Re: [clamav-users] No notice of OLE2.ContainsMacros

2016-12-20 Thread Reindl Harald



Am 21.12.2016 um 01:32 schrieb Mark Foley:

I did not know about clamdscan! Thanks for that info. I've replaced clamscan
with clamdscan in my script for 2 reasons: First, while clamscan with the
--block-macros=yes switch did work for .doc[x|m] quarantined messages, it found
macro-enabled .xls files to be OK -- clamd quarantined these as well. Therefore,
clamdscan does a better job of finding these macro-enabled files. Secondly,
clamdscan *will* use the /usr/local/etc/clamd.conf, so I have only one place to
worry about config settings.


and it's orders of magnitude faster

clamscan in combination with large 3rd party signatures is terribly slow
because it needs to do the full initialization for every call - that's
the same reason you use spamd instead of piping every mail to a spamassassin
call: your server will mostly spend its resources on startup
stuff, which can be long running

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users


Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml


Re: [clamav-users] No notice of OLE2.ContainsMacros

2016-12-20 Thread Mark Foley
On Tue, 20 Dec 2016 17:26:10 "G.W. Haywood" wrote:
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros
>
> On Tue, 20 Dec 2016, Mark Foley wrote:
>
> > ... running clamscan --block-macros=yes does find the
> > "ContainsMacros" notice.  ... (if I specify --block-macros=yes,
> > apparently the settings in /usr/local/etc/clamd.conf aren't used).
>
> Check the documentation.  The settings in clamd.conf are for clamd.
> They are never used by clamscan.  They will be used by clamd when
> is it responding to requests from clamdscan.  Note the distinction
> between clamscan and clamdscan.

My clamscan documentation doesn't mention config files at all and the clamd doc
doesn't explicitly say its config *is not* used for other clamXX modules, so I
didn't know for sure.

I did not know about clamdscan! Thanks for that info. I've replaced clamscan
with clamdscan in my script for 2 reasons: First, while clamscan with the
--block-macros=yes switch did work for .doc[x|m] quarantined messages, it found
macro-enabled .xls files to be OK -- clamd quarantined these as well. Therefore,
clamdscan does a better job of finding these macro-enabled files. Secondly,
clamdscan *will* use the /usr/local/etc/clamd.conf, so I have only one place to
worry about config settings.

Thanks! --Mark


Re: [clamav-users] No notice of OLE2.ContainsMacros

2016-12-20 Thread G.W. Haywood

Hi there,

On Tue, 20 Dec 2016, Mark Foley wrote:


... running clamscan --block-macros=yes does find the
"ContainsMacros" notice.  ... (if I specify --block-macros=yes,
apparently the settings in /usr/local/etc/clamd.conf aren't used).


Check the documentation.  The settings in clamd.conf are for clamd.
They are never used by clamscan.  They will be used by clamd when
is it responding to requests from clamdscan.  Note the distinction
between clamscan and clamdscan.

--

73,
Ged.


Re: [clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread Mark Foley
Ah ha! Some progress:

# First, I'll extract the attachment:
$ ripmime -v -i /var/spool/mqueue/dfuBJBh64e020058
Decoding filename=textfile0
Decoding filename=textfile1
Decoding filename=Payslip_Dec_2016_84286914.doc

# try vanilla clamscan (nothing found):

$ clamscan Payslip_Dec_2016_84286914.doc
Payslip_Dec_2016_84286914.doc: OK

--- SCAN SUMMARY ---
Known viruses: 5314698
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.18 MB
Data read: 0.03 MB (ratio 5.75:1)
Time: 6.143 sec (0 m 6 s)

# Next try with block-macros:

$ clamscan --block-macros=yes Payslip_Dec_2016_84286914.doc
Payslip_Dec_2016_84286914.doc: Heuristics.OLE2.ContainsMacros FOUND

--- SCAN SUMMARY ---
Known viruses: 5314698
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.03 MB (ratio 0.25:1)
Time: 5.380 sec (0 m 5 s)

Extracting the attachment, then running clamscan --block-macros=yes does
find the "ContainsMacros" notice. Also, reconstructing the email file using both
header and data components as you've instructed also works (if I specify
--block-macros=yes, apparently the settings in /usr/local/etc/clamd.conf aren't
used). 

Too bad I cannot scan an email datafile directly, as that is what is readily
accessible when dealing with the quarantine queue. Perhaps something the clamav
dev folk could look into some day.

My best bet, then, is to extract the df file, then run clamscan on it directly.
That's easier than reconstituting the email.

Thanks for the help. That's what I was looking for!

--Mark

-Original Message-
Date: Tue, 20 Dec 2016 07:26:29 +1000 (AEST)
From: David Shrimpton <d.shrimp...@its.uq.edu.au>
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros

> $ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
> Scanning /var/spool/mqueue/dfuBJBh64e020058
> /var/spool/mqueue/dfuBJBh64e020058: OK


The dfuBJBh64e020058 file looks like a sendmail queue datafile, in which
case it would have no email headers and contain only MIME-encoded content, e.g. base64,
and would just be a plain text file and not an email file to clamav, so the scan is negative.

If you extract the email file from the queue files, or extract the Office file
from the MIME part in the df file and re-scan, this may work.

For a sendmail quarantined queue file, something like the
following will extract the email file:

cat hfuBJBh64e020058 dfuBJBh64e020058 > somefile
Edit somefile to remove the unwanted lines down to the
start of the email headers, e.g. the first H??Received:, then
remove H?? at the start of lines and change the '.' on its own at
the end to just a newline (to mark the end of headers).

(Use qf instead of hf for a non-quarantine queue file,
 but also bear in mind that queue processing by the mail daemon
 may be writing to a qf but not a hf file.)

Rescan and clamav should recognize it as an email file and extract
and scan any attachments.


--
David Shrimpton


Re: [clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread David Shrimpton
> $ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
> Scanning /var/spool/mqueue/dfuBJBh64e020058
> /var/spool/mqueue/dfuBJBh64e020058: OK


The dfuBJBh64e020058 file looks like a sendmail queue datafile, in which
case it would have no email headers and contain only MIME-encoded content, e.g. base64,
and would just be a plain text file and not an email file to clamav, so the scan is negative.

If you extract the email file from the queue files, or extract the Office file
from the MIME part in the df file and re-scan, this may work.

For a sendmail quarantined queue file, something like the
following will extract the email file:

cat hfuBJBh64e020058 dfuBJBh64e020058 > somefile
Edit somefile to remove the unwanted lines down to the
start of the email headers, e.g. the first H??Received:, then
remove H?? at the start of lines and change the '.' on its own at
the end to just a newline (to mark the end of headers).

(Use qf instead of hf for a non-quarantine queue file,
 but also bear in mind that queue processing by the mail daemon
 may be writing to a qf but not a hf file.)

Rescan and clamav should recognize it as an email file and extract
and scan any attachments.


--
David Shrimpton
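The hf/df reconstruction described in the post above, written out as a script. This is an added example, not code from David's post or from the ClamAV project; the queue ID EXAMPLE01, the addresses and the message contents are constructed sample data. It follows the thread's steps: drop envelope lines before the first Received: header, strip the H?flags? prefix, turn the lone "." into the blank line that ends the headers, then append the df body.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild a scannable RFC 822 message from
# a sendmail quarantine envelope file (hf*) and its data file (df*), following
# the manual steps given above. Queue ID, addresses and contents are constructed.

# reconstruct_queue_mail HFILE DFILE OUTFILE
reconstruct_queue_mail() {
    awk '
        # drop envelope lines (V, T, S, R, ...) up to the first Received: header,
        # as in the thread; the H?P?Return-Path: line before it goes too
        !started && /^H[?][^?]*[?]Received:/ { started = 1 }
        !started { next }
        /^\.$/ { print ""; exit }       # lone "." ends the hf file: emit the
                                        # blank line that ends the headers
        /^H[?][^?]*[?]/ { sub(/^H[?][^?]*[?]/, ""); print; next }  # strip H?flags?
        /^[ \t]/ { print }              # folded header continuation line
    ' "$1" > "$3"
    cat "$2" >> "$3"                    # body: MIME parts, base64 attachments
}

# make_sample_queue DIR: write a constructed hf/df pair into DIR
make_sample_queue() {
    cat > "$1/hfEXAMPLE01" <<'EOF'
V8
T1482183600
S<sender@example.invalid>
RPFD:<user@example.invalid>
H?P?Return-Path: <sender@example.invalid>
H??Received: from mx.example.invalid (localhost [127.0.0.1])
 by mail.example.invalid with ESMTP id EXAMPLE01
H??From: sender@example.invalid
H??Subject: Payslip
H??MIME-Version: 1.0
H??Content-Type: multipart/mixed; boundary="XYZ"
.
EOF
    cat > "$1/dfEXAMPLE01" <<'EOF'
--XYZ
Content-Type: application/msword; name="Payslip.doc"
Content-Transfer-Encoding: base64

SGVsbG8=
--XYZ--
EOF
}

# demo: build the sample, reconstruct it and print the result; scanning the
# output with clamdscan (so clamd.conf and OLE2BlockMacros apply) is the next step
demo() {
    dir=$(mktemp -d)
    make_sample_queue "$dir"
    reconstruct_queue_mail "$dir/hfEXAMPLE01" "$dir/dfEXAMPLE01" "$dir/msg.eml"
    cat "$dir/msg.eml"
}
```

Run `demo` to see the rebuilt message; ClamAV then sees a real mail with headers and a MIME body rather than a bare base64 text file, which is why the df file alone scanned clean.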


Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

2016-12-19 Thread Matteo Dessalvi

Sorry, I forgot to add: you cannot unsubscribe from the list
just by sending an email and adding in the body the word
'unsubscribe'.

The process involves sending an email to 
"clamav-users-requ...@lists.clamav.net"

with the subject: unsubscribe

Well, you can also use the web interface:
http://lists.clamav.net/cgi-bin/mailman/options/clamav-users

Anyway, yes, these random emails which pop up here and there
are certainly confusing and quite annoying at this point, I would say.

Best regards,
 Matteo

On 12/19/2016 04:18 PM, Mark Foley wrote:

Well, *that's* confusing! I suppose if I hadn't changed the subject line back to
my original subject my reply might have unsubscribed me as well.

Thanks for the clarification.

--Mark

-Original Message-
To: <clamav-users@lists.clamav.net>
From: Matteo Dessalvi <m.dessa...@gsi.de>
Date: Mon, 19 Dec 2016 16:15:37 +0100
Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

Mark, I believe it was not a suggestion. It often happens here that
a user who wants to unsubscribe {him,her}self from the ClamAV
mailing list just replies to whatever message is crossing the list, asking
to be 'unsubscribed'.

Best regards,
 Matteo

On 12/19/2016 04:05 PM, Mark Foley wrote:

Please elaborate a bit on your suggestion "unsubscribe". I don't understand.

--Mark

-Original Message-
Date: Mon, 19 Dec 2016 08:57:44 -0500 (EST)
From: "ca...@toursupply.com" <ca...@toursupply.com>
To: "ClamAV users ML" <clamav-users@lists.clamav.net>
Subject: [clamav-users] unsubscribe

unsubscribe




--
Matteo Dessalvi



Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

2016-12-19 Thread Mark Foley
Well, *that's* confusing! I suppose if I hadn't changed the subject line back to
my original subject my reply might have unsubscribed me as well.

Thanks for the clarification.

--Mark

-Original Message-
To: <clamav-users@lists.clamav.net>
From: Matteo Dessalvi <m.dessa...@gsi.de>
Date: Mon, 19 Dec 2016 16:15:37 +0100
Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

Mark, I believe it was not a suggestion. It often happens here that
a user who wants to unsubscribe {him,her}self from the ClamAV
mailing list just replies to whatever message is crossing the list, asking
to be 'unsubscribed'.

Best regards,
Matteo

On 12/19/2016 04:05 PM, Mark Foley wrote:
> Please elaborate a bit on your suggestion "unsubscribe". I don't understand.
>
> --Mark
>
> -Original Message-
> Date: Mon, 19 Dec 2016 08:57:44 -0500 (EST)
> From: "ca...@toursupply.com" <ca...@toursupply.com>
> To: "ClamAV users ML" <clamav-users@lists.clamav.net>
> Subject: [clamav-users] unsubscribe
>
> unsubscribe
>



Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

2016-12-19 Thread Matteo Dessalvi

Mark, I believe it was not a suggestion. It often happens here that
a user who wants to unsubscribe {him,her}self from the ClamAV
mailing list just replies to whatever message is crossing the list, asking
to be 'unsubscribed'.

Best regards,
   Matteo

On 12/19/2016 04:05 PM, Mark Foley wrote:

Please elaborate a bit on your suggestion "unsubscribe". I don't understand.

--Mark

-Original Message-
Date: Mon, 19 Dec 2016 08:57:44 -0500 (EST)
From: "ca...@toursupply.com" 
To: "ClamAV users ML" 
Subject: [clamav-users] unsubscribe

unsubscribe





[clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread Mark Foley
Please elaborate a bit on your suggestion "unsubscribe". I don't understand.

--Mark

-Original Message-
Date: Mon, 19 Dec 2016 08:57:44 -0500 (EST)
From: "ca...@toursupply.com" <ca...@toursupply.com>
To: "ClamAV users ML" <clamav-users@lists.clamav.net>
Subject: [clamav-users] unsubscribe

unsubscribe

-Original Message-
From: "Mark Foley" <mfo...@novatec-inc.com>
Sent: Monday, December 19, 2016 8:36am
To: clamav-users@lists.clamav.net
Subject: [clamav-users] No notice of OLE2.ContainsMacros

Before I submit a bug report on this, I thought I'd see if any list members 
have ideas.

I'm running clamav 0.99.2 on Linux Slackware64 14.1.  I'm running clamav-milter
for sendmail.  I have "OLE2BlockMacros yes" set in /usr/local/etc/clamd.conf.
This is working fine, I get:

fd[10]: Heuristics.OLE2.ContainsMacros(fa7491778b806ca1fdc4a809ea3213d5:47944) 
FOUND

in /var/log/clamd.log when it finds such macros, and the email is put in the
quarantine mail queue.

My problem is that when I run clamscan manually I can never see these files as
having blocked macros. I've tried all the switch settings I can think of,
especially --block-macros=yes, but I get nothing, e.g.:

$ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
Scanning /var/spool/mqueue/dfuBJBh64e020058
/var/spool/mqueue/dfuBJBh64e020058: OK

--- SCAN SUMMARY ---
Known viruses: 5304016
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.09 MB
Data read: 0.04 MB (ratio 2.00:1)
Time: 5.775 sec (0 m 5 s)

This message is in the quarantine mail queue and got there because
clamav-milter/clamd found a macro -- which it logged in /var/log/clamd.log, but
I cannot get clamscan to output any indication of this condition. I always get
"Infected files: 0" -- nothing about macros.

Is there something I can do, or is this just a bug?

THX - Mark


[clamav-users] No notice of OLE2.ContainsMacros

2016-12-19 Thread Mark Foley
Before I submit a bug report on this, I thought I'd see if any list members 
have ideas.

I'm running clamav 0.99.2 on Linux Slackware64 14.1.  I'm running clamav-milter
for sendmail.  I have "OLE2BlockMacros yes" set in /usr/local/etc/clamd.conf.
This is working fine, I get:

fd[10]: Heuristics.OLE2.ContainsMacros(fa7491778b806ca1fdc4a809ea3213d5:47944) 
FOUND

in /var/log/clamd.log when it finds such macros, and the email is put in the
quarantine mail queue.

My problem is that when I run clamscan manually I can never see these files as
having blocked macros. I've tried all the switch settings I can think of,
especially --block-macros=yes, but I get nothing, e.g.:

$ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
Scanning /var/spool/mqueue/dfuBJBh64e020058
/var/spool/mqueue/dfuBJBh64e020058: OK

--- SCAN SUMMARY ---
Known viruses: 5304016
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.09 MB
Data read: 0.04 MB (ratio 2.00:1)
Time: 5.775 sec (0 m 5 s)

This message is in the quarantine mail queue and got there because
clamav-milter/clamd found a macro -- which it logged in /var/log/clamd.log, but
I cannot get clamscan to output any indication of this condition. I always get
"Infected files: 0" -- nothing about macros.

Is there something I can do, or is this just a bug?

THX - Mark