On Sat, Jan 25, 2020 at 12:57 AM Kevin A. McGrail wrote:
> I'd suggest you look at SpamAssassin's new OLEVBMacro plugin with
> 3.4.3.
Nice to know spamassassin can block malicious macros in Office documents.
However, I'm not sure why it's not working for me.
I have v. 3.4.3.
# grep -r OLE /etc/mail/*
/etc/mail/spamassassin/v343.pre:# OLEVBMacro - Detects both OLE macros
and VB code inside Office documents
/etc/mail/spamassassin/v343.pre:loadplugin
Mail::SpamAssassin::Plugin::OLEVBMacro
# spamassassin -t t/data/spam/olevbmacro/malicemacro.eml
outputs "...has NOT identified this incoming email as spam..."
Likewise, the mimedefang code below does not trigger a spam notification:
my($hits, $req, $names, $report) = spam_assassin_check();
my($score);
if ($hits < 40) {
$score = "*" x int($hits);
} else {
$score = "*" x 40;
}
In any case, I have a doc file with a malicious macro. I confirmed it
through Trendmicro Antivirus and Google Gmail (both detect this file
as containing a virus, supposedly EMOTET, but I haven't seen the
Trendmicro log yet to confirm).
I have an updated clamav engine with updated signatures. I even
regularly download extra signturs from
https://urlhaus.abuse.ch/downloads/urlhaus.ndb.
I tried running "clamscan my_doc_file", but ClamAV keeps reporting that it's OK.
Finally, I'm wondering if Mail::SpamAssassin::Plugin::OLEVBMacro can
block/"mark as spam" all those messages that contain an attached
Office file with macros, whether it's malicious or not. I know it's a
harsh policy, but given the fact that my ClamAV installation is unable
to detect a virus when there's supposed to be one, I'd rather go that
route.
Vieri
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
