Re: [clamav-users] Understanding OLE2BlockMacros
HeuristicScanPrecedence No is broken with OLE2BlockMacros Yes. It only applies to signatures being run against uncompressed macros. If there is a hit on one of those signatures, that signature hit is returned and not Heuristics.OLE2.ContainsMacros. Otherwise Heuristics.OLE2.ContainsMacros is returned and no other signatures are tried. This disables all the official and unofficial signatures that are not written against uncompressed macros, which is effectively all of them.

There are few or no official signatures for macro viruses. The official signatures are of little value in protecting against macro viruses. Commercial antivirus products are also of little value, particularly against 'zero day' exploits. Submit every new macro virus file you identify to one of the web based A/V scanning services that use multiple vendors' products, if you do not believe this. One well known vendor sometimes responds to submissions of macro virus docs advising they are only interested in the downloaded malware, not the doc that downloads it.

Re unofficial sigs, there are few or no unofficial signatures written against uncompressed macros. These signatures are not targeting the code and obfuscations being used by virus writers. You may have more success writing your own signatures based on macro code seen in viruses. As the code is often re-used, signatures written against macro code may provide better 'zero day' protection than other signatures, eg unofficial or official ones.

I think the main usefulness of clamav is not as an off the shelf A/V product, whether supplemented by unofficial signatures or not, but as a tool for implementing your own A/V ideas. If you implement your own signatures you will also have control over the aggressiveness of those signatures with respect to false positives, which you will not have with official or unofficial signatures. Overly aggressive signatures might however make sharing signatures a dis-service. It is a worthwhile exercise to decode some examples from any unofficial signature database before using it and form your own opinion about the likelihood of false positives. As the unofficial and official signatures are written after new viruses arrive they are generally too late to be of use in 'zero day' attacks.

If you don't implement your own signatures against macro code, setting OLE2BlockMacros Yes effectively causes Heuristics.OLE2.ContainsMacros to be returned and disables all official and unofficial signatures. If OLE2BlockMacros is Yes then the only option is to treat every file with macros as a virus and eg discard it if you want to block the files that do contain a macro virus. It might be argued that files with macros should be treated similarly to any other executables shipped in email from outside your organization and discarded if that is your policy.

Note, clamav returns the first signature hit unless the -z option is used. The OLE2 signatures are run before any other signatures, so OLE2BlockMacros Yes causes Heuristics.OLE2.ContainsMacros to be returned first and all other signatures that are not against uncompressed macros are ignored. You only get one signature back and that is the first one hit, which may be a 'soft' signature, ie one you mightn't discard an email on, such as Heuristics.OLE2.ContainsMacros, even though 'hard' signatures, official or unofficial, might also have hit if they had been run later.

One useful strategy may be to combine the Heuristics.OLE2.ContainsMacros with other information from an email and discard files containing macros that are probably viruses, eg invoices and resumes. The Heuristics.OLE2.ContainsMacros hits are arguably more useful in identifying potential macro viruses than is turning OLE2BlockMacros off and using the unofficial and official signatures.

The clamav -z option is also broken for OLE2BlockMacros Yes and HeuristicScanPrecedence No. Only signatures matching uncompressed macros and Heuristics.OLE2.ContainsMacros are returned. All other official and unofficial signatures are ignored, so not all the signatures that would match are returned. This is a bug/limitation. Logically HeuristicScanPrecedence should be ignored with -z. If clamav -z returned all the matches you could implement a "quality of service" type scheme and parse all the returned signature hits including Heuristics.OLE2.ContainsMacros and prioritize the results, eg discard if a 'real' virus or just add a warning if only Heuristics.OLE2.ContainsMacros was returned. Or you could treat unofficial hits with more caution, eg add a warning only, and official hits more aggressively, eg discard. But -z is broken with OLE2, so you must decide to use OLE2BlockMacros and not official/unofficial signatures, or not use OLE2BlockMacros.

-- 
David Shrimpton

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
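The "quality of service" scheme David describes above, written out as an added example that is not part of the thread and not ClamAV or amavisd code: a small Python policy layer around clamdscan --allmatch (the long form of -z) that keeps every returned signature, ranks official above unofficial above bare heuristic hits, and also applies his suggestion of escalating a heuristic-only Heuristics.OLE2.ContainsMacros hit when the attachment name looks like an invoice or resume. The scanner output below is constructed (the first file and its two signature names are the ones posted in the thread; the other files are invented), and the tier ranking, actions and filename patterns are policy assumptions. As he notes, the scheme is only as good as the match list clamd actually returns.

```python
"""Tiered handling of ClamAV results from `clamdscan --allmatch`.

Added example, not ClamAV or amavisd code. The rank order, the actions and
the suspicious-name patterns are assumptions chosen to illustrate the thread.
"""
import os
import re
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of what clamdscan --allmatch prints when several
# signatures match one file. The first file and its two signature names
# are from the thread; the other files are made up.
SAMPLE_OUTPUT = """\
/var/tmp/inv_5236420.doc: Heuristics.OLE2.ContainsMacros FOUND
/var/tmp/inv_5236420.doc: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL FOUND
/var/tmp/report.docx: OK
/var/tmp/quarterly.xls: Heuristics.OLE2.ContainsMacros FOUND
/var/tmp/resume.doc: Heuristics.OLE2.ContainsMacros FOUND

--- SCAN SUMMARY ---
Infected files: 3
Time: 0.301 sec (0 m 0 s)
"""

RESULT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Lowest-ranked tier first. A bare heuristic only adds a score; anything
# that names a specific family is discarded. Unofficial (e.g. Sanesecurity)
# hits rank below official ones so they can be softened independently.
TIER_RANK = {"heuristic": 1, "unofficial": 2, "official": 3}
TIER_ACTION = {"heuristic": "score", "unofficial": "discard", "official": "discard"}

# Attachment names that, together with "contains macros", are treated as a
# probable macro virus (assumed patterns; tune to your own mail flow).
SUSPECT_NAME_RE = re.compile(r"^(inv|invoice|resume|cv)[_\-.\d]", re.IGNORECASE)


def tier(sig: str) -> str:
    """Classify a ClamAV signature name by where it came from."""
    if sig.startswith("Heuristics."):
        return "heuristic"
    if sig.endswith(".UNOFFICIAL"):
        return "unofficial"
    return "official"


def parse_allmatch(output: str) -> Dict[str, List[str]]:
    """Collect every FOUND line per file; OK lines and the summary are skipped."""
    hits: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = RESULT_RE.match(line)
        if m:
            hits.setdefault(m["path"], []).append(m["sig"])
    return hits


def decide(path: str, sigs: List[str]) -> Tuple[str, str]:
    """Return (action, deciding signature) for one file.

    The highest-ranked signature wins, so a 'soft' heuristic cannot hide a
    'hard' match the way first-hit-only output does. A heuristic-only hit
    is escalated when the file name looks like an invoice or resume.
    """
    if not sigs:
        return ("deliver", "")
    best = max(sigs, key=lambda s: TIER_RANK[tier(s)])
    action = TIER_ACTION[tier(best)]
    if action == "score" and SUSPECT_NAME_RE.search(os.path.basename(path)):
        action = "discard"
    return (action, best)


def policy(output: str) -> Dict[str, Tuple[str, str]]:
    """Map each infected file in scanner output to its (action, signature)."""
    return {path: decide(path, sigs) for path, sigs in parse_allmatch(output).items()}


def scan(paths: List[str], clamdscan: str = "clamdscan") -> Dict[str, Tuple[str, str]]:
    """Run the real scanner. Needs a running clamd; not used by the sample.

    Caveat from the thread: with OLE2BlockMacros yes and the default
    HeuristicScanPrecedence no, clamd may still return only
    Heuristics.OLE2.ContainsMacros, and everything then lands in 'score'.
    """
    proc = subprocess.run(
        [clamdscan, "--allmatch", "--fdpass", "--no-summary", *paths],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode == 2:  # 0 = clean, 1 = something found, 2 = error
        raise RuntimeError(proc.stderr.strip())
    return policy(proc.stdout)


if __name__ == "__main__":
    for path, (action, sig) in policy(SAMPLE_OUTPUT).items():
        print(f"{action:8s} {path}  ({sig})")
```

The same decision table can be expressed in amavisd's @virus_name_to_spam_score_maps (score for ^Heuristics\., undef for everything else), but only the external layer can see the whole match list, which is the point of doing it outside the scanner.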
Re: [clamav-users] Understanding OLE2BlockMacros
On 8/25/2016 7:06 PM, Alex wrote:
> Hi,
>
>>> Try this:
>>> 1) Enable OLE2BlockMacros and restart clamd
>>> 2) Use clamdscan to test your sample message and note the results
>>> 3) Disable OLE2BlockMacros and restart clamd
>>> 4) Use clamdscan to test your sample message again and note these results
>
> Very constructive help, thank you. Here are the results with a file that has a macro virus:
>
> OLE2BlockMacros yes
>
> [root@juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc
> /var/tmp/inv_5236420.doc: Heuristics.OLE2.ContainsMacros FOUND
>
> --- SCAN SUMMARY ---
> Infected files: 1
> Time: 0.028 sec (0 m 0 s)
>
> OLE2BlockMacros no
>
> [root@juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc
> /var/tmp/inv_5236420.doc: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL FOUND
>
> --- SCAN SUMMARY ---
> Infected files: 1
> Time: 0.272 sec (0 m 0 s)
>
> This is with HeuristicScanPrecedence set to the default No, but it appears to take precedence anyway, as the scan with OLE2BlockMacros set to Yes only reports that macros were found, not that a virus was found.

I'm wondering if the unofficial signatures are being given a lower precedence than the official rules. Possibly the HeuristicScanPrecedence setting is setting heuristics at a lower precedence than the official rules, but still higher than the unofficial ones.

Can anyone who knows more about the internals of ClamAV comment on this?

-- 
Bowie
Re: [clamav-users] Understanding OLE2BlockMacros
Hi,

>>> Try this:
>>> 1) Enable OLE2BlockMacros and restart clamd
>>> 2) Use clamdscan to test your sample message and note the results
>>> 3) Disable OLE2BlockMacros and restart clamd
>>> 4) Use clamdscan to test your sample message again and note these results

Very constructive help, thank you. Here are the results with a file that has a macro virus:

OLE2BlockMacros yes

[root@juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc
/var/tmp/inv_5236420.doc: Heuristics.OLE2.ContainsMacros FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.028 sec (0 m 0 s)

OLE2BlockMacros no

[root@juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc
/var/tmp/inv_5236420.doc: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL FOUND

--- SCAN SUMMARY ---
Infected files: 1
Time: 0.272 sec (0 m 0 s)

This is with HeuristicScanPrecedence set to the default No, but it appears to take precedence anyway, as the scan with OLE2BlockMacros set to Yes only reports that macros were found, not that a virus was found.

The motivation for me wanting to do this is because of the large number of macro viruses that are received before patterns are available to tag them as viruses, so they are getting through. I'd like this information to be available from within amavisd/spamassassin, so I can add points, and otherwise manipulate the file to make a decision on whether to forward it.

>> For example:
>> http://sanesecurity.com/support/problems/
>>
>> If the setting to block macros is enabled in ClamAV and is actually
>> hitting, it should hit with Heuristics.OLE2.ContainsMacros
>>
>> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
>> Heuristics.OLE2.ContainsMacros so, it might let the email through but
>> just mark it, instead of blocking it?
>>
>> Eg...
>>
>> # [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],# keep as infected
>>
>> Does that change things?

No, it doesn't change things. I tried commenting it all out then redoing the OLE2BlockMacros tests.

I have previously added the following to my amavisd.conf:

@virus_name_to_spam_score_maps = (new_RE(
  # the order matters, first match wins
  [ qr'^Heuristics.OLE2.ContainsMacros' => 0.1 ],
));

I've also created several spamassassin rules that work off of that, but in conjunction with the clamav settings, it was causing even the attachments with macro viruses to be forwarded on.

Thanks,
Alex
Re: [clamav-users] Understanding OLE2BlockMacros
On 25.08.2016 at 20:39, Alex wrote:
> Maybe I should have stated my question more simply:
>
> What is the purpose of the OLE2BlockMacros option? What happens when
> it's set to "Yes"?

every message with an attachment containing macros hits clamd

> What happens when it's set to "No"?

every message with an attachment containing macros doesn't hit clamd as long as it doesn't hit a specific signature

what's so difficult to understand?
Re: [clamav-users] Understanding OLE2BlockMacros
On Thu, August 25, 2016 9:20 pm, Dennis Peterson wrote:
>> I think the issue is that he wants to block recognized viruses, but
>> only mark heuristic matches.
>>
> That would be a scoring task in Amavisd.
>

Maybe...

# [ qr'^Heuristics\.OLE2\.ContainsMacros' => 0.1 ],

So, allocate a score and deliver

use HeuristicScanPrecedence as indicated in earlier post

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity
Re: [clamav-users] Understanding OLE2BlockMacros
On 8/25/2016 4:20 PM, Dennis Peterson wrote:
> On 8/25/16 1:10 PM, Bowie Bailey wrote:
>> On 8/25/2016 3:10 PM, Steve Basford wrote:
>>>> Try this:
>>>> 1) Enable OLE2BlockMacros and restart clamd
>>>> 2) Use clamdscan to test your sample message and note the results
>>>> 3) Disable OLE2BlockMacros and restart clamd
>>>> 4) Use clamdscan to test your sample message again and note these results
>>>
>>> Something else...
>>>
>>> In amavisd-new there are virus_name_to_spam_score_maps
>>>
>>> For example:
>>> http://sanesecurity.com/support/problems/
>>>
>>> If the setting to block macros is enabled in ClamAV and is actually hitting,
>>> it should hit with Heuristics.OLE2.ContainsMacros
>>>
>>> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
>>> Heuristics.OLE2.ContainsMacros so, it might let the email through but
>>> just mark it, instead of blocking it?
>>>
>>> Eg...
>>>
>>> # [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],# keep as infected
>>>
>>> Does that change things?
>>
>> I think the issue is that he wants to block recognized viruses, but
>> only mark heuristic matches.
>
> That would be a scoring task in Amavisd.

Right, but the issue is that files that should have been blocked as viruses were instead marked and allowed through with heuristic matches.

A previous poster may have hit on the right answer. If he has enabled HeuristicScanPrecedence in clamd.conf, that would explain this behavior.

-- 
Bowie
Re: [clamav-users] Understanding OLE2BlockMacros
On 8/25/16 1:10 PM, Bowie Bailey wrote:
> On 8/25/2016 3:10 PM, Steve Basford wrote:
>>> Try this:
>>> 1) Enable OLE2BlockMacros and restart clamd
>>> 2) Use clamdscan to test your sample message and note the results
>>> 3) Disable OLE2BlockMacros and restart clamd
>>> 4) Use clamdscan to test your sample message again and note these results
>>
>> Something else...
>>
>> In amavisd-new there are virus_name_to_spam_score_maps
>>
>> For example:
>> http://sanesecurity.com/support/problems/
>>
>> If the setting to block macros is enabled in ClamAV and is actually hitting,
>> it should hit with Heuristics.OLE2.ContainsMacros
>>
>> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
>> Heuristics.OLE2.ContainsMacros so, it might let the email through but
>> just mark it, instead of blocking it?
>>
>> Eg...
>>
>> # [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],# keep as infected
>>
>> Does that change things?
>
> I think the issue is that he wants to block recognized viruses, but
> only mark heuristic matches.

That would be a scoring task in Amavisd.

dp
Re: [clamav-users] Understanding OLE2BlockMacros
On 8/25/2016 3:10 PM, Steve Basford wrote:
>> Try this:
>> 1) Enable OLE2BlockMacros and restart clamd
>> 2) Use clamdscan to test your sample message and note the results
>> 3) Disable OLE2BlockMacros and restart clamd
>> 4) Use clamdscan to test your sample message again and note these results
>
> Something else...
>
> In amavisd-new there are virus_name_to_spam_score_maps
>
> For example:
> http://sanesecurity.com/support/problems/
>
> If the setting to block macros is enabled in ClamAV and is actually hitting,
> it should hit with Heuristics.OLE2.ContainsMacros
>
> But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
> Heuristics.OLE2.ContainsMacros so, it might let the email through but
> just mark it, instead of blocking it?
>
> Eg...
>
> # [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],# keep as infected
>
> Does that change things?

I think the issue is that he wants to block recognized viruses, but only mark heuristic matches.

-- 
Bowie
Re: [clamav-users] Understanding OLE2BlockMacros
>
> Try this:
> 1) Enable OLE2BlockMacros and restart clamd
> 2) Use clamdscan to test your sample message and note the results
> 3) Disable OLE2BlockMacros and restart clamd
> 4) Use clamdscan to test your sample message again and note these results
>

Something else...

In amavisd-new there are virus_name_to_spam_score_maps

For example:
http://sanesecurity.com/support/problems/

If the setting to block macros is enabled in ClamAV and is actually hitting,
it should hit with Heuristics.OLE2.ContainsMacros

But.. I don't think amavisd-new has a virus_name_to_spam_score_maps for
Heuristics.OLE2.ContainsMacros so, it might let the email through but
just mark it, instead of blocking it?

Eg...

# [ qr'^Heuristics\.OLE2\.ContainsMacros' => undef ],# keep as infected

Does that change things?

Cheers,

Steve
Web : sanesecurity.com
Twitter: @sanesecurity
Re: [clamav-users] Understanding OLE2BlockMacros
On 8/25/2016 2:39 PM, Alex wrote:
> Hi,
>
>>> When this option is set to Yes, the
>>> emails are tagged, but even emails with macro virus attachments are
>>> forwarded on, not blocked
>>
>> problem is that you don't understand your mailsystem, clamd itself only
>> gives back which signatures are hit and then the glue (amavis or
>> clamav-milter or something like that) makes decisions what happens with the
>> message
>
> No, I understand my mail system. You are assuming I don't understand
> the mail system because it's easy for you to answer in that way rather
> than look at the whole context of the post. I never said that I
> expected clamav to actually block the viruses itself. Of course I
> understand amavisd is responsible for that. In case there was some
> confusion before, let it be known I understand clamav is not
> responsible for the destiny of the email.
>
> I'm talking about the clamav OLE2BlockMacros option. This is a
> clamav option, not an amavis option.
>
> Maybe I should have stated my question more simply:
>
> What is the purpose of the OLE2BlockMacros option? What happens when
> it's set to "Yes"? What happens when it's set to "No"?

What seems to be missing from this discussion is any kind of concrete troubleshooting. You say that when you enable OLE2BlockMacros, messages that should have been blocked by a third party signature are allowed through. Do you have one of those messages saved that you can test with?

Try this:
1) Enable OLE2BlockMacros and restart clamd
2) Use clamdscan to test your sample message and note the results
3) Disable OLE2BlockMacros and restart clamd
4) Use clamdscan to test your sample message again and note these results

This will show you the difference in the results with OLE2BlockMacros enabled vs disabled and may help in determining the problem.

-- 
Bowie
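The four-step comparison above, scripted as an added example that is not part of the thread and not ClamAV code. It toggles one clamd.conf option, restarts clamd and rescans the sample with each value, and it reads the effective value of an option the way clamd does, so a commented-out example line such as "#HeuristicScanPrecedence yes" is reported as the default "no" rather than as enabled. The config excerpt used for the self-test is constructed; the config path, the systemd unit name and the clamdscan invocation are assumptions taken from the paths posted in the thread.

```python
"""Toggle a clamd.conf option and rescan a sample with each value.

Added example, not ClamAV or amavisd code. The config path, the systemd
unit name and the sample excerpt below are assumptions.
"""
import re
import subprocess
from typing import Dict

# Constructed clamd.conf excerpt in clamd's own syntax: one "Name value"
# per line, "#" comments, and commented-out example lines that set nothing.
SAMPLE_CONF = """\
# Constructed clamd.conf excerpt for the self-test
LocalSocket /var/run/clamd.amavisd/clamd.sock
ScanOLE2 yes
#OLE2BlockMacros no
# Default: no
#HeuristicScanPrecedence yes
"""


def _option_re(name: str) -> "re.Pattern[str]":
    # Matches an active line and a commented-out example line for `name`;
    # a prose comment that merely mentions the name has more than one
    # token after it and does not match.
    return re.compile(rf"^\s*(?P<off>#)?\s*{re.escape(name)}\s+(?P<value>\S+)\s*$")


def get_clamd_option(conf_text: str, name: str, default: str) -> str:
    """Effective value of `name`: last active line wins, commented lines are ignored."""
    value = default
    pat = _option_re(name)
    for line in conf_text.splitlines():
        m = pat.match(line)
        if m and not m.group("off"):
            value = m.group("value")
    return value


def set_clamd_option(conf_text: str, name: str, value: str) -> str:
    """Return conf_text with exactly one active `name value` line.

    Every existing line for the option, including a commented-out example,
    is replaced or dropped, so an uncommented example line can no longer
    silently override the default. An absent option is appended.
    """
    pat = _option_re(name)
    out, done = [], False
    for line in conf_text.splitlines():
        if pat.match(line):
            if not done:
                out.append(f"{name} {value}")
                done = True
            continue
        out.append(line)
    if not done:
        out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


def compare_scans(sample: str, conf_path: str = "/etc/clamd.d/amavisd.conf",
                  unit: str = "clamd@amavisd",
                  option: str = "OLE2BlockMacros") -> Dict[str, str]:
    """Steps 1-4 from the thread: scan `sample` with option yes, then no.

    Rewrites conf_path in place and restores it afterwards; needs root and
    a running clamd, so the self-test does not call it.
    """
    results: Dict[str, str] = {}
    with open(conf_path) as fh:
        original = fh.read()
    try:
        for value in ("yes", "no"):
            with open(conf_path, "w") as fh:
                fh.write(set_clamd_option(original, option, value))
            subprocess.run(["systemctl", "restart", unit], check=True)
            proc = subprocess.run(
                ["clamdscan", "-c", conf_path, "--fdpass", "--no-summary", sample],
                capture_output=True, text=True, check=False,
            )
            results[value] = proc.stdout.strip()
    finally:
        with open(conf_path, "w") as fh:
            fh.write(original)
        subprocess.run(["systemctl", "restart", unit], check=False)
    return results


if __name__ == "__main__":
    print("HeuristicScanPrecedence effective:",
          get_clamd_option(SAMPLE_CONF, "HeuristicScanPrecedence", "no"))
    print(set_clamd_option(SAMPLE_CONF, "OLE2BlockMacros", "yes"))
```

Run compare_scans("/var/tmp/inv_5236420.doc") on the mail gateway and diff the two strings; if both runs print only Heuristics.OLE2.ContainsMacros, check get_clamd_option on the live file for HeuristicScanPrecedence before blaming the signatures.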
Re: [clamav-users] Understanding OLE2BlockMacros
In the source code for clamd this is found:

    if(optget(opts, "ScanOLE2")->enabled) {
        logg("OLE2 support enabled.\n");
        options |= CL_SCAN_OLE2;
        if(optget(opts, "OLE2BlockMacros")->enabled) {
            logg("OLE2: Blocking all VBA macros.\n");
            options |= CL_SCAN_BLOCKMACROS;
        }
    } else {
        logg("OLE2 support disabled.\n");
    }

It would appear the option, if set, returns a positive hit for any VBA macro. This action also requires the ScanOLE2 option be enabled (which is the default).

dp

On 8/25/16 11:39 AM, Alex wrote:
> Hi,
>
>>> When this option is set to Yes, the
>>> emails are tagged, but even emails with macro virus attachments are
>>> forwarded on, not blocked
>>
>> problem is that you don't understand your mailsystem, clamd itself only
>> gives back which signatures are hit and then the glue (amavis or
>> clamav-milter or something like that) makes decisions what happens with the
>> message
>
> No, I understand my mail system. You are assuming I don't understand
> the mail system because it's easy for you to answer in that way rather
> than look at the whole context of the post. I never said that I
> expected clamav to actually block the viruses itself. Of course I
> understand amavisd is responsible for that. In case there was some
> confusion before, let it be known I understand clamav is not
> responsible for the destiny of the email.
>
> I'm talking about the clamav OLE2BlockMacros option. This is a
> clamav option, not an amavis option.
>
> Maybe I should have stated my question more simply:
>
> What is the purpose of the OLE2BlockMacros option? What happens when
> it's set to "Yes"? What happens when it's set to "No"?
Re: [clamav-users] Understanding OLE2BlockMacros
On 8/25/2016 1:39 PM, Alex wrote:
> Hi,
>
>>> When this option is set to Yes, the
>>> emails are tagged, but even emails with macro virus attachments are
>>> forwarded on, not blocked
>>
>> problem is that you don't understand your mailsystem, clamd itself only
>> gives back which signatures are hit and then the glue (amavis or
>> clamav-milter or something like that) makes decisions what happens with the
>> message
>
> No, I understand my mail system. You are assuming I don't understand
> the mail system because it's easy for you to answer in that way rather
> than look at the whole context of the post. I never said that I
> expected clamav to actually block the viruses itself. Of course I
> understand amavisd is responsible for that. In case there was some
> confusion before, let it be known I understand clamav is not
> responsible for the destiny of the email.
>
> I'm talking about the clamav OLE2BlockMacros option. This is a
> clamav option, not an amavis option.
>
> Maybe I should have stated my question more simply:
>
> What is the purpose of the OLE2BlockMacros option? What happens when
> it's set to "Yes"? What happens when it's set to "No"?
>

Perhaps you missed this setting:

# Allow heuristic match to take precedence.
# When enabled, if a heuristic scan (such as phishingScan) detects
# a possible virus/phish it will stop scan immediately. Recommended, saves CPU
# scan-time.
# When disabled, virus/phish detected by heuristic scans will be reported only at
# the end of a scan. If an archive contains both a heuristically detected
# virus/phish, and a real malware, the real malware will be reported
#
# Keep this disabled if you intend to handle "*.Heuristics.*" viruses
# differently from "real" malware.
# If a non-heuristically-detected virus (signature-based) is found first,
# the scan is interrupted immediately, regardless of this config option.
#
# Default: no
#HeuristicScanPrecedence yes
Re: [clamav-users] Understanding OLE2BlockMacros
Hi,

>> When this option is set to Yes, the
>> emails are tagged, but even emails with macro virus attachments are
>> forwarded on, not blocked
>
> problem is that you don't understand your mailsystem, clamd itself only
> gives back which signatures are hit and then the glue (amavis or
> clamav-milter or something like that) makes decisions what happens with the
> message

No, I understand my mail system. You are assuming I don't understand the mail system because it's easy for you to answer in that way rather than look at the whole context of the post. I never said that I expected clamav to actually block the viruses itself. Of course I understand amavisd is responsible for that. In case there was some confusion before, let it be known I understand clamav is not responsible for the destiny of the email.

I'm talking about the clamav OLE2BlockMacros option. This is a clamav option, not an amavis option.

Maybe I should have stated my question more simply:

What is the purpose of the OLE2BlockMacros option? What happens when it's set to "Yes"? What happens when it's set to "No"?
Re: [clamav-users] Understanding OLE2BlockMacros
On 24.08.2016 at 21:37, Alex wrote:
> It appears that using OLE2BlockMacros causes attachments with macros,
> viruses or not, to just be marked by amavis with the
> Heuristics.OLE2.ContainsMacros. However, when it's set it no longer
> blocks them but forwards them on.
>
> Is this the intended behavior?

"Heuristics.OLE2.ContainsMacros" does exactly what the option says - it hits on attachments which contain *any* macro

> Is there no way to configure it to mark emails with macro attachments
> and block the ones with macro attachments with viruses?

known viruses are hit by signatures and so on - the whole purpose of Heuristics is to hit on *unknown* incarnations

> I don't believe that's true

we are far away from believing here

> When this option is set to Yes, the
> emails are tagged, but even emails with macro virus attachments are
> forwarded on, not blocked

problem is that you don't understand your mailsystem, clamd itself only gives back which signatures are hit and then the glue (amavis or clamav-milter or something like that) makes decisions what happens with the message

this is NOT a clamav topic

again: this is an amavis topic

> For example, yesterday there were hundreds of the
> Sanesecurity.Badmacro.Doc.valloc virus received. The system with
> OLE2BlockMacros enabled forwarded these on to the user,

then fix your system which is *using* clamav

on my spamassassin setup they hit clamd (one of 2 instances with different signatures and settings) and hence get 6.0 points - period
Re: [clamav-users] Understanding OLE2BlockMacros
ClamAV has no part in tagging, forwarding, or deleting. It simply tells the calling process what the result of the scan was. It is left to the calling process to deal with it per local policy.

dp

On 8/24/16 12:37 PM, Alex wrote:
> Hi,
>
>>> It appears that using OLE2BlockMacros causes attachments with macros,
>>> viruses or not, to just be marked by amavis with the
>>> Heuristics.OLE2.ContainsMacros. However, when it's set it no longer
>>> blocks them but forwards them on.
>>>
>>> Is this the intended behavior?
>>
>> "Heuristics.OLE2.ContainsMacros" does exactly what the option says - it hits
>> on attachments which contain *any* macro
>>
>>> Is there no way to configure it to mark emails with macro attachments
>>> and block the ones with macro attachments with viruses?
>>
>> known viruses are hit by signatures and so on - the whole purpose of
>> Heuristics is to hit on *unknown* incarnations
>
> I don't believe that's true. When this option is set to Yes, the
> emails are tagged, but even emails with macro virus attachments are
> forwarded on, not blocked.
>
> For example, yesterday there were hundreds of the
> Sanesecurity.Badmacro.Doc.valloc virus received. The system with
> OLE2BlockMacros enabled forwarded these on to the user, bypassing the
> scanning entirely. The systems with OLE2BlockMacros disabled caught
> every one of the valloc viruses and prevented them from being
> forwarded on to the users.
>
> I have the following setting in amavis:
>
> @virus_name_to_spam_score_maps = (new_RE(
>   # the order matters, first match wins
>   [ qr'^Heuristics.OLE2.ContainsMacros' => 1.1 ],
> ));
>
> However, I expect that this is for emails which have macro attachments,
> and like you say, unknown whether they are viruses. I would never
> expect an email with a virus attachment to be forwarded on unless I'm
> explicitly requesting that.
>
> Please don't send me to the amavis list - there must be someone who
> uses both clamav and amavis that understands what's happening here.
Re: [clamav-users] Understanding OLE2BlockMacros
Alex wrote:
> Please don't send me to the amavis list - there must be someone who
> uses both clamav and amavis that understands what's happening here.

Much like SpamAssassin, Clamav in and of itself can only say "Matched signature", or "Triggered heuristic test", or "Didn't match anything". It's up to whatever is calling Clam to decide what to do with that result.

Many common integration methods for both are simple enough that they don't have any way of postprocessing the result from SA or Clam (and therefore treat those results as go/no-go flags), but AFAIK amavis should be able to give you more flexibility - something best asked about on the amavis users list.

-kgd
Re: [clamav-users] Understanding OLE2BlockMacros
Hi,

>> It appears that using OLE2BlockMacros causes attachments with macros,
>> viruses or not, to just be marked by amavis with the
>> Heuristics.OLE2.ContainsMacros. However, when it's set it no longer
>> blocks them but forwards them on.
>>
>> Is this the intended behavior?
>
> "Heuristics.OLE2.ContainsMacros" does exactly what the option says - it hits
> on attachments which contain *any* macro
>
>> Is there no way to configure it to mark emails with macro attachments
>> and block the ones with macro attachments with viruses?
>
> known viruses are hit by signatures and so on - the whole purpose of
> Heuristics is to hit on *unknown* incarnations

I don't believe that's true. When this option is set to Yes, the emails are tagged, but even emails with macro virus attachments are forwarded on, not blocked.

For example, yesterday there were hundreds of the Sanesecurity.Badmacro.Doc.valloc virus received. The system with OLE2BlockMacros enabled forwarded these on to the user, bypassing the scanning entirely. The systems with OLE2BlockMacros disabled caught every one of the valloc viruses and prevented them from being forwarded on to the users.

I have the following setting in amavis:

@virus_name_to_spam_score_maps = (new_RE(
  # the order matters, first match wins
  [ qr'^Heuristics.OLE2.ContainsMacros' => 1.1 ],
));

However, I expect that this is for emails which have macro attachments, and like you say, unknown whether they are viruses. I would never expect an email with a virus attachment to be forwarded on unless I'm explicitly requesting that.

Please don't send me to the amavis list - there must be someone who uses both clamav and amavis that understands what's happening here.
Re: [clamav-users] Understanding OLE2BlockMacros
On 24.08.2016 at 18:12, Alex wrote:
>>> I'm using clamav on fedora23 with amavisd-new and would like to tag
>>> each email that contains macros with Heuristics.OLE2.ContainsMacros.
>>> I've enabled OLE2BlockMacros, but it appears it actually lets them
>>> through instead of blocking them outright when this setting is made.
>>>
>>> What is the proper configuration of clamav to tag all emails with
>>> macro attachments with Heuristics.OLE2.ContainsMacros as well as block
>>> those emails with attachments that contain macro viruses?
>>
>> clamav doesn't block or tag anything - that's better suited as a question at
>> the amavisd-new list, however normally you raise the score to a level where
>> amavisd-new or spamassassin starts to tag
>
> I'm using clamav with amavis to block them outright.
>
> It appears that using OLE2BlockMacros causes attachments with macros,
> viruses or not, to just be marked by amavis with the
> Heuristics.OLE2.ContainsMacros. However, when it's set it no longer
> blocks them but forwards them on.
>
> Is this the intended behavior?

"Heuristics.OLE2.ContainsMacros" does exactly what the option says - it hits on attachments which contain *any* macro

> Is there no way to configure it to mark emails with macro attachments
> and block the ones with macro attachments with viruses?

known viruses are hit by signatures and so on - the whole purpose of Heuristics is to hit on *unknown* incarnations
Re: [clamav-users] Understanding OLE2BlockMacros
Hi,

>> I'm using clamav on fedora23 with amavisd-new and would like to tag
>> each email that contains macros with Heuristics.OLE2.ContainsMacros.
>> I've enabled OLE2BlockMacros, but it appears it actually lets them
>> through instead of blocking them outright when this setting is made.
>>
>> What is the proper configuration of clamav to tag all emails with
>> macro attachments with Heuristics.OLE2.ContainsMacros as well as block
>> those emails with attachments that contain macro viruses?
>
> clamav doesn't block or tag anything - that's better suited as a question at
> the amavisd-new list, however normally you raise the score to a level where
> amavisd-new or spamassassin starts to tag

I'm using clamav with amavis to block them outright.

It appears that using OLE2BlockMacros causes attachments with macros, viruses or not, to just be marked by amavis with the Heuristics.OLE2.ContainsMacros. However, when it's set it no longer blocks them but forwards them on.

Is this the intended behavior?

Is there no way to configure it to mark emails with macro attachments and block the ones with macro attachments with viruses?
Re: [clamav-users] Understanding OLE2BlockMacros
On 24.08.2016 at 01:14, Alex wrote:
> I'm using clamav on fedora23 with amavisd-new and would like to tag
> each email that contains macros with Heuristics.OLE2.ContainsMacros.
> I've enabled OLE2BlockMacros, but it appears it actually lets them
> through instead of blocking them outright when this setting is made.
>
> What is the proper configuration of clamav to tag all emails with
> macro attachments with Heuristics.OLE2.ContainsMacros as well as block
> those emails with attachments that contain macro viruses?

clamav doesn't block or tag anything - that's better suited as a question at the amavisd-new list, however normally you raise the score to a level where amavisd-new or spamassassin starts to tag

___

example of a NON-AMAVIS setup with a non-default SA plugin

cat /etc/mail/spamassassin/clamav.cf

ifplugin Mail::SpamAssassin::Plugin::ClamAV

full     CLAMAV_JNK eval:check_clamav('/run/clamd/clamd-sa.sock')
describe CLAMAV_JNK ClamAV detected malware/phishing/junk
priority CLAMAV_JNK 800
score    CLAMAV_JNK 6.0

full     CLAMAV_MLW eval:check_clamav('/run/clamd/clamd.sock')
describe CLAMAV_MLW ClamAV detected malware/phishing
priority CLAMAV_MLW 800
score    CLAMAV_MLW 9.9

endif