Block Office documents with Macro's and notify recipient, rulebased

SupportOU
Posts: 47
Joined: 12 Sep 2016 18:47

Post by SupportOU » 09 Feb 2017 21:44

Hi All,

Does anyone know if it is possible to block all Office documents that contain macros for recipients of *@domain1.com, while allowing this for users of *@domain2.com?

Do I need to block/allow this in ClamAV or MailScanner or a combination?

For now I used the /etc/MailScanner/rules/content.scanning.rules file in combination with /etc/clamav.conf (OLE2BlockMacros yes). My content.scanning.rule is 'From: *@domain3.com and To: *@domain2.com no'.

But this rule doesn't get fired if user@domain3.com sends a document with a macro to user@domain2.com. Now all Office documents with macros are blocked (but no zero-day cryptolockers since, so in that respect I am very very happy).

I have more rules in this very rules file and these are working.

What can I do better here?

Thanks!

Grtz,
Ronald

Gate Array
Posts: 14
Joined: 30 Aug 2017 09:36

Re: Block Office documents with Macro's and notify recipient, rulebased

Post by Gate Array » 14 Apr 2018 11:06

I would like to have the same feature/configuration... Block all Office files with macros inside...

The problem is doing it using MailScanner and not with ClamAV.


In my configuration I've set up:

1) Make a bounce reply email for "illegal attach" to the sender.

2) Do "nothing" if a virus is found

So... what I want to achieve is to send back an email alert to the sender also for macros inside Office files.

Is there any way to do it?

Gate Array
Posts: 14
Joined: 30 Aug 2017 09:36

Re: Block Office documents with Macro's and notify recipient, rulebased

Post by Gate Array » 28 Apr 2018 09:03

No one...???
No ideas ????

thewomble
Posts: 31
Joined: 17 Jan 2017 12:52

Re: Block Office documents with Macro's and notify recipient, rulebased

Post by thewomble » 17 May 2018 18:39

Take a look at https://github.com/fmbla/spamassassin-olemacro

I have not used it myself yet; it was on my todo list.

pdwalker
Posts: 1076
Joined: 18 Mar 2015 09:16

Re: Block Office documents with Macro's and notify recipient, rulebased

Post by pdwalker » 21 May 2018 06:24

I use it, and there are a number of conditions that it does not detect. Embedded macros in MS Word documents is one hairball of a mess.
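
As an added illustration of the policy asked about in this thread (not code from any poster, MailScanner, ClamAV or the spamassassin-olemacro plugin): a Python sketch that detects a VBA project in an OOXML attachment and applies a per-recipient-domain decision. The function names, the `BLOCK_MACROS_FOR` set and the sample files are assumptions constructed for the example; legacy OLE2 files are reported as "unknown" and blocked for the protected domain, which reflects the detection gaps mentioned above.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container
# Assumed policy from the question: block macros for domain1.com only.
BLOCK_MACROS_FOR = {"domain1.com"}


def macro_verdict(data: bytes) -> str:
    """Return 'yes', 'no' or 'unknown' for one attachment body."""
    if data.startswith(OLE2_MAGIC):
        # Legacy or encrypted Office file: needs an OLE2 parser, so this
        # sketch cannot tell and reports 'unknown' instead of guessing.
        return "unknown"
    if not data.startswith(b"PK"):
        return "no"  # not a ZIP container, so not OOXML
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "unknown"
    # Conventional part name only; a renamed VBA part would be missed.
    return "yes" if any(n.endswith("vbaproject.bin") for n in names) else "no"


def decide(recipient: str, data: bytes) -> str:
    """Per-recipient-domain decision; fails closed on 'unknown'."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in BLOCK_MACROS_FOR and macro_verdict(data) != "no":
        return "block"
    return "deliver"


def make_ooxml(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-like ZIP in memory (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for rcpt in ("user@domain1.com", "user@domain2.com"):
        for macro in (True, False):
            print(rcpt, "macro" if macro else "clean", decide(rcpt, make_ooxml(macro)))
```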
