On 10/14/2016 02:49 PM, Paul Stead wrote:

On 03/10/16 21:30, John Hardin wrote:
ClamAV is probably the correct approach to macro-based malware, unless
we want to do a MS Office document plugin with something like an eval
for has_macros().

ClamAV does allow macro detection, but it depends on the MTA glue used
whether you can use this feature.

With the feedback of Alex I've put together a plugin which detects the
presence of a MS Office Macro with a few other bits.

Testing shows it to be speedy and reliable enough, though seemingly lots of
legit emails have macro attachments, but this should help build
metas/help detection.

https://github.com/fmbla/spamassassin-olemacro

- Detects macros - both old and new style
- Basic 'malicious' macro detection
- Protected (encrypted) document detection


Paul,
This looks like a fine pre-Xmas gift :)

How's the performance? I know you run high-traffic sites.
Have you felt a difference?

Thanx

Axb
