EFA to only block .doc macros?

Posted: 05 Oct 2016 20:04
by user666
Hello,

I use Barracuda for my organization and it keeps staff happy (changing spam filters isn't doable politically right now), but it can't filter out .doc macros, which are a problem as that's a pretty strong vector for ransomware. It looks like ClamAV has some ability to detect macros in .doc files and that spamassassin can push all attachments through ClamAV before sending.

My understanding is that I can set the spamassassin score to something very high like 50 so that no mail is ever marked as spam and ClamAV can also block .doc macros. Is this correct? If so, can someone point me towards the config files I'd need to change? Bonus if the tagged files can come to a specific inbox for IT to look at and to release to staff.

Thanks.

Re: EFA to only block .doc macros?

Posted: 12 Oct 2016 22:43
by dbrunt
OLE2 macro blocking is supposed to be enabled in newer versions of EFA (clamd)
I'm not sure when the default changed.
This setting in /etc/clamd.conf controls OLE2 macro blocking:

# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros yes
Apparently OLE2BlockMacros either defaults to no or yes depending on the version of clamd so uncomment and set it to your liking.
The text description supposedly is still "Default: no" in newer versions of EFA and is incorrect.
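Because the quoted fragment shows the directive only as a comment, a quick grep for "OLE2BlockMacros yes" will match it and wrongly report macro blocking as on. The following is an added example (not from the thread or from ClamAV) that reads a clamd.conf text, reports whether OLE2BlockMacros is explicitly active, and rewrites the file so the directive is set regardless of the version-dependent default; the accepted boolean spellings and last-wins handling are assumptions about clamd's parser.

```python
# Constructed sample: the clamd.conf fragment quoted above, where the
# directive appears only inside a comment and is therefore NOT set.
SAMPLE_CLAMD_CONF = """\
# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros yes
"""

DIRECTIVE = "OLE2BlockMacros"
# Boolean spellings treated as equivalent here (assumption about clamd).
TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}


def ole2_macro_setting(conf_text):
    """Return True/False for an explicit, uncommented OLE2BlockMacros line,
    or None when the directive is absent, in which case the effective default
    depends on the clamd version (the ambiguity the thread describes)."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # '#OLE2BlockMacros yes' is a comment: still unset
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == DIRECTIVE.lower():
            word = parts[1].strip().lower()
            if word in TRUE_WORDS:
                value = True
            elif word in FALSE_WORDS:
                value = False
            # a later duplicate overrides an earlier one (assumption)
    return value


def ensure_ole2_block_macros(conf_text):
    """Return conf_text with an active 'OLE2BlockMacros yes' line: an existing
    active line is rewritten in place, otherwise one is appended at the end."""
    out, replaced = [], False
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not raw.lstrip().startswith("#") \
                and parts[0].lower() == DIRECTIVE.lower():
            out.append(f"{DIRECTIVE} yes")
            replaced = True
        else:
            out.append(raw)  # comments and other directives kept verbatim
    if not replaced:
        out.append(f"{DIRECTIVE} yes")
    return "\n".join(out) + "\n"
```

Run ole2_macro_setting over the real /etc/clamd.conf; a None result means the setting is being left to whatever the installed clamd version defaults to, and a restart of clamd is needed after any change.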

Re: EFA to only block .doc macros?

Posted: 12 Oct 2016 22:46
by dbrunt
For SpamAssassin scoring, see viewtopic.php?t=1547
Scroll about 1/2 way down for pdwalker's step-by-step process for installation.

I'm still trying to get it to work though...

Re: EFA to only block .doc macros?

Posted: 12 Oct 2016 22:49
by dbrunt
One more note, install Sophos A/V scanning: viewtopic.php?t=1329
It catches more than clamav but not everything that clamav does...

Re: EFA to only block .doc macros?

Posted: 13 Oct 2016 08:54
by pdwalker
Did someone invoke my name?

ClamAV will block 100% of macro enabled word documents. So if you're happy doing that then set
OLE2BlockMacros yes

The plugin mentioned in viewtopic.php?t=1547 will catch some, but not all macro enabled word documents. So don't assume it works perfectly. It only helps.

(Personally, I think all macro enabled MS Office documents should be deleted immediately because of the potential harm they can do)

Re: EFA to only block .doc macros?

Posted: 14 Oct 2016 07:44
by pdwalker
Ok, I've received the example excel spreadsheets and they passed right through the spamassassin macro detecting plugin without being detected.

I've submitted a bug report to the plugin author, but I am not sure how responsive he will be. Until then, be warned that the plugin fails on quite a number of macro enabled office documents.