On 02/19/2015 06:25 PM, Alex Regan wrote:
Hi,
I use amavis-new and block based on file type. My users should never
get legit executables via email, so they are sent to a quarantine.
Unfortunately, we're finding those simple-minded rules are running out
of gas. :( We've seen a zip file conta
Hi,
I use amavis-new and block based on file type. My users should never
get legit executables via email, so they are sent to a quarantine.
Unfortunately, we're finding those simple-minded rules are running out
of gas. :( We've seen a zip file containing an Excel spreadsheet
with a macro vir
On 19.02.2015 at 16:13, Matteo Dessalvi wrote:
I am just curious, since I am using SaneSecurity
signatures too.
According to: http://sanesecurity.com/usage/signatures/
some of the lists you mentioned have been classified
with 'medium' to 'high' risk of false positives:
foxhole_*
spear / spea
Hello.
I am just curious, since I am using SaneSecurity
signatures too.
According to: http://sanesecurity.com/usage/signatures/
some of the lists you mentioned have been classified
with 'medium' to 'high' risk of false positives:
foxhole_*
spear / spearl
Did you not get into trouble with those
On February 19, 2015 3:26:00 PM "David F. Skoll"
wrote:
Unfortunately, we're finding those simple-minded rules are running out
of gas. :( We've seen a zip file containing an Excel spreadsheet
with a macro virus in it. ClamAV is essentially useless at detecting
viruses, so it's a real problem
On Thu, 19 Feb 2015, David F. Skoll wrote:
On Thu, 19 Feb 2015 07:46:16 -0600
Chad M Stewart wrote:
I use amavis-new and block based on file type. My users should never
get legit executables via email, so they are sent to a quarantine.
Unfortunately, we're finding those simple-minded rules
On 19.02.2015 at 15:47, Dave Funk wrote:
On Thu, 19 Feb 2015, Reindl Harald wrote:
well, you can achieve that directly on the MTA but that won't help in
case of "emails containing MS office attachments with a Malicious VB
script"
cat /etc/postfix/mime_header_checks.cf
/^Content-(?:Dispositio
On Thu, 19 Feb 2015, Reindl Harald wrote:
well, you can achieve that directly on the MTA but that won't help in case of
"emails containing MS office attachments with a Malicious VB script"
cat /etc/postfix/mime_header_checks.cf
/^Content-(?:Disposition|Type):(?:.*?;)? \s*(?:file)?name \s* =
\
On 19.02.2015 at 15:43, David F. Skoll wrote:
On Thu, 19 Feb 2015 09:34:28 -0500
Alex Regan wrote:
[David Skoll]
spreadsheet with a macro virus in it. ClamAV is essentially
useless at detecting viruses, so it's a real problem... any ideas?
Useless? Are you using the third-party patterns?
On 02/19/2015 03:24 PM, David F. Skoll wrote:
On Thu, 19 Feb 2015 07:46:16 -0600
Chad M Stewart wrote:
I use amavis-new and block based on file type. My users should never
get legit executables via email, so they are sent to a quarantine.
Unfortunately, we're finding those simple-minded rul
On Thu, 19 Feb 2015 09:34:28 -0500
Alex Regan wrote:
[David Skoll]
> > spreadsheet with a macro virus in it. ClamAV is essentially
> > useless at detecting viruses, so it's a real problem... any ideas?
> Useless? Are you using the third-party patterns?
No, because when I tried some of them, th
Hi,
I use amavis-new and block based on file type. My users should never
get legit executables via email, so they are sent to a quarantine.
Unfortunately, we're finding those simple-minded rules are running out
of gas. :( We've seen a zip file containing an Excel spreadsheet
with a macro vir
On Thu, 19 Feb 2015 07:46:16 -0600
Chad M Stewart wrote:
> I use amavis-new and block based on file type. My users should never
> get legit executables via email, so they are sent to a quarantine.
Unfortunately, we're finding those simple-minded rules are running out
of gas. :( We've seen a zi
On 19.02.2015 at 14:46, Chad M Stewart wrote:
I use amavis-new and block based on file type. My users should never get legit
executables via email, so they are sent to a quarantine.
### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
qr'^\.(exe-ms|
I use amavis-new and block based on file type. My users should never get legit
executables via email, so they are sent to a quarantine.
### BLOCKED ANYWHERE
# qr'^UNDECIPHERABLE$', # is or contains any undecipherable components
qr'^\.(exe-ms|dll)$', # banned file(1) types,
Thank you all for your comments, very much appreciated
Tony
Date: Wed, 18 Feb 2015 12:28:11 -0700
From: ml-node+s1065346n114635...@n5.nabble.com
To: tiar...@hotmail.com
Subject: Re: Recent spate of Malicious VB attachments II
On Wed, 18 Feb 2015 14:16:02 -0500
Joe Quinn <[hid
On Wed, 18 Feb 2015 14:16:02 -0500
Joe Quinn wrote:
> On 2/18/2015 2:10 PM, Reindl Harald wrote:
> > the source contains at least socket:// and heavy pulsating disk-IO
> > noticed from the RAID10 as long as the process was active - will give
> > it a try in an isolated VM to look what it does the n
On Wed, 18 Feb 2015 20:10:46 +0100
Reindl Harald wrote:
> it would be nice when SA adds a *low score* in case of documents
> containing macros - that may make the difference in a milter setup in
> combination with other rules and bayes to reject or not
Yeah, that's what we do. We add 3.7 poin
On 2/18/2015 2:10 PM, Reindl Harald wrote:
On 18.02.2015 at 20:00, David F. Skoll wrote:
On Wed, 18 Feb 2015 10:52:49 -0800 (PST)
John Hardin wrote:
Macros are not inherently evil.
No, they're not, but AutoRun macros are guilty until proven
otherwise, IMO.
(And adding the ability for MS
On 18.02.2015 at 20:00, David F. Skoll wrote:
On Wed, 18 Feb 2015 10:52:49 -0800 (PST)
John Hardin wrote:
Macros are not inherently evil.
No, they're not, but AutoRun macros are guilty until proven otherwise, IMO.
(And adding the ability for MS Office macros to execute external programs
an
On Wed, 18 Feb 2015 10:52:49 -0800 (PST)
John Hardin wrote:
> Macros are not inherently evil.
No, they're not, but AutoRun macros are guilty until proven otherwise, IMO.
(And adding the ability for MS Office macros to execute external programs
and fetch content over the Internet *is* inherently
On Wed, 18 Feb 2015, David F. Skoll wrote:
On Wed, 18 Feb 2015 09:56:56 -0700
Jesse Norell wrote:
Another option might be to add a virus scanner to your pop/imap
server, so mail is re-scanned before being sent to the client?
I wrote some Perl to try to detect MS Office documents with macr
On Wed, 18 Feb 2015 09:56:56 -0700
Jesse Norell wrote:
> Another option might be to add a virus scanner to your pop/imap
> server, so mail is re-scanned before being sent to the client?
I wrote some Perl to try to detect MS Office documents with macros in
them. I'm not sure it's 100% successf
r to your pop/imap
server, so mail is re-scanned before being sent to the client?
Jesse
> Cheers
> Tony
>
>
> __
> Date: Wed, 18 Feb 2015 06:08:30 -0700
> From: [hidden email]
> To: [hidden email]
> Sub
On Wed, 18 Feb 2015, Tonyata wrote:
Thanks for your feedback, much appreciated
We do regularly review our AV solution and are generally happy with what we
have in place. The issue was and continues to be that this is a new variant
Malware so by the time the AVs catch up we already have a numbe
om
To: tiar...@hotmail.com
Subject: Re: Recent spate of Malicious VB attachments II
On 02/18/2015 01:09 PM, Tonyata wrote:
> Posting again as the original post didn't hit the mailing list -
>
> Hi Guys,
>
> Last week my company received a noticeable increase in email
On 02/18/2015 01:09 PM, Tonyata wrote:
Posting again as the original post didn't hit the mailing list -
Hi Guys,
Last week my company received a noticeable increase in emails containing MS
office attachments with a Malicious VB script which downloaded something
nasty.
For example Subj - Remit