Virus Parser

Scott B. Anderson sbanderson at impromed.com
Mon Feb 8 19:39:24 UTC 2016


How do you handle the new Office 97-05 trojan documents without macros that still contain Trojans that abuse the RTF 'engine' in Office 2010/13/16 to root workstations without the .doc or .xls actually containing a macro?  I had to outright block all of them both within Outlook using group policies and MailScanner using filename rules (while still allowing docx and xlsx without macros).

Scott


-----Original Message-----
From: MailScanner [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Peter Lemieux
Sent: Monday, February 8, 2016 1:33 PM
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: Virus Parser

We use ClamAV to handle those files with macros.  If you install a version of ClamAV alongside f-prot that provides the clamd server and configure MailScanner accordingly, you can change the directive in /etc/clamd.conf to read

ScanOLE2 yes
OLE2BlockMacros yes

then files with macros will be treated as malware.  The macros will not be stripped though.  The message will be quarantined by MailScanner like any other piece of malware.  In the organization I consult to, ordinary users have no need of files with macros, so blocking them all is the easiest solution.  The recipient will get a notice that the message was quarantined, so you can pull the occasional legitimate file from there.

Peter


On 02/07/2016 07:17 PM, Moris Kod wrote:
> Where would one tweak the virus scanner parser for f-prot?   I'm trying to get
> MailScanner to strip macros off of word and excel documents.


--
MailScanner mailing list
mailscanner at lists.mailscanner.info
http://lists.mailscanner.info/listinfo/mailscanner


-- 
Rely On Us.
ImproMed LLC
Henry Schein Animal Health
--
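
The policy described in the message above (block legacy .doc/.xls, allow docx/xlsx without macros), sketched as a check on attachment content instead of a filename rule. This is an added example, not part of the original thread and not MailScanner or ClamAV code; the function names, the `vbaProject.bin` test for macros, the "pass" outcome and the sample inputs are assumptions constructed for illustration.

```python
import io
import os
import zipfile

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls compound file
RTF_MAGIC = b"{\\rtf"                            # RTF header, whatever the file is named
ZIP_MAGIC = b"PK\x03\x04"                        # .docx/.xlsx are ZIP archives
LEGACY_EXT = {".doc", ".xls"}
OOXML_EXT = {".docx", ".xlsx"}

def sniff(data):
    """Classify an attachment by its content, ignoring the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(ZIP_MAGIC):
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "other"
        if "[Content_Types].xml" not in names:
            return "other"  # a plain ZIP, not an Office document
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        return "ooxml-macro" if has_vba else "ooxml"
    return "other"

def verdict(filename, data):
    """Hypothetical policy modelled on the one described in the thread."""
    ext = os.path.splitext(filename.lower())[1]
    kind = sniff(data)
    if ext in OOXML_EXT and kind == "ooxml":
        return ("allow", kind)   # docx/xlsx without macros
    if ext in LEGACY_EXT or ext in OOXML_EXT or kind in ("ole2", "ooxml-macro"):
        return ("block", kind)   # legacy names, mismatched content, or macros
    return ("pass", kind)        # not covered here; leave to other rules

def make_ooxml(with_macro):
    """Build a constructed, minimal OOXML-shaped ZIP in memory (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"constructed")
    return buf.getvalue()

RTF_SAMPLE = b"{\\rtf1\\ansi constructed sample}"   # constructed input
OLE2_SAMPLE = OLE2_MAGIC + b"\x00" * 504            # constructed input
```

The second element of each verdict is the detected content type, so a quarantine log can record that a file named .doc was in fact RTF.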


