i told you after you asked exactly
>> the same on the SA mailing-list
>>
>> [root@mail-gw:/etc/clamd.d]$ cat scan.conf | grep OLE2BlockMacros
>> OLE2BlockMacros no
>> [root@mail-gw:/etc/clamd.d]$ cat scan-sa.conf | grep OLE2BlockMacros
>> OLE2BlockMacros yes
>
> Reindl, I appreciate your input, but I can't just outright reject docs
> with macros. We're also talking about password-protected Word
> documents here, not macro documents

guess why i fixed the clamav-plugin for spamassassin and there are *two*
instances like you can see above...

reject is above 8.0 and the rest is done by bayes to avoid FP and other
rules to make sure it's crap

[root@mail-gw:/etc/mail/spamassassin]$ cat clamav.cf
ifplugin Mail::SpamAssassin::Plugin::ClamAV
full CLAMAV_JNK eval:check_clamav('/run/clamd/clamd-sa.sock')
describe CLAMAV_JNK ClamAV detected malware/phishing/junk
priority CLAMAV_JNK 800
score CLAMAV_JNK 6.0
full CLAMAV_MLW eval:check_clamav('/run/clamd/clamd.sock')
describe CLAMAV_MLW ClamAV detected malware/phishing
priority CLAMAV_MLW 800
score CLAMAV_MLW 9.9
endif
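
Added example, not part of the message above and not code from ClamAV or SpamAssassin: a small lint for the two-instance layout described in the thread. It checks that no clamd instance with OLE2BlockMacros enabled feeds a rule whose score alone reaches the 8.0 reject level. The LocalSocket lines in the sample clamd configs are assumptions; the thread shows only the OLE2BlockMacros lines.

```python
import re

REJECT_THRESHOLD = 8.0  # from the thread: "reject is above 8.0"

# Constructed sample inputs. CLAMAV_CF repeats rules from the posted clamav.cf;
# the LocalSocket values in CLAMD_CONFS are assumed, not taken from the thread.
CLAMAV_CF = """
full CLAMAV_JNK eval:check_clamav('/run/clamd/clamd-sa.sock')
score CLAMAV_JNK 6.0
full CLAMAV_MLW eval:check_clamav('/run/clamd/clamd.sock')
score CLAMAV_MLW 9.9
"""
CLAMD_CONFS = {
    "scan.conf": "LocalSocket /run/clamd/clamd.sock\nOLE2BlockMacros no\n",
    "scan-sa.conf": "LocalSocket /run/clamd/clamd-sa.sock\nOLE2BlockMacros yes\n",
}

def parse_rules(cf_text):
    """Map rule name -> {'socket': ..., 'score': ...} from a clamav.cf body."""
    rules = {}
    for m in re.finditer(r"^\s*full\s+(\S+)\s+eval:check_clamav\('([^']+)'\)", cf_text, re.M):
        rules.setdefault(m.group(1), {})["socket"] = m.group(2)
    for m in re.finditer(r"^\s*score\s+(\S+)\s+([\d.]+)", cf_text, re.M):
        rules.setdefault(m.group(1), {})["score"] = float(m.group(2))
    return rules

def parse_clamd(conf_text):
    """Return clamd options as a dict, ignoring comments and blank lines."""
    lines = (l.split("#", 1)[0].split(None, 1) for l in conf_text.splitlines())
    return {p[0]: p[1].strip() for p in lines if len(p) == 2}

def audit(cf_text, clamd_confs, threshold=REJECT_THRESHOLD):
    """List rules whose macro-blocking clamd instance could reject on its own."""
    by_socket = {}
    for name, text in clamd_confs.items():
        opts = parse_clamd(text)
        by_socket[opts.get("LocalSocket")] = (name, opts)
    findings = []
    for rule, r in sorted(parse_rules(cf_text).items()):
        if "socket" not in r:
            continue  # score line for a rule that is not a check_clamav rule
        name, opts = by_socket.get(r["socket"], (None, {}))
        blocks = opts.get("OLE2BlockMacros", "no").lower() == "yes"
        if name is None:
            findings.append(f"{rule}: no clamd instance listens on {r['socket']}")
        elif blocks and r.get("score", 0.0) >= threshold:
            findings.append(f"{rule}: {name} blocks macros, score {r['score']} rejects")
    return findings
```

An empty list from `audit(CLAMAV_CF, CLAMD_CONFS)` means macro hits can only add to the score, leaving bayes and the other rules to decide.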