On Tue, 6 Sep 2016, Alex wrote:
Hi,
Is there any ability to determine if a particular attachment has a
Word macro enclosed in addition to just having a Word document?
that's the job of clamav and the sa-plugin for it
"OLE2BlockMacros yes" in case of a scored SA plugin won't block but add the
score of that clamd-instance, for unconditional block of other things you
typically have a clamd-instance with different config running as
unconditional milter
Yeah, that's unacceptable to me.
I can't accept obscuring whether a particular attachment has a macro
virus and instead just be notified only that it has a macro. That's
effectively saying it's necessary to outright block all macros or risk
allowing attachments with macro viruses to be passed unencumbered.
I was looking for another way to link macros with spamassassin, as the
amavisd/clamd approach is broken.
The reality of the world is:
1) block/quarantine/encumber/tag all documents that have a macro.
2) allow them thru unencumbered and risk delivering documents that might have a
macro virus.
I assume that you already have an AV that will block/quarantine -known-
macro viruses.
You say "that's unacceptable to me"
What is 'acceptable' to you? Unless you find some magical prescient anti-virus
that can accurately predict all possible macro viruses without FPs I don't know
what else can be done.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{