Scott B. Anderson
sbanderson at impromed.com
Mon Feb 8 19:39:24 UTC 2016
How do you handle the new Office 97-05 trojan documents without macros that still contain Trojans that abuse the RTF 'engine' in Office 2010/13/16 to root workstations without the .doc or .xls actually containing a macro? I had to outright block all of them, both within Outlook using group policies and in MailScanner using filename rules (while still allowing docx and xlsx without macros).
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Peter Lemieux
Sent: Monday, February 8, 2016 1:33 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: Virus Parser
We use ClamAV to handle those files with macros. If you install a version of ClamAV alongside f-prot that provides the clamd server and configure MailScanner accordingly, you can change the directive in /etc/clamd.conf to read
then files with macros will be treated as malware. The macros will not be stripped though. The message will be quarantined by MailScanner like any other piece of malware. In the organization I consult to, ordinary users have no need of files with macros, so blocking them all is the easiest solution.
The recipient will get a notice that the message was quarantined, so you can pull the occasional legitimate file from there.
On 02/07/2016 07:17 PM, Moris Kod wrote:
> Where would one tweak the virus scanner parser for f-prot? I'm trying to get
> MailScanner to strip macros off of word and excel documents.
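The policy described in this thread (block legacy Office documents, allow docx and xlsx only when they carry no macros) can also be applied by file content rather than file name. The sketch below is an added example, not code from the thread or from MailScanner or ClamAV; the function names, the constructed samples, and the choice to block RTF and unreadable ZIP containers are assumptions.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Office 97-2003 .doc/.xls container
RTF_MAGIC = b"{\\rt"                             # RTF, which Word also opens as .doc


def classify(data: bytes) -> tuple[str, str]:
    """Return (verdict, reason) from content, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "block", "legacy OLE2 Office document"
    if data.lstrip().startswith(RTF_MAGIC):
        return "block", "RTF document"
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            # Assumed policy: a container we cannot inspect is not delivered.
            return "block", "unreadable ZIP container"
        if "[content_types].xml" in names:
            if any(n.endswith("vbaproject.bin") for n in names):
                return "block", "OOXML document with VBA project"
            return "allow", "OOXML document without macros"
    return "allow", "not an Office document"


def make_ooxml(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-like ZIP for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed samples; the labels are display names only and are never inspected.
SAMPLES = {
    "invoice.doc (OLE2)": OLE2_MAGIC + b"\x00" * 504,
    "invoice.doc (really RTF)": b"{\\rtf1\\ansi constructed sample}",
    "report.docx": make_ooxml(with_macro=False),
    "report.docx (macro inside)": make_ooxml(with_macro=True),
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", classify(data))
```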