Re: [clamav-users] CryLocker and Cryptolocker

2016-09-15 Thread Kris Deugau
Matus UHLAR - fantomas wrote:
> On 15.09.16 00:51, Reindl Harald wrote:
>> frankly i have seen companies blocking every .doc and .xls attachment
>> with a reject info that you should use .docx and .xlsx because they
>> can't contain macros (would be .docm for the new formats)
> 
> .docm is docx with macros, so they would want to block them too :-)

... and there's nothing stopping a malicious sender (human or program)
from misrepresenting a document to bypass filename-based filters.

-kgd
___
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] Suggestion: Need option to "Block Skipped Files" and Scan Summary to indicate "Skipped files"

2016-09-15 Thread Steven Morgan
Hi,

There will be an option --block-max (clamd - BlockMax) in ClamAV 0.99.3.

Steve

On Thu, Sep 15, 2016 at 1:44 AM, Andy Schmidt wrote:

> Hi,
>
> I didn't know if I was supposed to use the "Bug Reporting" system, as this
> really is reporting an issue with how the software operates "as designed".
>
> Currently, ClamAV will indicate whether an infected file was found - THAT
> condition is non-ambiguous.
>
> However, when ClamAV reports:
>
> --- SCAN SUMMARY ---
> Infected files: 0
>
> It actually can be highly misleading.
>
> If one of the scanned files exceeded some of the limits, such as:
>
> MaxScanSize 150M
> MaxFileSize 150M
> #MaxRecursion 16
> #MaxFiles 1
>
> then the actual "infected" status of that file is completely unknown! The
> end-user has no warning that the file was NOT virus-scanned!
>
> May I respectfully suggest:
>
> a) A config option "BlockSkipped yes"
> (equivalent to the already existing "ArchiveBlockEncrypted yes").
> This way, the user can opt to receive a specific message indicating which
> limit prevented a file from being scanned, rather than being "lulled" into
> thinking that everything is "A-OK".
> An automated process that incorporates ClamAV would be able to take a
> different path, e.g., require the user to scrutinize the file more
> carefully.
>
> b) An appropriate line in the SCAN SUMMARY, e.g.:
> --- SCAN SUMMARY ---
> Infected files: 0
> Skipped files: 1
> Time: 1.610 sec (0 m 1 s)
>
> Thanks for giving this suggestion your consideration.
>
> Best Regards
> Andy Schmidt


Re: [clamav-users] CryLocker and Cryptolocker

2016-09-15 Thread Reindl Harald

On 15.09.2016 at 10:12, Matus UHLAR - fantomas wrote:
> On 14.09.2016 at 17:47, Alex wrote:
>> The problem with setting OLE2BlockMacros to yes is that if you don't
>> implement your own signatures against macro code, setting
>> OLE2BlockMacros Yes effectively causes Heuristics.OLE2.ContainsMacros
>> to be returned and disables all official and unofficial signatures.
>> If OLE2BlockMacros is Yes then the only option is to treat every file
>> with macros as a virus and eg discard if you want to block the files
>> that do contain a macro virus, as outlined by David Shrimpton on this
>> list a few weeks ago
>
> On 15.09.16 00:51, Reindl Harald wrote:
>> which is the whole point
>>
>> it's impossible to get them all caught with signatures because they
>> change all the time and so if you want to be sure you need to treat
>> every office macro as bad - they don't belong into emails these days
>>
>> frankly i have seen companies blocking every .doc and .xls attachment
>> with a reject info that you should use .docx and .xlsx because they
>> can't contain macros (would be .docm for the new formats)
>
> .docm is docx with macros, so they would want to block them too :-)

did i say anything else?

i just pointed out that people even start to block FILETYPES which
*could* contain macros



Re: [clamav-users] CryLocker and Cryptolocker

2016-09-15 Thread Matus UHLAR - fantomas

> On 14.09.2016 at 17:47, Alex wrote:
>> The problem with setting OLE2BlockMacros to yes is that if you don't
>> implement your own signatures against macro code, setting
>> OLE2BlockMacros Yes effectively causes Heuristics.OLE2.ContainsMacros
>> to be returned and disables all official and unofficial signatures.
>> If OLE2BlockMacros is Yes then the only option is to treat every file
>> with macros as a virus and eg discard if you want to block the files
>> that do contain a macro virus, as outlined by David Shrimpton on this
>> list a few weeks ago

On 15.09.16 00:51, Reindl Harald wrote:
> which is the whole point
>
> it's impossible to get them all caught with signatures because they
> change all the time and so if you want to be sure you need to treat
> every office macro as bad - they don't belong into emails these days
>
> frankly i have seen companies blocking every .doc and .xls attachment
> with a reject info that you should use .docx and .xlsx because they
> can't contain macros (would be .docm for the new formats)

.docm is docx with macros, so they would want to block them too :-)
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
It's now safe to throw off your computer.
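As an added illustration of two points made in this thread (Kris Deugau's remark that a sender can misrepresent a document to slip past filename-based filters, and the exchange above about .docx lacking macros while .docm carries them), here is a content-based attachment check written for this page; it is not code from ClamAV or from anyone on the list. It classifies an attachment by its container bytes alone, treats a VBA project part inside an OOXML package as macro-capable whatever the file is called, and flags a mismatch between the claimed extension and the actual content. The policy in verdict() and the in-memory sample packages are constructed for the example.

```python
import io
import zipfile

# Header of the legacy OLE2 compound-file container used by .doc/.xls.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OOXML_EXTS = {"docx", "xlsx", "pptx", "docm", "xlsm", "pptm"}
LEGACY_EXTS = {"doc", "xls", "ppt"}


def classify(data: bytes) -> str:
    """Classify an attachment by its bytes; the filename is never consulted."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"  # legacy binary Office format, macro-capable
    if data[:4] != b"PK\x03\x04":
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return "other"
    if "[Content_Types].xml" not in names:
        return "zip"  # a zip archive, but not an OOXML package
    # A VBA project part makes this .docm/.xlsm-style content, whatever it is named.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "ooxml-macro"
    return "ooxml"


def verdict(filename: str, data: bytes) -> str:
    """Hypothetical policy: block macro-capable content, flag name/content mismatch."""
    kind = classify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind in ("ole2", "ooxml-macro"):
        return "block"
    if kind == "ooxml" and ext not in OOXML_EXTS:
        return "mismatch"  # macro-free OOXML hiding behind a non-Office name
    if kind != "ooxml" and ext in OOXML_EXTS | LEGACY_EXTS:
        return "mismatch"  # claims to be an Office document but is not one
    return "allow"


def constructed_ooxml(with_macros: bool) -> bytes:
    """Build a minimal OOXML-style package in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder VBA part
    return buf.getvalue()
```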