Ah ha! Some progress:

# First, I'll extract the attachment:
$ ripmime -v -i /var/spool/mqueue/dfuBJBh64e020058
Decoding filename=textfile0
Decoding filename=textfile1
Decoding filename=Payslip_Dec_2016_84286914.doc

# try vanilla clamscan (nothing found):

$ clamscan Payslip_Dec_2016_84286914.doc
Payslip_Dec_2016_84286914.doc: OK

----------- SCAN SUMMARY -----------
Known viruses: 5314698
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.18 MB
Data read: 0.03 MB (ratio 5.75:1)
Time: 6.143 sec (0 m 6 s)
1 21:44:18 root@mail:~

# Next try with block-macros:

$ clamscan --block-macros=yes Payslip_Dec_2016_84286914.doc
Payslip_Dec_2016_84286914.doc: Heuristics.OLE2.ContainsMacros FOUND

----------- SCAN SUMMARY -----------
Known viruses: 5314698
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.03 MB (ratio 0.25:1)
Time: 5.380 sec (0 m 5 s)

Extracting the attachment, then running clamscan --block-macros=yes does
find the "ContainsMacros" notice. Also, reconstructing the email file using both
header and data components as you've instructed works (if I specify
--block-macros=yes, apparently the settings in /usr/local/etc/clamd.conf aren't
used).

Too bad I cannot scan an email datafile directly as that is what is readily
accessible when dealing with the quarantine queue. Perhaps something the clamav
dev folk could look into some day.

My best bet, then, is to extract the df file, then run clamscan on it directly.
That's easier than reconstituting the email.

Thanks for the help. That's what I was looking for!

--Mark

-----Original Message-----
Date: Tue, 20 Dec 2016 07:26:29 +1000 (AEST)
From: David Shrimpton <d.shrimp...@its.uq.edu.au>
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros

> $ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
> Scanning /var/spool/mqueue/dfuBJBh64e020058
> /var/spool/mqueue/dfuBJBh64e020058: OK


The dfuBJBh64e020058 file looks like a sendmail queue datafile, in which
case it would have no email headers and contain only mime encoding eg base64
and just be a plain text file and not an email file to clamav, so scan negative.

If you extract the email file from the queue files, or extract the Office file
from the mime part in the df file and re-scan, this may work.

For a sendmail quarantined queue file, something like the
following will extract the email file:

cat hfuBJBh64e020058 dfuBJBh64e020058 > somefile
Edit somefile to remove the unwanted lines down to the
start of the email headers eg the first H??Received: , then
remove H?? at start of lines and change the '.' on its own at
the end to just a newline (to mark the end of headers)

(Use qf instead of hf for a non quarantine queue file,
 but also bear in mind that queue processing by the mail daemon
 may be writing to a qf but not a hf file.)

Rescan and clamav should recognize it as an email file and extract
and scan any attachments.


--
David Shrimpton
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
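As an added, runnable illustration of both halves of this thread (David's hf + df reconstruction steps and Mark's attachment-extraction approach), and not code from the ClamAV project or from either poster: the script below rebuilds an RFC 822 message from constructed sample queue-file contents and lists the attachments the rebuilt message yields. The H?flags? prefix handling goes slightly beyond David's "remove H??" step, since sendmail also writes flagged header lines such as H?P?Return-Path:. The queue contents, addresses and attachment bytes are all constructed, and the OLE2 magic check only flags a Compound File container as a candidate for clamscan --block-macros=yes; it does not detect macros itself.

```python
"""Rebuild an email from sendmail hf/qf + df queue files and list its
attachments.  Added example for this thread; not ClamAV or sendmail code.
All sample queue contents below are constructed, not captured from a real
queue."""
import base64
import email
import email.policy
import re

# Control-file header lines look like "H?flags?Name: value".  The flag field
# is often empty ("H??Received:") but sendmail also writes flagged headers
# such as "H?P?Return-Path:", so strip the whole "H?...?" prefix.
_HDR_PREFIX = re.compile(r"^H\?[^?]*\?")

# Magic bytes of an OLE2 Compound File (legacy .doc/.xls container).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def reconstruct_message(control_text: str, data_text: str) -> str:
    """Join a control file (hf for quarantine, qf otherwise) with its df body.

    Mirrors the manual steps from the thread: skip everything before the first
    H?..? line, strip the H?..? prefix, stop at the lone '.' that terminates
    the control file, then append a blank line and the df body unchanged.
    """
    headers = []
    in_headers = False
    for line in control_text.splitlines():
        if not in_headers:
            if not _HDR_PREFIX.match(line):
                continue  # V, T, S, R ... lines carry no RFC 822 header text
            in_headers = True
        if line == ".":
            break  # end-of-control-file marker
        m = _HDR_PREFIX.match(line)
        if m:
            headers.append(line[m.end():])
        elif line[:1] in (" ", "\t"):
            headers.append(line)  # folded continuation of the previous header
        # any other line type after the header block starts is ignored
    return "\n".join(headers) + "\n\n" + data_text


def extract_attachments(message_text: str):
    """Return [(filename, payload_bytes, looks_like_ole2)] for each attachment.

    Fed a bare df body (no headers) this returns [], which is the same reason
    clamscan treats the df file as plain text rather than as an email.
    """
    msg = email.message_from_string(message_text, policy=email.policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        found.append((name, data, data.startswith(OLE2_MAGIC)))
    return found


# --- constructed sample input (hypothetical hosts and addresses) -------------
SAMPLE_HF = """V8
T1482171989
S<sender@example.invalid>
R<mark@example.invalid>
H?P?Return-Path: <sender@example.invalid>
H??Received: from relay.example.invalid (localhost [127.0.0.1])
\tby mail.example.invalid (8.15.2) with ESMTP id uBJBh64e020058
H??From: "Payroll" <sender@example.invalid>
H??To: mark@example.invalid
H??Subject: Payslip Dec 2016
H??MIME-Version: 1.0
H??Content-Type: multipart/mixed; boundary="qboundary"
.
"""

# Placeholder attachment: OLE2 magic followed by filler, not a real document.
DOC_BYTES = OLE2_MAGIC + b" constructed placeholder, not a real .doc"
SAMPLE_DF = (
    "--qboundary\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "\n"
    "Please find your payslip attached.\n"
    "--qboundary\n"
    'Content-Type: application/msword; name="Payslip_Dec_2016_84286914.doc"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="Payslip_Dec_2016_84286914.doc"\n'
    "\n"
    + base64.b64encode(DOC_BYTES).decode("ascii") + "\n"
    "--qboundary--\n"
)

if __name__ == "__main__":
    print("df alone:", extract_attachments(SAMPLE_DF))  # [] -> not an email
    rebuilt = reconstruct_message(SAMPLE_HF, SAMPLE_DF)
    for name, data, ole2 in extract_attachments(rebuilt):
        hint = "OLE2 container: scan with clamscan --block-macros=yes" if ole2 else ""
        print(f"{name}: {len(data)} bytes {hint}")
```

Running it against real queue files means reading the hf (or qf) and df files into `control_text` and `data_text`; the rebuilt string can then be written out and handed to clamscan, or the extracted attachment bytes written to a file and scanned directly, which is the shortcut Mark settled on.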
