Rule set question, to bypass ClamAV

[Richard Mealing]

Your rule should work. Are you using tabs?

For example this should work -

From:           somegoodsender at domain.com    and     To:     *@mydomain.com      no

From: MailScanner [mailto:mailscanner-bounces+richard=fastnet.co.uk at lists.mailscanner.info] On Behalf Of Support
Sent: Monday, June 12, 2017 21:26
To: mailscanner at lists.mailscanner.info
Subject: Rule set question, to bypass ClamAV

Hi there,

My 1st post.

Is it possible somehow to use a sender <-> recipient combination in the scan.messages.rules or virus.scanning.rules? I tried things like 'From: safe_sender at safe_domain.com<mailto:safe_sender at safe_domain.com> and To:trusted_recipient at example.com' but that didn't work.

I want to do this to block all macro's in ClamAv for all users (or can this be user controlled??), while disabling virus scanning for users that need Office macro's. Or is there another way to allow macro's for some specific sender, recipient and/or the combination?

To my exprience most ransom ware originates from Office documents with macro's. Seems ClamAV even with all UnOfficial SIGS does not detect m all. Or does someone has a 100% catch ratio?

Any ideas welcome.

Grtz,
Ronald

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20170613/fc07565b/attachment.html>