Giovanni Bechis <giova...@paclan.it> writes:

> On 7/3/19 7:11 PM, Riccardo Alfieri wrote:
>> On 03/07/19 17:59, atat wrote:
>>
>>> You say in documentation:
>>>
>>> You should also drop, by default, all Office documents with macros.
>>>
>>> What plugin / method do You recommend for that?
>>
>> I'm no expert in detecting macros, but there are at least two ways of doing that
>> that come to mind:
>>
>> - Clamav with the option OLE2BlockMacros

Reading up on OLE2BlockMacros in clamav, I'm very confused by
https://www.mail-archive.com/clamav-users@lists.clamav.net/msg42671.html

Specifically:

  Setting 'OLE2BlockMacros Yes' effectively causes
  'Heuristics.OLE2.ContainsMacros' to be returned, and disables all
  official and unofficial signatures.

  When 'OLE2BlockMacros Yes' this causes 'Heuristics.OLE2.ContainsMacros'
  to be returned first and all other signatures that are not against
  uncompressed macros are ignored. You only get one signature back and
  that is the first one hit, which may be a 'soft' signature ie one you
  mightn't discard an email on, such as Heuristics.OLE2.ContainsMacros,
  even though 'hard' signatures official or unofficial might also have
  hit if they had been run later.

> This has been superseded by
> https://svn.apache.org/repos/asf/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/OLEMacro.pm
> the plugin is for trunk but it works out of the box in 3.4.3rc3 as well (some
> work is needed to let it work on 3.4.2)

Can't these be blocked at the MTA level to be much more CPU friendly?

--
micah