On 8/25/2016 7:06 PM, Alex wrote:
> Hi,
> Try this:
> 1) Enable OLE2BlockMacros and restart clamd
> 2) Use clamdscan to test your sample message and note the results
> 3) Disable OLE2BlockMacros and restart clamd
> 4) Use clamdscan to test your sample message again and note these results
Very constructive help, thank you. Here are the results with a file
that has a macro virus:
OLE2BlockMacros yes
[root@juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc
/var/tmp/inv_5236420.doc: Heuristics.OLE2.ContainsMacros FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.028 sec (0 m 0 s)
OLE2BlockMacros no
[root@juggernaut ~]# clamdscan -c /etc/clamd.d/amavisd.conf --fdpass /var/tmp/inv_5236420.doc
/var/tmp/inv_5236420.doc: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.272 sec (0 m 0 s)
This is with HeuristicScanPrecedence set to the default No, but it
appears to take precedence anyway, as the scan with OLE2BlockMacros
set to Yes only reports that macros were found, not that a virus was
found.
I'm wondering if the unofficial signatures are being given a lower
precedence than the official rules. Possibly the
HeuristicScanPrecedence setting is setting heuristics at a lower
precedence than the official rules, but still higher than the unofficial
ones.
Can anyone who knows more about the internals of ClamAV comment on this?
--
Bowie
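The two clamdscan runs above differ only in which verdict is reported for the same file: with OLE2BlockMacros enabled the heuristic name is printed, with it disabled the unofficial Sanesecurity signature is. The script below is an added example (mine, not ClamAV's or anyone's on this thread) that parses the clamdscan report lines in the format shown above and classifies each FOUND entry as heuristic, unofficial (".UNOFFICIAL" suffix) or official, so the "yes" and "no" runs can be compared mechanically rather than by eye. The two reports embedded in it are constructed copies of the output posted above; it assumes the stock "<path>: <name> FOUND" report format and paths without spaces.

```shell
#!/bin/sh
# Added example, not part of the thread or of ClamAV: compare two clamdscan
# reports (OLE2BlockMacros yes vs no) and flag the case where a heuristic
# verdict hides a signature verdict for the same file.
# Assumed report line format (as printed by clamdscan): "<path>: <name> FOUND"

# classify_detection NAME -> prints heuristic | unofficial | official
# "Heuristics." prefix and ".UNOFFICIAL" suffix are the naming conventions
# visible in the posted output.
classify_detection() {
    case "$1" in
        Heuristics.*) echo heuristic ;;
        *.UNOFFICIAL) echo unofficial ;;
        *)            echo official ;;
    esac
}

# summarize_report: reads a clamdscan report on stdin and prints
# "<path> <name> <class>" for every FOUND line; summary lines are dropped.
# Assumes paths contain no spaces.
summarize_report() {
    sed -n 's/^\(.*\): \(.*\) FOUND$/\1 \2/p' | while read -r path name; do
        printf '%s %s %s\n' "$path" "$name" "$(classify_detection "$name")"
    done
}

# heuristic_masks_signature REPORT_YES REPORT_NO
# Returns 0 (true) when the first report's only verdict is heuristic while
# the second report has a non-heuristic (signature) verdict for the same file,
# i.e. the situation Bowie describes above.
heuristic_masks_signature() {
    yes_class=$(printf '%s\n' "$1" | summarize_report | awk '{print $3}' | head -n 1)
    no_class=$(printf '%s\n' "$2" | summarize_report | awk '{print $3}' | head -n 1)
    [ "$yes_class" = heuristic ] && [ -n "$no_class" ] && [ "$no_class" != heuristic ]
}

# Constructed sample reports, reproducing the shape of the two runs above.
REPORT_BLOCK_YES='/var/tmp/inv_5236420.doc: Heuristics.OLE2.ContainsMacros FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.028 sec (0 m 0 s)'

REPORT_BLOCK_NO='/var/tmp/inv_5236420.doc: Sanesecurity.Badmacro.Doc.valloc.UNOFFICIAL FOUND
----------- SCAN SUMMARY -----------
Infected files: 1
Time: 0.272 sec (0 m 0 s)'

# Stand-alone demo: print both summaries and the comparison result.
printf 'OLE2BlockMacros yes:\n'
printf '%s\n' "$REPORT_BLOCK_YES" | summarize_report
printf 'OLE2BlockMacros no:\n'
printf '%s\n' "$REPORT_BLOCK_NO" | summarize_report
if heuristic_masks_signature "$REPORT_BLOCK_YES" "$REPORT_BLOCK_NO"; then
    echo "heuristic verdict reported instead of the signature verdict for the same file"
fi
```

In practice the two report variables would be filled from real runs (for example `clamdscan --fdpass "$file" 2>/dev/null`) taken before and after toggling OLE2BlockMacros and restarting clamd; the classification makes it obvious whether the change in output is a change in what was detected or only in which of several matching verdicts clamd chose to report.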
_______________________________________________
Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml