On 06.09.2016 at 23:27, Alex wrote:
Is there any ability to determine if a particular attachment has a
Word macro enclosed in addition to just having a Word document?
that's the job of clamav and the sa-plugin for it
"OLE2BlockMacros yes" in case of a scored SA plugin won't block but add
the score of that clamd-instance, for unconditional block of other things
you typically have a clamd-instance with different config running as
unconditional milter
Yeah, that's unacceptable to me.
I can't accept obscuring whether a particular attachment has a macro
virus and instead just be notified only that it has a macro. That's
effectively saying it's necessary to outright block all macros or risk
allowing attachments with macro viruses to be passed unencumbered.
I was looking for another way to link macros with spamassassin, as the
amavisd/clamd approach is broken.
The reality of the world is:
1) block/quarantine/encumber/tag all documents that have a macro.
2) allow them thru unencumbered and risk delivering documents that might
have a macro virus.
That won't work. I can't tell my users they can no longer receive a
significant percentage of Word documents any longer.
you do *not* block them outright
you *score* them
exactly the same as you asked here:
>>>>> Is there any ability to determine if a particular attachment has a
>>>>> Word macro enclosed in addition to just having a Word document?
what would be the difference to add some points by your question above
in SA than add some points because the clamd instance with scoring?
you just need a second clamd-instance with a different config which
doesn't outright block and when you are at it add to *this* clamd instance
some sanesecurity junk-rules which are false-positive-prone and hence
not usable for direct blocking
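
How a scored second clamd instance can keep "has a macro" apart from "matched a virus signature", as an added example that is not part of the original message: a Python sketch that parses clamd reply lines and assigns points by signature name. The point values, labels and sample replies are assumptions made up for illustration.

```python
# Added illustration: turn one clamd reply line into a spam score.
# All point values are assumptions; tune them against your own mail flow.
import re

SCORE_RULES = [
    # (pattern on the signature name, points, label)
    # Name clamd reports when macro blocking is on and an OLE2 file has macros.
    (re.compile(r"^Heuristics\.OLE2\.ContainsMacros"), 2.0, "macro-present"),
    (re.compile(r"^Sanesecurity\.Junk\."), 1.5, "fp-prone-junk-rule"),
    # clamd appends .UNOFFICIAL to hits from third-party databases.
    (re.compile(r"\.UNOFFICIAL$"), 3.0, "third-party-signature"),
]
DEFAULT_FOUND = (10.0, "official-signature")


def parse_clamd_reply(raw):
    """Return (status, detail) for a reply such as 'stream: X FOUND'."""
    line = raw.strip("\0\r\n ")
    if line.endswith(" ERROR"):
        return "error", line[: -len(" ERROR")]
    if line.endswith(": OK"):
        return "clean", None
    if line.endswith(" FOUND"):
        return "found", line[: -len(" FOUND")].rsplit(": ", 1)[-1]
    return "error", line


def score_reply(raw):
    """Map a reply from the scoring (non-blocking) instance to points."""
    status, detail = parse_clamd_reply(raw)
    if status == "clean":
        return 0.0, "clean"
    if status == "error":
        # Assumption: a scan error adds no points; the blocking instance
        # and the other SpamAssassin rules still apply.
        return 0.0, "scan-error"
    for pattern, points, label in SCORE_RULES:
        if pattern.search(detail):
            return points, label
    return DEFAULT_FOUND


# Constructed sample replies, not captured from a real server.
SAMPLES = [
    "stream: OK\0",
    "stream: Heuristics.OLE2.ContainsMacros FOUND\0",
    "stream: Sanesecurity.Junk.12345.UNOFFICIAL FOUND\0",
    "stream: Win.Trojan.Example-1 FOUND\0",
]

if __name__ == "__main__":
    for reply in SAMPLES:
        print(repr(reply), "->", score_reply(reply))
```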