Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Alex
Hi,

>>> Try this:
>>> 1) Enable OLE2BlockMacros and restart clamd
>>> 2) Use clamdscan to test your sample message and note the results
>>> 3) Disable OLE2BlockMacros and restart clamd
>>> 4) Use clamdscan to test your sample message again and note these results

Very constructive help, thank you. Here are the results with a file
that has a macro virus:

OLE2BlockMacros yes
[root@juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc
/var/tmp/inv_5236420.doc: Heuristics.OLE2.ContainsMacros FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.028 sec (0 m 0 s)

OLE2BlockMacros no
[root@juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc
/var/tmp/inv_5236420.doc: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.272 sec (0 m 0 s)

This is with HeuristicScanPrecedence set to the default No, but it
appears to take precedence anyway, as the scan with OLE2BlockMacros
set to Yes only reports that macros were found, not that a virus was
found.

The motivation for me wanting to do this is because of the large
number of macro viruses that are received before patterns are
available to tag them as viruses, so they are getting through. I'd
like this information to be available from within
amavisd/spamassassin, so I can add points, and otherwise manipulate
the file to make a decision on whether to forward it.

>> For example:
>> http://sanesecurity.com/support/problems/
>>
>> If the setting to block macros is enabled in ClamAV and is actually
>> hitting, it should hit with Heuristics.OLE2.ContainsMacros
>>
>> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
>> Heuristics.OLE2.ContainsMacros so, it might let the email through but
>> just mark it, instead of blocking it?
>>
>> Eg...
>>
>> # [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],  # keep as infected
>>
>> Does that change things?

No, it doesn't change things. I tried commenting it all out then
redoing the OLE2BlockMacros tests. I have previously added the
following to my amavisd.conf:

@virus_name_to_spam_score_maps =
  (new_RE(  # the order matters, first match wins
    [ qr'^Heuristics\.OLE2\.ContainsMacros' => 0.1 ],
  ));

I've also created several spamassassin rules that work off of that,
but in conjunction with the clamav settings, it was causing even the
attachments with macro viruses to be forwarded on.

Thanks,
Alex
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml
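As an added illustration of why the two scans above end in different amavisd outcomes (example code written for this page, not amavisd's or ClamAV's own), the Python below parses constructed copies of the two clamdscan results and applies a first-match-wins score map modelled on @virus_name_to_spam_score_maps; the map representation, decide() and the "block"/"score" verdicts are assumptions made here, not amavisd APIs.

```python
import re

# Constructed copies of the two clamdscan results reported in the post
# (same sample file, OLE2BlockMacros yes vs no); embedded sample data,
# not captured scanner output.
SCAN_BLOCKMACROS_YES = """\
/var/tmp/inv_5236420.doc: Heuristics.OLE2.ContainsMacros FOUND

--- SCAN SUMMARY ---
Infected files: 1
"""
SCAN_BLOCKMACROS_NO = """\
/var/tmp/inv_5236420.doc: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Infected files: 1
"""

# Assumed model of amavisd's @virus_name_to_spam_score_maps semantics as the
# thread describes them: ordered (regex, score) pairs, first match wins; None
# stands in for Perl's undef, meaning "keep as infected" (block the message).
SCORE_MAP = [  # the map from the post: heuristic macro hits only add 0.1 points
    (re.compile(r"^Heuristics\.OLE2\.ContainsMacros"), 0.1),
]
STRICT_MAP = [  # the suggested alternative: keep heuristic macro hits infected
    (re.compile(r"^Heuristics\.OLE2\.ContainsMacros"), None),
]

# clamdscan reports each detection as "<path>: <name> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<name>\S+) FOUND$")


def parse_hits(output):
    """Return (path, virus_name) pairs found in clamdscan output."""
    hits = []
    for line in output.splitlines():
        m = FOUND_RE.match(line)
        if m:
            hits.append((m.group("path"), m.group("name")))
    return hits


def decide(virus_name, score_map=SCORE_MAP):
    """First matching entry decides: a number means deliver and add points,
    None (undef) means keep as infected; names not in the map stay infected."""
    for pattern, score in score_map:
        if pattern.search(virus_name):
            return ("block", None) if score is None else ("score", score)
    return ("block", None)


def verdicts(output, score_map=SCORE_MAP):
    """Verdict per detection: with OLE2BlockMacros=yes clamd names only the
    heuristic, so the macro virus is scored (delivered) rather than blocked."""
    return [(name, decide(name, score_map)) for _, name in parse_hits(output)]
```

With OLE2BlockMacros set to Yes the only name clamd returns is the heuristic one, so the same file that stays infected with the setting off is delivered with 0.1 points.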

Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Reindl Harald



On 25.08.2016 at 20:39, Alex wrote:
> Maybe I should have stated my question more simply:
>
> What is the purpose of the OLE2BlockMacros option? What happens when
> it's set to "Yes"?

every message with an attachment containing macros hits clamd

> What happens when it's set to "No"?

every message with attachments containing macros doesn't hit clamd as
long as it doesn't hit a specific signature

what's so difficult to understand?





Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Steve Basford

On Thu, August 25, 2016 9:20 pm, Dennis Peterson wrote:

>> I think the issue is that he wants to block recognized viruses, but
>> only mark heuristic matches.
>>
> That would be a scoring task in Amavisd.
>

Maybe...

# [ qr'^Heuristics\.OLE2\.ContainsMacros' => 0.1 ],

So, allocate a score and deliver

use HeuristicScanPrecedence as indicated in earlier post

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Bowie Bailey

On 8/25/2016 4:20 PM, Dennis Peterson wrote:
> On 8/25/16 1:10 PM, Bowie Bailey wrote:
>> On 8/25/2016 3:10 PM, Steve Basford wrote:
>>>> Try this:
>>>> 1) Enable OLE2BlockMacros and restart clamd
>>>> 2) Use clamdscan to test your sample message and note the results
>>>> 3) Disable OLE2BlockMacros and restart clamd
>>>> 4) Use clamdscan to test your sample message again and note these
>>>> results
>>>
>>> Something else...
>>>
>>> In amavisd-new there are virus_name_to_spam_score_maps
>>>
>>> For example:
>>> http://sanesecurity.com/support/problems/
>>>
>>> If the setting to block macros is enabled in ClamAV and is actually
>>> hitting, it should hit with Heuristics.OLE2.ContainsMacros
>>>
>>> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
>>> Heuristics.OLE2.ContainsMacros so, it might let the email through but
>>> just mark it, instead of blocking it?
>>>
>>> Eg...
>>>
>>> # [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],  # keep as infected
>>>
>>> Does that change things?
>>
>> I think the issue is that he wants to block recognized viruses, but
>> only mark heuristic matches.
>
> That would be a scoring task in Amavisd.

Right, but the issue is that files that should have been blocked as
viruses were instead marked and allowed through with heuristic matches.
A previous poster may have hit on the right answer.  If he has enabled
HeuristicScanPrecedence in clamd.conf, that would explain this behavior.


--
Bowie

Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Dennis Peterson

On 8/25/16 1:10 PM, Bowie Bailey wrote:
> On 8/25/2016 3:10 PM, Steve Basford wrote:
>>> Try this:
>>> 1) Enable OLE2BlockMacros and restart clamd
>>> 2) Use clamdscan to test your sample message and note the results
>>> 3) Disable OLE2BlockMacros and restart clamd
>>> 4) Use clamdscan to test your sample message again and note these results
>>
>> Something else...
>>
>> In amavisd-new there are virus_name_to_spam_score_maps
>>
>> For example:
>> http://sanesecurity.com/support/problems/
>>
>> If the setting to block macros is enabled in ClamAV and is actually hitting,
>> it should hit with Heuristics.OLE2.ContainsMacros
>>
>> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
>> Heuristics.OLE2.ContainsMacros so, it might let the email through but
>> just mark it, instead of blocking it?
>>
>> Eg...
>>
>> # [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],  # keep as infected
>>
>> Does that change things?
>
> I think the issue is that he wants to block recognized viruses, but only mark
> heuristic matches.

That would be a scoring task in Amavisd.


dp


Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Bowie Bailey

On 8/25/2016 3:10 PM, Steve Basford wrote:
>> Try this:
>> 1) Enable OLE2BlockMacros and restart clamd
>> 2) Use clamdscan to test your sample message and note the results
>> 3) Disable OLE2BlockMacros and restart clamd
>> 4) Use clamdscan to test your sample message again and note these results
>
> Something else...
>
> In amavisd-new there are virus_name_to_spam_score_maps
>
> For example:
> http://sanesecurity.com/support/problems/
>
> If the setting to block macros is enabled in ClamAV and is actually hitting,
> it should hit with Heuristics.OLE2.ContainsMacros
>
> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
> Heuristics.OLE2.ContainsMacros so, it might let the email through but
> just mark it, instead of blocking it?
>
> Eg...
>
> # [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],  # keep as infected
>
> Does that change things?

I think the issue is that he wants to block recognized viruses, but only
mark heuristic matches.


--
Bowie

Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Steve Basford
>
> Try this:
> 1) Enable OLE2BlockMacros and restart clamd
> 2) Use clamdscan to test your sample message and note the results
> 3) Disable OLE2BlockMacros and restart clamd
> 4) Use clamdscan to test your sample message again and note these results
>
>
Something else...

In amavisd-new there are virus_name_to_spam_score_maps

For example:
http://sanesecurity.com/support/problems/

If the setting to block macros is enabled in ClamAV and is actually hitting,
it should hit with Heuristics.OLE2.ContainsMacros

But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
Heuristics.OLE2.ContainsMacros so, it might let the email through but
just mark it, instead of blocking it?

Eg...

# [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],  # keep as infected

Does that change things?

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity


Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Bowie Bailey

On 8/25/2016 2:39 PM, Alex wrote:
> Hi,
>
>>> When this option is set to Yes, the
>>> emails are tagged, but even emails with macro virus attachments are
>>> forwarded on, not blocked
>>
>> problem is that you don't understand your mailsystem, clamd itself only
>> gives back which signatures are hit and then the glue (amavis or
>> clamav-milter or something like that) makes decisions about what happens
>> with the message
>
> No, I understand my mail system. You are assuming I don't understand
> the mail system because it's easy for you to answer in that way rather
> than look at the whole context of the post. I never said that I
> expected clamav to actually block the viruses itself. Of course I
> understand amavisd is responsible for that. In case there was some
> confusion before, let it be known I understand clamav is not
> responsible for the destiny of the email.
>
> I'm talking about the clamav OLE2BlockMacros option. This is a
> clamav option, not an amavis option.
>
> Maybe I should have stated my question more simply:
>
> What is the purpose of the OLE2BlockMacros option? What happens when
> it's set to "Yes"? What happens when it's set to "No"?


What seems to be missing from this discussion is any kind of concrete 
troubleshooting.


You say that when you enable OLE2BlockMacros that messages that should 
have been blocked by a third party signature are allowed through.  Do 
you have one of those messages saved that you can test with?


Try this:
1) Enable OLE2BlockMacros and restart clamd
2) Use clamdscan to test your sample message and note the results
3) Disable OLE2BlockMacros and restart clamd
4) Use clamdscan to test your sample message again and note these results

This will show you the difference in the results with OLE2BlockMacros 
enabled vs disabled and may help in determining the problem.


--
Bowie


Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Dennis Peterson

In the source code for clamd this is found:

if(optget(opts, "ScanOLE2")->enabled) {
logg("OLE2 support enabled.\n");
options |= CL_SCAN_OLE2;
if(optget(opts, "OLE2BlockMacros")->enabled) {
logg("OLE2: Blocking all VBA macros.\n");
options |= CL_SCAN_BLOCKMACROS;
}
} else {
logg("OLE2 support disabled.\n");
}


It would appear the option, if set, returns a positive hit for any VBA macro.
This action also requires the ScanOLE2 option to be enabled (which is the default).


dp

On 8/25/16 11:39 AM, Alex wrote:
> Hi,
>
>>> When this option is set to Yes, the
>>> emails are tagged, but even emails with macro virus attachments are
>>> forwarded on, not blocked
>>
>> problem is that you don't understand your mailsystem, clamd itself only
>> gives back which signatures are hit and then the glue (amavis or
>> clamav-milter or something like that) makes decisions about what happens
>> with the message
>
> No, I understand my mail system. You are assuming I don't understand
> the mail system because it's easy for you to answer in that way rather
> than look at the whole context of the post. I never said that I
> expected clamav to actually block the viruses itself. Of course I
> understand amavisd is responsible for that. In case there was some
> confusion before, let it be known I understand clamav is not
> responsible for the destiny of the email.
>
> I'm talking about the clamav OLE2BlockMacros option. This is a
> clamav option, not an amavis option.
>
> Maybe I should have stated my question more simply:
>
> What is the purpose of the OLE2BlockMacros option? What happens when
> it's set to "Yes"? What happens when it's set to "No"?


Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Noel Jones
On 8/25/2016 1:39 PM, Alex wrote:
> Hi,
> 
>>> When this option is set to Yes, the
>>> emails are tagged, but even emails with macro virus attachments are
>>> forwarded on, not blocked
>>
>> problem is that you don't understand your mailsystem, clamd itself only
>> gives back which signatures are hit and then the glue (amavis or
>> clamav-milter or something like that) makes decisions about what happens
>> with the message
> 
> No, I understand my mail system. You are assuming I don't understand
> the mail system because it's easy for you to answer in that way rather
> than look at the whole context of the post. I never said that I
> expected clamav to actually block the viruses itself. Of course I
> understand amavisd is responsible for that. In case there was some
> confusion before, let it be known I understand clamav is not
> responsible for the destiny of the email.
> 
> I'm talking about the clamav OLE2BlockMacros option. This is a
> clamav option, not an amavis option.
> 
> Maybe I should have stated my question more simply:
> 
> What is the purpose of the OLE2BlockMacros option? What happens when
> it's set to "Yes"? What happens when it's set to "No"?


Perhaps you missed this setting:

# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes





Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Alex
Hi,

>> When this option is set to Yes, the
>> emails are tagged, but even emails with macro virus attachments are
>> forwarded on, not blocked
>
> problem is that you don't understand your mailsystem, clamd itself only
> gives back which signatures are hit and then the glue (amavis or
> clamav-milter or something like that) makes decisions about what happens
> with the message

No, I understand my mail system. You are assuming I don't understand
the mail system because it's easy for you to answer in that way rather
than look at the whole context of the post. I never said that I
expected clamav to actually block the viruses itself. Of course I
understand amavisd is responsible for that. In case there was some
confusion before, let it be known I understand clamav is not
responsible for the destiny of the email.

I'm talking about the clamav OLE2BlockMacros option. This is a
clamav option, not an amavis option.

Maybe I should have stated my question more simply:

What is the purpose of the OLE2BlockMacros option? What happens when
it's set to "Yes"? What happens when it's set to "No"?


Re: [clamav-users] Understanding OLE2BlockMacros

2016-08-25 Thread Reindl Harald



On 24.08.2016 at 21:37, Alex wrote:
> It appears that using OLE2BlockMacros causes attachments with macros,
> viruses or not, to just be marked by amavis with the
> Heuristics.OLE2.ContainsMacros. However, when it's set it no longer
> blocks them but forwards them on.
>
> Is this the intended behavior?

"Heuristics.OLE2.ContainsMacros" does exactly what the option says - it hits
on attachments which contain *any* macro

> Is there no way to configure it to mark emails with macro attachments
> and block the ones with macro attachments with viruses?

known viruses are hit by signatures and so on - the whole purpose of
Heuristics is to hit on *unknown* incarnations

> I don't believe that's true

we are far away from believing here

> When this option is set to Yes, the
> emails are tagged, but even emails with macro virus attachments are
> forwarded on, not blocked

problem is that you don't understand your mailsystem, clamd itself only
gives back which signatures are hit and then the glue (amavis or
clamav-milter or something like that) makes decisions about what happens
with the message

this is NOT a clamav topic
again: this is an amavis topic

> For example, yesterday there were hundreds
> of the Sanesecurity.Badmacro.Doc.valloc virus received. The system
> with OLE2BlockMacros enabled forwarded these on to the user,

then fix your system which is *using* clamav

on my spamassassin setup they hit clamd (one of 2 instances with
different signatures and settings) and hence get 6.0 points - period



