<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Lato;
panose-1:2 15 5 2 2 2 4 3 2 3;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman",serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Lato",sans-serif;
color:#404040;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri",sans-serif;color:#8A8A8A'><br></span><span style='font-size:11.0pt;font-family:"Lato",sans-serif;color:#404040;mso-fareast-language:EN-US'>Your rule should work. Are you using tabs?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Lato",sans-serif;color:#404040;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Lato",sans-serif;color:#404040;mso-fareast-language:EN-US'>For example this should work – <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Lato",sans-serif;color:#404040;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Lato",sans-serif;color:#404040;mso-fareast-language:EN-US'>From: somegoodsender@domain.com and To: *@mydomain.com no<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Lato",sans-serif;color:#404040;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'>From:</span></b><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri",sans-serif'> MailScanner [mailto:mailscanner-bounces+richard=fastnet.co.uk@lists.mailscanner.info] <b>On Behalf Of </b>Support<br><b>Sent:</b> Monday, June 12, 2017 21:26<br><b>To:</b> mailscanner@lists.mailscanner.info<br><b>Subject:</b> Rule set question, to bypass ClamAV<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'>Hi there, <o:p></o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'><o:p> </o:p></span></p><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'>My 1st post.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'>Is it possible somehow to use a sender <-> recipient combination in the scan.messages.rules or virus.scanning.rules? I tried things like 'From: <a href="mailto:safe_sender@safe_domain.com">safe_sender@safe_domain.com</a> and To:trusted_recipient@example.com' but that didn't work.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'>I want to do this to block all macro's in ClamAv for all users (or can this be user controlled??), while disabling virus scanning for users that need Office macro's. Or is there another way to allow macro's for some specific sender, recipient and/or the combination?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'>To my exprience most ransom ware originates from Office documents with macro's. Seems ClamAV even with all UnOfficial SIGS does not detect m all. Or does someone has a 100% catch ratio?<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'>Any ideas welcome.<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'>Grtz,<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'>Ronald<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Tahoma",sans-serif;color:black'><o:p> </o:p></span></p></div></div></div></div></body></html>