Hi all,

These targeted macro viruses are killing us. I hoped someone would
like to take a shot at suggestions on how to stop these.

http://pastebin.com/FTzbQcHb

The Heuristics.OLE2.ContainsMacros rule is added by amavisd+clamav,
but it's apparently not something that spamassassin can manipulate
once it's been added. In other words, it can't be used in a meta or to
make spam/ham decisions, only add to the existing score.

Is there a spamassassin rule that identifies attachments with macros in them?

What strategy are other people using to block zero-day macro viruses?

You'll notice the attachment still isn't being detected by clamav
proper (no surprise, really), and was only just now submitted to Steve
at sanesecurity.

It appears some companies are quarantining any files with macros in
them for some period of time until they can be deconstructed and
analyzed (sandbox, etc). Are any SA users doing that?

I'm sure I could build a body rule, but that's kind of playing
whack-a-mole. I wondered what more general solutions people had that
might detect/block these. Body rules are also welcomed, of course.

Thanks,
Alex
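As an added illustration of the kind of general check the post is asking about (this is example code, not something from the original post or from SpamAssassin/amavisd/ClamAV), the following Python script walks a message's attachments and flags the two places a VBA project actually lives: the `vbaProject.bin` part inside a ZIP-based OOXML file (`.docm`, `.xlsm`, `.pptm`), and the `_VBA_PROJECT` / `_VBA_PROJECT_CUR` / `Macros` storage names in a legacy OLE2 compound file. The OLE2 check is a byte-scan heuristic for those UTF-16LE directory names rather than a full compound-file parser, and the sample message it scans is constructed inline (placeholder bytes, not a real VBA project).

```python
"""Flag e-mail attachments that carry VBA macros (added example, not list code)."""
from __future__ import annotations

import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Compound File Binary (OLE2) magic: legacy .doc/.xls/.ppt containers.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# ZIP local-file header: OOXML (.docx/.docm/.xlsm/...) containers.
ZIP_MAGIC = b"PK\x03\x04"

# Storage/stream names that hold a VBA project in OLE2 documents, stored UTF-16LE
# in the compound file's directory.  Heuristic: scan for them rather than parse the FAT.
OLE2_VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "_VBA_PROJECT_CUR", "Macros")]

# Macro-enabled OOXML extensions: a weak signal on its own, used as a fallback.
MACRO_ENABLED_EXT = re.compile(r"\.(?:docm|dotm|xlsm|xltm|xlam|pptm|potm|ppam)$", re.I)


def ole2_has_vba(data: bytes) -> bool:
    """True if an OLE2 container contains a VBA project directory name."""
    if not data.startswith(OLE2_MAGIC):
        return False
    return any(marker in data for marker in OLE2_VBA_MARKERS)


def ooxml_has_vba(data: bytes) -> bool:
    """True if a ZIP-based Office document ships a vbaProject.bin part."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(name.lower().endswith("vbaproject.bin") for name in names)


def classify_attachment(filename: str, data: bytes) -> str | None:
    """Return a reason string when the attachment looks macro-bearing, else None."""
    if ole2_has_vba(data):
        return "OLE2 document with VBA project storage"
    if ooxml_has_vba(data):
        return "OOXML document with vbaProject.bin part"
    if MACRO_ENABLED_EXT.search(filename):
        return "macro-enabled extension, no VBA part found (inspect manually)"
    return None


def scan_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw RFC 5322 message and return (filename, reason) for flagged attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_content()            # bytes for application/* parts
        if not isinstance(payload, bytes):
            payload = str(payload).encode()
        reason = classify_attachment(name, payload)
        if reason:
            findings.append((name, reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: one .docm, one OLE2 .xls with a VBA marker, one PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    docm = buf.getvalue()
    # Constructed OLE2-looking blob: magic, padding, then a VBA storage name as UTF-16LE.
    xls = OLE2_MAGIC + b"\x00" * 504 + "_VBA_PROJECT_CUR".encode("utf-16-le") + b"\x00" * 64

    msg = EmailMessage()
    msg["From"] = "sender@example.com"      # constructed addresses
    msg["To"] = "alex@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(docm, maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="invoice.docm")
    msg.add_attachment(xls, maintype="application", subtype="vnd.ms-excel", filename="report.xls")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reason in scan_message(build_sample_message()):
        print(f"{filename}: {reason}")
```

Run stand-alone it prints the two flagged attachments and stays silent on the PDF. In a mail pipeline the natural place for this is a milter or amavisd hook that adds a header such as a constructed `X-Macro-Attachment: yes`, which a plain SpamAssassin `header` rule can then score and combine in a `meta`, which is exactly what the ClamAV heuristic name in the post cannot do once amavisd has already added it. For production use a real compound-file parser such as the `olevba` tool from the oletools project is more robust than the byte scan above, since it follows the directory chain instead of assuming the names are not split across sectors.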
