Re: [Mimedefang] [External] MS Office document macros
On Sun, Jan 26, 2020 at 6:01 PM Kevin A. McGrail wrote:
>
> Do you have any rules using that plugin? Look at KAM.cf

I forgot to score them... Sorry, my bad.
It works fine now.

Thanks,

Vieri
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

Re: [Mimedefang] [External] MS Office document macros
On 1/26/2020 10:10 AM, Vieri Di Paola wrote:
> On Sat, Jan 25, 2020 at 12:57 AM Kevin A. McGrail wrote:
>> I'd suggest you look at SpamAssassin's new OLEVBMacro plugin with
>> 3.4.3.
> Nice to know spamassassin can block malicious macros in Office documents.
>
> However, I'm not sure why it's not working for me.

Do you have any rules using that plugin? Look at KAM.cf

https://mcgrail.com/downloads/KAM.cf

Regards,
KAM

Re: [Mimedefang] [External] MS Office document macros
On Sat, Jan 25, 2020 at 12:57 AM Kevin A. McGrail wrote:
> I'd suggest you look at SpamAssassin's new OLEVBMacro plugin with
> 3.4.3.

Nice to know spamassassin can block malicious macros in Office documents.

However, I'm not sure why it's not working for me.

I have v. 3.4.3.

# grep -r OLE /etc/mail/*
/etc/mail/spamassassin/v343.pre:# OLEVBMacro - Detects both OLE macros and VB code inside Office documents
/etc/mail/spamassassin/v343.pre:loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

# spamassassin -t t/data/spam/olevbmacro/malicemacro.eml

outputs "...has NOT identified this incoming email as spam..."

Likewise, the mimedefang code below does not trigger a spam notification:

    my($hits, $req, $names, $report) = spam_assassin_check();
    my($score);
    # Build a string of asterisks, one per whole point of score, capped at 40
    if ($hits < 40) {
        $score = "*" x int($hits);
    } else {
        $score = "*" x 40;
    }

In any case, I have a doc file with a malicious macro. I confirmed it
through Trendmicro Antivirus and Google Gmail (both detect this file
as containing a virus, supposedly EMOTET, but I haven't seen the
Trendmicro log yet to confirm).

I have an updated clamav engine with updated signatures. I even
regularly download extra signatures from
https://urlhaus.abuse.ch/downloads/urlhaus.ndb.
I tried running "clamscan my_doc_file", but ClamAV keeps reporting that it's OK.

Finally, I'm wondering if Mail::SpamAssassin::Plugin::OLEVBMacro can
block/"mark as spam" all those messages that contain an attached
Office file with macros, whether it's malicious or not. I know it's a
harsh policy, but given the fact that my ClamAV installation is unable
to detect a virus when there's supposed to be one, I'd rather go that
route.

Vieri

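The symptom in the message above (plugin loaded in v343.pre, sample mail not flagged) fits the cause reported elsewhere in this thread: `loadplugin` only makes the plugin's eval checks available, and nothing fires until rules call them and carry a score. A minimal sketch of such rules, added here as an example and not taken from KAM.cf or from the posters; the file path, the rule names `LOCAL_OLEMACRO` and `LOCAL_OLEMACRO_MALICE`, and the score values are assumptions:

```conf
# /etc/mail/spamassassin/local.cf  (example path, an assumption)
#
# Before: v343.pre contains only
#   loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro
# which registers the eval functions but defines no rule, so no hit
# and no score ever appears in the report.

ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro

  # Policy from the message above: flag ANY Office attachment that
  # carries a macro, malicious or not.
  body      LOCAL_OLEMACRO         eval:check_olemacro()
  describe  LOCAL_OLEMACRO         Attachment has an Office macro
  # Example score: equal to the default required_score of 5.0, so this
  # rule alone marks the message as spam.
  score     LOCAL_OLEMACRO         5.0

  # Stricter signal: macro matches the plugin's own malice heuristics.
  body      LOCAL_OLEMACRO_MALICE  eval:check_olemacro_malice()
  describe  LOCAL_OLEMACRO_MALICE  Potentially malicious Office macro
  # Example score: high enough to separate it from the generic rule
  # when the filter applies a second, harsher threshold.
  score     LOCAL_OLEMACRO_MALICE  10.0

endif
```

After editing, `spamassassin --lint` checks the syntax, and rerunning the `spamassassin -t` test from the message should list the rule names among the hits; those names are also what MIMEDefang receives in `$names` from `spam_assassin_check()`.
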
Re: [Mimedefang] [External] MS Office document macros
I use no MS products at all.

> I use fpscan :

Re: [Mimedefang] [External] MS Office document macros
I use fpscan :

EXTRA MACRO DISINFECTION OPTIONS
    Default is to remove only known malware macros.
    --macros_safe       Remove all macros from infected documents.
    --macros_new        Remove all macros from document when new variant is found.
    --stripallmacros    Remove all macros from all documents.

Regards

Mack

-Original Message-
From: MIMEDefang [mailto:mimedefang-boun...@lists.roaringpenguin.com] On Behalf Of Vieri Di Paola
Sent: 25 January 2020 00:16
To: Kevin A. McGrail
Cc: mimedefang@lists.roaringpenguin.com
Subject: Re: [Mimedefang] [External] MS Office document macros

On Sat, Jan 25, 2020 at 12:57 AM Kevin A. McGrail wrote:
>
> I'd suggest you look at SpamAssassin's new OLEVBMacro plugin with
> 3.4.3. There's an update to 3.4.4 coming with more blocks too. KAM.cf
> has examples for implementation too.

Thanks!

Re: [Mimedefang] [External] MS Office document macros
Kevin A. McGrail wrote on 2020-01-25 00:57:
> I'd suggest you look at SpamAssassin's new OLEVBMacro plugin with
> 3.4.3. There's an update to 3.4.4 coming with more blocks too. KAM.cf
> has examples for implementation too.

why not add clamav plugin to spamassassin then ? :=)

Re: [Mimedefang] [External] MS Office document macros
On Sat, Jan 25, 2020 at 12:57 AM Kevin A. McGrail wrote:
>
> I'd suggest you look at SpamAssassin's new OLEVBMacro plugin with
> 3.4.3. There's an update to 3.4.4 coming with more blocks too. KAM.cf
> has examples for implementation too.

Thanks!

Re: [Mimedefang] [External] MS Office document macros
On 1/24/2020 6:22 PM, Vieri Di Paola wrote:
> Has anyone tried to detect and block e-mails with MS Office documents
> that contain macros?
> Something like this: https://github.com/sbidy/MacroMilter
>

Hi Vieri,

I'd suggest you look at SpamAssassin's new OLEVBMacro plugin with 3.4.3.
There's an update to 3.4.4 coming with more blocks too. KAM.cf has
examples for implementation too.

Regards,
KAM