Rulesets for documents with OLE2 macros

Peter Lemieux mailscanner at replies.cyways.com
Fri Aug 14 03:02:21 UTC 2015


We've enabled OLE2BlockMacros in clamd.conf so clamd will reject any message 
with an attached MS Office document containing macros.  My client's office was 
infected when someone unwittingly ran a macro in a Trojan horse document.  The 
client has since globally disabled people's ability to run Office macros, but 
we still want to block these documents just in case.

Blocked messages create log entries like these:

MailScanner[4652]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./t7DDKoxE006712/AccountDocuments.doc

These messages are treated as viruses by MailScanner since clamd reports them 
as infected.  However the logs indicate MailScanner knows this "infection" is 
an OLE2 macro violation.

Currently if we want to exempt senders from the OLE2 restriction, we need to 
whitelist them from virus scanning entirely.  Is there a way to create a 
rule that keys on clamd returning the "ContainsMacros" string and permits or 
blocks the message based on a ruleset?

Peter
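As an added example (not part of the original post, and not MailScanner's own ruleset machinery), the following Python parses `Clamd::INFECTED::` log lines of the shape quoted above and separates OLE2-macro heuristic blocks from real signature hits, so an operator can see at a glance how many quarantined messages are macro-policy blocks rather than malware detections. The regex field names, the `ClamdHit` class, the `triage` helper and every sample line except the one quoted in the post are assumptions constructed here.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Signature string clamd reports when OLE2BlockMacros trips (taken from the post).
MACRO_HEURISTIC = "Heuristics.OLE2.ContainsMacros"

# Regex for the "Clamd::INFECTED::" line MailScanner writes. Its shape follows
# the single line quoted in the post; the group names are assumptions.
CLAMD_INFECTED = re.compile(
    r"MailScanner\[(?P<pid>\d+)\]: Clamd::INFECTED:: (?P<signature>\S+) :: "
    r"\./(?P<msgid>[^/]+)/(?P<filename>.+?)\s*$"
)


@dataclass(frozen=True)
class ClamdHit:
    pid: int
    signature: str
    msgid: str       # MailScanner's per-message work directory name
    filename: str    # attachment that triggered the report

    @property
    def category(self) -> str:
        # "macro-policy": blocked only because the document carries a macro.
        # "malware": a real clamd signature or another heuristic fired.
        return "macro-policy" if self.signature == MACRO_HEURISTIC else "malware"


def parse_clamd_hit(line: str) -> Optional[ClamdHit]:
    """Return a ClamdHit for a Clamd::INFECTED line, None for any other line."""
    m = CLAMD_INFECTED.search(line)
    if not m:
        return None
    return ClamdHit(int(m["pid"]), m["signature"], m["msgid"], m["filename"])


def triage(lines: Iterable[str]) -> dict:
    """Split clamd hits into macro-policy blocks and real malware detections."""
    hits = [h for h in (parse_clamd_hit(line) for line in lines) if h]
    return {
        "macro-policy": [h for h in hits if h.category == "macro-policy"],
        "malware": [h for h in hits if h.category == "malware"],
        "counts": Counter(h.category for h in hits),
    }


# Constructed sample log: the first line is the one quoted in the post; the
# others are made up here to show a non-macro signature and an unrelated line.
SAMPLE_LOG = [
    "MailScanner[4652]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: "
    "./t7DDKoxE006712/AccountDocuments.doc",
    "MailScanner[4652]: Clamd::INFECTED:: Eicar-Test-Signature :: "
    "./t7DDKoxE006713/invoice.exe",
    "MailScanner[4652]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: "
    "./t7DDKoxE006714/Quarterly Report.xls",
    "MailScanner[4652]: Virus Scanning: Found 2 viruses",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for category in ("macro-policy", "malware"):
        for h in result[category]:
            print(f"{category:12} {h.msgid} {h.filename} ({h.signature})")
    print(dict(result["counts"]))
```

The log line carries only the per-message work directory name, not the sender, so tying a macro-policy block back to a particular sender would need MailScanner's other log lines for the same id; this example stops at separating the two kinds of block so the macro hits can be reviewed apart from genuine malware detections.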

