Rulesets for documents with OLE2 macros

Peter Lemieux mailscanner at
Fri Aug 14 03:02:21 UTC 2015

We've enabled OLE2BlockMacros in clamd.conf so clamd will reject any message 
with an attached MS Office document containing macros.  My client's office was 
infected when someone unwittingly ran a macro in a Trojan horse document.  The 
client has since globally disabled peoples' ability to run Office macros, but 
we still want to block these documents just in case.

Blocked messages create log entries like these:

MailScanner[4652]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: 

These messages are treated as viruses by MailScanner since clamd reports them 
as infected.  However the logs indicate MailScanner knows this "infection" is 
an OLE2 macro violation.

Currently if we want to exempt senders from the OLE2 restriction, we need to 
whitelist them from virus scanning entirely.  Is there was a way to create a 
rule that keys on clamd returning the "ContainsMacros" string and permits or 
blocks the message based on a ruleset?


More information about the MailScanner mailing list