Re: [clamav-users] No notice of OLE2.ContainsMacros
On 21.12.2016 at 01:32, Mark Foley wrote:
> I did not know about clamdscan! Thanks for that info. I've replaced clamscan with clamdscan in my script for 2 reasons:
> First, while clamscan with the --block-macros=yes switch did work for .doc[x|m] quarantined messages, it found macro-enabled .xls files to be OK -- clamd quarantined these as well. Therefore, clamdscan does a better job of finding these macro-enabled files.
> Secondly, clamdscan *will* use the /usr/local/etc/clamd.conf, so I have only one place to worry about config settings

and it's magnitudes faster

clamscan in combination with large 3rd party signatures is terribly slow because it needs to do the full initialization for every call - that's the same reason you use spamd instead of piping every mail to a spamassassin call, because your server will mostly spend its resources on startup stuff, which can be long running

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
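The per-call startup cost described above is what a resident clamd avoids: clamdscan hands each file to the already-initialised daemon over its socket instead of loading the signature database itself. The following is an added example, not code from this thread and not clamdscan's or ClamAV's own source, of talking to clamd directly with the INSTREAM command of the clamd protocol (a `zINSTREAM\0` command, data chunks framed as a 4-byte big-endian length plus payload, a zero-length chunk to end the stream, and a NUL-terminated `stream: <verdict>` reply). The socket path is an assumed `LocalSocket` value from clamd.conf; the framing and reply parsing run offline, only `scan_bytes` needs a live daemon.

```python
"""Scan a byte buffer through a running clamd via the INSTREAM command.

Added example (not from the thread, not ClamAV code). Assumes clamd.conf has
``LocalSocket`` pointing at CLAMD_SOCKET below (placeholder path).
"""
import socket
import struct
from typing import List, Optional, Tuple

CLAMD_SOCKET = "/var/run/clamav/clamd.sock"  # assumption: LocalSocket in clamd.conf
CHUNK = 64 * 1024  # must stay below clamd's StreamMaxLength in total


def instream_frames(data: bytes, chunk: int = CHUNK) -> List[bytes]:
    """Frame data the way clamd expects on the socket:
    command, then <4-byte big-endian length><payload> chunks, then a
    zero-length chunk that terminates the stream."""
    frames = [b"zINSTREAM\0"]  # 'z' prefix: NUL-delimited command and reply
    for off in range(0, len(data), chunk):
        piece = data[off:off + chunk]
        frames.append(struct.pack(">I", len(piece)) + piece)
    frames.append(struct.pack(">I", 0))  # end of stream
    return frames


def parse_reply(reply: bytes) -> Tuple[str, Optional[str]]:
    """Turn b'stream: OK\\0' into ('OK', None) and
    b'stream: <name> FOUND\\0' into ('FOUND', '<name>');
    anything else (e.g. a size-limit message ending in ERROR) is ('ERROR', text)."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    _, _, verdict = text.partition(": ")
    if verdict == "OK":
        return ("OK", None)
    if verdict.endswith(" FOUND"):
        return ("FOUND", verdict[: -len(" FOUND")])
    if verdict.endswith(" ERROR"):
        return ("ERROR", verdict[: -len(" ERROR")])
    return ("ERROR", verdict)


def scan_bytes(data: bytes, sock_path: str = CLAMD_SOCKET) -> Tuple[str, Optional[str]]:
    """Send data to clamd over the local socket and return the parsed verdict.
    No signature database is loaded here; the daemon already holds it."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        for frame in instream_frames(data):
            s.sendall(frame)
        reply = b""
        while not reply.endswith(b"\0"):  # reply is NUL-terminated ('z' mode)
            part = s.recv(4096)
            if not part:
                break
            reply += part
    return parse_reply(reply)


if __name__ == "__main__":
    # Constructed input: a bare OLE2 header, not a real document.
    print(scan_bytes(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + bytes(504)))
```

Because the daemon reads clamd.conf, the macro heuristic is switched on there (`OLE2BlockMacros yes`, the daemon-side counterpart of `--block-macros=yes`) rather than per call, which is the single-config-file point made in the reply above.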
Re: [clamav-users] No notice of OLE2.ContainsMacros
On Tue, 20 Dec 2016 17:26:10 "G.W. Haywood" wrote:
> To: clamav-users@lists.clamav.net
> Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros
>
> On Tue, 20 Dec 2016, Mark Foley wrote:
>
> > ... running clamscan --block-macros=yes does find the
> > "ContainsMacros" notice. ... (if I specify --block-macros=yes,
> > apparently the settings in /usr/local/etc/clamd.conf aren't used).
>
> Check the documentation. The settings in clamd.conf are for clamd.
> They are never used by clamscan. They will be used by clamd when
> it is responding to requests from clamdscan. Note the distinction
> between clamscan and clamdscan.

My clamscan documentation doesn't mention config files at all and the clamd doc doesn't explicitly say its config *is not* used for other clamXX modules, so I didn't know for sure.

I did not know about clamdscan! Thanks for that info. I've replaced clamscan with clamdscan in my script for 2 reasons:

First, while clamscan with the --block-macros=yes switch did work for .doc[x|m] quarantined messages, it found macro-enabled .xls files to be OK -- clamd quarantined these as well. Therefore, clamdscan does a better job of finding these macro-enabled files.

Secondly, clamdscan *will* use the /usr/local/etc/clamd.conf, so I have only one place to worry about config settings.

Thanks!

--Mark
Re: [clamav-users] No notice of OLE2.ContainsMacros
Hi there,

On Tue, 20 Dec 2016, Mark Foley wrote:

> ... running clamscan --block-macros=yes does find the
> "ContainsMacros" notice. ... (if I specify --block-macros=yes,
> apparently the settings in /usr/local/etc/clamd.conf aren't used).

Check the documentation. The settings in clamd.conf are for clamd. They are never used by clamscan. They will be used by clamd when it is responding to requests from clamdscan. Note the distinction between clamscan and clamdscan.

--
73,
Ged.
Re: [clamav-users] No notice of OLE2.ContainsMacros
Ah ha! Some progress:

# First, I'll extract the attachment:
$ ripmime -v -i /var/spool/mqueue/dfuBJBh64e020058
Decoding filename=textfile0
Decoding filename=textfile1
Decoding filename=Payslip_Dec_2016_84286914.doc

# try vanilla clamscan (nothing found):
$ clamscan Payslip_Dec_2016_84286914.doc
Payslip_Dec_2016_84286914.doc: OK

--- SCAN SUMMARY ---
Known viruses: 5314698
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.18 MB
Data read: 0.03 MB (ratio 5.75:1)
Time: 6.143 sec (0 m 6 s)

# Next try with block-macros:
$ clamscan --block-macros=yes Payslip_Dec_2016_84286914.doc
Payslip_Dec_2016_84286914.doc: Heuristics.OLE2.ContainsMacros FOUND

--- SCAN SUMMARY ---
Known viruses: 5314698
Engine version: 0.99.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.01 MB
Data read: 0.03 MB (ratio 0.25:1)
Time: 5.380 sec (0 m 5 s)

Extracting the attachment, then running clamscan --block-macros=yes does find the "ContainsMacros" notice. Also, reconstructing the email file using both header and data components as you've instructed also works (if I specify --block-macros=yes, apparently the settings in /usr/local/etc/clamd.conf aren't used).

Too bad I cannot scan an email datafile directly, as that is what is readily accessible when dealing with the quarantine queue. Perhaps something the clamav dev folk could look into some day. My best bet, then, is to extract the df file, then run clamscan on it directly. That's easier than reconstituting the email.

Thanks for the help. That's what I was looking for!

--Mark

-Original Message-
Date: Tue, 20 Dec 2016 07:26:29 +1000 (AEST)
From: David Shrimpton <d.shrimp...@its.uq.edu.au>
To: ClamAV users ML <clamav-users@lists.clamav.net>
Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros

> $ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
> Scanning /var/spool/mqueue/dfuBJBh64e020058
> /var/spool/mqueue/dfuBJBh64e020058: OK

The dfuBJBh64e020058 file looks like a sendmail queue datafile, in which case it would have no email headers and contain only mime encoding, eg base64, and just be a plain text file and not an email file to clamav, so scan negative.

If you extract the email file from the queue files, or extract the Office file from the mime part in the df file and re-scan, this may work.

For a sendmail quarantined queue file something like the following will extract the email file:

cat hfuBJBh64e020058 dfuBJBh64e020058 > somefile

Edit somefile to remove the unwanted lines down to the start of the email headers, eg the first H??Received: , then remove H?? at the start of lines and change the '.' on its own at the end to just a newline (to mark the end of headers).

(Use qf instead of hf for a non-quarantine queue file, but also bear in mind that queue processing by the mail daemon may be writing to a qf but not an hf file.)

Rescan and clamav should recognize it as an email file and extract and scan any attachments.

--
David Shrimpton
Re: [clamav-users] No notice of OLE2.ContainsMacros
> $ clamscan -a -v -z --block-macros=yes /var/spool/mqueue/dfuBJBh64e020058
> Scanning /var/spool/mqueue/dfuBJBh64e020058
> /var/spool/mqueue/dfuBJBh64e020058: OK

The dfuBJBh64e020058 file looks like a sendmail queue datafile, in which case it would have no email headers and contain only mime encoding, eg base64, and just be a plain text file and not an email file to clamav, so scan negative.

If you extract the email file from the queue files, or extract the Office file from the mime part in the df file and re-scan, this may work.

For a sendmail quarantined queue file something like the following will extract the email file:

cat hfuBJBh64e020058 dfuBJBh64e020058 > somefile

Edit somefile to remove the unwanted lines down to the start of the email headers, eg the first H??Received: , then remove H?? at the start of lines and change the '.' on its own at the end to just a newline (to mark the end of headers).

(Use qf instead of hf for a non-quarantine queue file, but also bear in mind that queue processing by the mail daemon may be writing to a qf but not an hf file.)

Rescan and clamav should recognize it as an email file and extract and scan any attachments.

--
David Shrimpton
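The hand edit described above (join hf and df, drop the queue records before the first H line, strip the `H??` prefix, turn the lone `.` into the header/body separator) and Mark's later extract-then-scan step are straightforward to script. The following is an added example, not code from the thread, from sendmail or from ClamAV; it assumes the queue-file layout the thread describes (header records `H?<flags>?<Header: value>` in the hf/qf file, whitespace-led folded continuation lines, a lone `.` as terminator, and the raw MIME body in the df file). The sample queue pair, addresses and attachment are constructed; only the queue id is the one from the thread.

```python
"""Rebuild a scannable mail file from a sendmail quarantine queue pair
(hf + df) and list the MIME attachments it carries.

Added example; assumed queue-file layout as described in the thread,
not verified against sendmail's source.
"""
import email
import email.policy
import re
import subprocess
from typing import List, Tuple

# H<flags between the two '?'><header text>; "H??Received:" has empty flags
HEADER_RECORD = re.compile(r"^H\?[^?]*\?(.*)$")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container


def queue_headers(hf_text: str) -> List[str]:
    """Return the RFC 822 header lines stored in an hf/qf control file.
    Queue records before the first H line are skipped, the H?flags? prefix
    is stripped, whitespace-led lines are kept as folded continuations and
    the lone '.' ends the header section."""
    headers: List[str] = []
    for line in hf_text.splitlines():
        if line == ".":
            break
        m = HEADER_RECORD.match(line)
        if m:
            headers.append(m.group(1))
        elif headers and line[:1] in (" ", "\t"):
            headers.append(line)  # continuation of the previous header
        # anything else is queue bookkeeping (V, T, M, S, R ... records)
    return headers


def rebuild_message(hf_text: str, df_text: str) -> str:
    """Headers, one blank separator line, then the df body unchanged."""
    return "\n".join(queue_headers(hf_text)) + "\n\n" + df_text


def attachments(message_text: str) -> List[Tuple[str, bytes]]:
    """Decode every MIME part that carries a filename, the way a
    MIME-aware scanner sees the rebuilt message."""
    msg = email.message_from_string(message_text, policy=email.policy.default)
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            found.append((name, part.get_payload(decode=True)))
    return found


def is_ole2(blob: bytes) -> bool:
    """True for an OLE2 compound file (the container the OLE2 heuristic inspects)."""
    return blob[:8] == OLE2_MAGIC


def clamscan_file(path: str) -> Tuple[int, str]:
    """Scan a rebuilt message or an extracted attachment with macro blocking.
    clamscan exits 0 when clean, 1 when something is FOUND, 2 on error."""
    proc = subprocess.run(
        ["clamscan", "--block-macros=yes", "--no-summary", path],
        capture_output=True, text=True,
    )
    return proc.returncode, proc.stdout


# Constructed sample queue pair (not a real quarantined message).
SAMPLE_HF = """V8
T1482191185
Mquarantined by example policy
Ssender@example.org
RPFD:user@example.net
H?P?Return-Path: <sender@example.org>
H??Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mail.example.net (8.15.2/8.15.2) with ESMTP id uBJBh64e020058
\tfor <user@example.net>; Tue, 20 Dec 2016 11:43:06 +1000
H??From: sender@example.org
H??To: user@example.net
H??Subject: Payslip
H??MIME-Version: 1.0
H??Content-Type: multipart/mixed; boundary="=_part_boundary"
.
"""

SAMPLE_DF = """--=_part_boundary
Content-Type: text/plain

Please see the attached document.
--=_part_boundary
Content-Type: application/msword; name="invoice.doc"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="invoice.doc"

0M8R4KGxGuE=
--=_part_boundary--
"""

if __name__ == "__main__":
    for name, blob in attachments(rebuild_message(SAMPLE_HF, SAMPLE_DF)):
        print(name, len(blob), "bytes, OLE2:", is_ole2(blob))
```

Writing `rebuild_message()` output to a file and passing it to `clamscan_file()` gives ClamAV a real mail file to unpack, which is the difference between the `OK` on the bare df file and the `FOUND` on the extracted document shown earlier in the thread; `attachments()` is the scripted equivalent of the ripmime step for cases where only the extracted document should be scanned.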
Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]
Sorry, I forgot to add: you cannot unsubscribe from the list just by sending an email and adding in the body the word 'unsubscribe'. The process involves sending an email to "clamav-users-requ...@lists.clamav.net" with the subject: unsubscribe

Well, you can also use the web interface: http://lists.clamav.net/cgi-bin/mailman/options/clamav-users

Anyway, yes, these random emails which pop up here and there are certainly confusing and quite annoying at this point, I would say.

Best regards,
Matteo

On 12/19/2016 04:18 PM, Mark Foley wrote:
> Well, *that's* confusing! I suppose if I hadn't changed the subject line back to my original subject my reply might have unsubscribed me as well. Thanks for the clarification.
>
> --Mark
>
> -Original Message-
> To: <clamav-users@lists.clamav.net>
> From: Matteo Dessalvi <m.dessa...@gsi.de>
> Date: Mon, 19 Dec 2016 16:15:37 +0100
> Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]
>
> Mark,
>
> I believe it was not a suggestion. It often happens here that a user who wants to unsubscribe {him,her}self from the ClamAV mailing list just replies to whatever message is crossing the list, asking to be 'unsubscribed'.
>
> Best regards,
> Matteo
>
> On 12/19/2016 04:05 PM, Mark Foley wrote:
> > Please elaborate a bit on your suggestion "unsubscrib". I don't understand.
> >
> > --Mark
> >
> > -Original Message-
> > Date: Mon, 19 Dec 2016 08:57:44 -0500 (EST)
> > From: "ca...@toursupply.com" <ca...@toursupply.com>
> > To: "ClamAV users ML" <clamav-users@lists.clamav.net>
> > Subject: [clamav-users] unsubscribe
> >
> > unsubscribe

--
Matteo Dessalvi
Abteilung: HPC
E-Mail: m.dessa...@gsi.de
GSI Helmholtzzentrum für Schwerionenforschung GmbH
Planckstraße 1, 64291 Darmstadt, Germany, www.gsi.de
Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]
Well, *that's* confusing! I suppose if I hadn't changed the subject line back to my original subject my reply might have unsubscribed me as well. Thanks for the clarification.

--Mark

-Original Message-
To: <clamav-users@lists.clamav.net>
From: Matteo Dessalvi <m.dessa...@gsi.de>
Date: Mon, 19 Dec 2016 16:15:37 +0100
Subject: Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]

Mark,

I believe it was not a suggestion. It often happens here that a user who wants to unsubscribe {him,her}self from the ClamAV mailing list just replies to whatever message is crossing the list, asking to be 'unsubscribed'.

Best regards,
Matteo

On 12/19/2016 04:05 PM, Mark Foley wrote:
> Please elaborate a bit on your suggestion "unsubscrib". I don't understand.
>
> --Mark
>
> -Original Message-
> Date: Mon, 19 Dec 2016 08:57:44 -0500 (EST)
> From: "ca...@toursupply.com" <ca...@toursupply.com>
> To: "ClamAV users ML" <clamav-users@lists.clamav.net>
> Subject: [clamav-users] unsubscribe
>
> unsubscribe
Re: [clamav-users] No notice of OLE2.ContainsMacros [OT]
Mark,

I believe it was not a suggestion. It often happens here that a user who wants to unsubscribe {him,her}self from the ClamAV mailing list just replies to whatever message is crossing the list, asking to be 'unsubscribed'.

Best regards,
Matteo

On 12/19/2016 04:05 PM, Mark Foley wrote:
> Please elaborate a bit on your suggestion "unsubscrib". I don't understand.
>
> --Mark
>
> -Original Message-
> Date: Mon, 19 Dec 2016 08:57:44 -0500 (EST)
> From: "ca...@toursupply.com"
> To: "ClamAV users ML"
> Subject: [clamav-users] unsubscribe
>
> unsubscribe