Hi,

>>>> Is there any ability to determine if a particular attachment has a
>>>> Word macro enclosed in addition to just having a Word document?
>>>
>>> that's the job of clamav and the sa-plugin for it
>>>
>>> "OLE2BlockMacros yes" in case of a scored SA plugin won't block but add the
>>> score of that clamd-instance, for unconditional block of other things you
>>> typically have a clamd-instance with different config running as
>>> unconditional milter
>>
>> Yeah, that's unacceptable to me.
>>
>> I can't accept obscuring whether a particular attachment has a macro
>> virus and instead just be notified only that it has a macro. That's
>> effectively saying it's necessary to outright block all macros or risk
>> allowing attachments with macro viruses to be passed unencumbered.
>>
>> I was looking for another way to link macros with spamassassin, as the
>> amavisd/clamd approach is broken.
>
> The reality of the world is:
> 1) block/quarantine/encumber/tag all documents that have a macro.
> 2) allow them thru unencumbered and risk delivering documents that might
> have a macro virus.
That won't work. I can't tell my users they can no longer receive a
significant percentage of Word documents any longer.

> I assume that you already have an AV that will block/quarantine -known-
> macro viruses.

Yes, clamav, and sophos, but sophos sucks worse than clamav.

> You say "that's unacceptable to me"
> What is 'acceptable' to you? Unless you find some magical prescient
> anti-virus that can accurately predict all possible macro viruses without
> FPs I don't know what else can be done.

No, you're not understanding the specific problem. The problem (with
clamav) is that it can identify macro viruses and block them (through
spamd/amavisd/whatever) or it can identify files that have macros (which
may or may not be viruses) and let them pass or categorically
reject/block them. It can't identify files that have macros separately
from files that have macro viruses.

Further, F-Secure has a much better rate of success with blocking macro
viruses than clamav or sophos, based on this same email being passed on to
another system managed by a popular antispam company before being
forwarded on to its final destination.
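The "has a macro at all" signal the original question asks for can be derived independently of clamav's all-or-nothing OLE2BlockMacros switch by reading the attachment's OLE2 (compound file) directory and looking for a VBA project storage. The following is an added example, not code from this thread, ClamAV or SpamAssassin: it parses the CFB header, FAT and directory of a legacy .doc, and the builder plus the function names are assumptions used to construct a minimal sample in place of a real attachment (OOXML .docm files are ZIP containers and are not covered). A SpamAssassin hook would feed each decoded attachment to has_vba_macros and add a score, leaving the AV verdict separate.

```python
import struct

MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"              # OLE2 / CFB signature
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF

def ole2_entry_names(data):
    """Return the names of every storage/stream in an OLE2 container, [] if not OLE2."""
    if data[:8] != MAGIC:
        return []
    ss = 1 << struct.unpack_from("<H", data, 0x1E)[0]          # sector size (512 or 4096)
    sid = struct.unpack_from("<I", data, 0x30)[0]              # first directory sector
    fat = []                                                   # header DIFAT -> FAT sectors
    for i in range(109):
        fat_sid = struct.unpack_from("<I", data, 0x4C + 4 * i)[0]
        if fat_sid >= 0xFFFFFFFA or (fat_sid + 2) * ss > len(data):
            break                                              # FREESECT or truncated file
        fat.extend(struct.unpack_from("<%dI" % (ss // 4), data, (fat_sid + 1) * ss))
    names, seen = [], set()
    # The directory is a flat array of 128-byte entries, so nested storages such as
    # Macros/VBA are found without walking the sibling/child tree.
    while sid < len(fat) and sid not in seen and (sid + 2) * ss <= len(data):
        seen.add(sid)                                          # guard against FAT loops
        sector = data[(sid + 1) * ss:(sid + 2) * ss]
        for off in range(0, ss, 128):
            nlen, etype = struct.unpack_from("<HB", sector, off + 64)
            if etype != 0 and 2 <= nlen <= 64:                 # skip unused entries
                names.append(sector[off:off + nlen - 2].decode("utf-16-le", "replace"))
        sid = fat[sid]
    return names

def has_vba_macros(data):
    """True if a VBA project is present (Word 'Macros/VBA', Excel '_VBA_PROJECT_CUR').
    This says nothing about whether the macro is malicious; that stays the AV's job."""
    return bool({"VBA", "_VBA_PROJECT", "_VBA_PROJECT_CUR"} & set(ole2_entry_names(data)))

def _entry(name, etype):                                       # one 128-byte directory entry
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return raw.ljust(64, b"\x00") + struct.pack("<HB", len(raw), etype) + bytes(61)

def build_sample_doc(with_macros):
    """Constructed sample (assumption): minimal OLE2 file, sector 0 = FAT, sector 1 = directory."""
    hdr = bytearray(MAGIC) + bytes(0x4C - 8) + bytes([0xFF]) * (512 - 0x4C)
    struct.pack_into("<HH", hdr, 0x1E, 9, 6)                   # 512-byte sectors, 64-byte mini
    struct.pack_into("<II", hdr, 0x2C, 1, 1)                   # 1 FAT sector; dir chain starts at 1
    struct.pack_into("<I", hdr, 0x4C, 0)                       # DIFAT[0]: the FAT is in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    entries = [_entry("Root Entry", 5), _entry("WordDocument", 2)]
    if with_macros:
        entries += [_entry("Macros", 1), _entry("VBA", 1)]
    return bytes(hdr) + fat + b"".join(entries).ljust(512, b"\x00")
```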