Hi All,
Please see the example below. This inbound message is not delivered to the final recipient, and I have no clue why.
I have the following in mailscanner.conf:
Deliver Disinfected Files = yes
Still Deliver Silent Viruses = no
Deliver Cleaned Messages = yes
Anyone have an idea?
Grtz,
Ronald
[root@sys-mailgw12 ~]# cat /var/log/maillog | grep 13CB2100054
Nov 3 13:30:59 sys-mailgw12 postfix/smtpd[27286]: 13CB2100054: client=smarthost-b.hosting2go.nl[83.137.198.202]
Nov 3 13:30:59 sys-mailgw12 postfix/cleanup[27777]: 13CB2100054: hold: header Received: from smarthost-b.hosting2go.nl (smarthost-b.hosting2go.nl [83.137.198.202])??(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))??(No client certificate requested)??by mailgw.officeu from smarthost-b.hosting2go.nl[83.137.198.202]; from=<w.stonner@local2global.nl> to=<Mattis@siebert-becker.nl> proto=ESMTP helo=<smarthost-b.hosting2go.nl>
Nov 3 13:30:59 sys-mailgw12 postfix/cleanup[27777]: 13CB2100054: message-id=<001301d3549f$93b59300$bb20b900$@local2global.nl>
Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./13CB2100054.A28F0/Buro Bau Jaarrekening 2016.xls
Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: Infected message 13CB2100054.A28F0 came from 83.137.198.202
Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: <A> tag found in message 13CB2100054.A28F0 from w.stonner@local2global.nl
Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: HTML Img tag found in message 13CB2100054.A28F0 from w.stonner@local2global.nl
Nov 3 13:31:10 sys-mailgw12 MailScanner[19353]: Saved entire message to /var/spool/MailScanner/quarantine/20171103/13CB2100054.A28F0
Nov 3 13:31:11 sys-mailgw12 MailScanner[19353]: Saved infected "Buro Bau Jaarrekening 2016.xls" to /var/spool/MailScanner/quarantine/20171103/13CB2100054.A28F0
Nov 3 13:31:11 sys-mailgw12 MailScanner[19353]: Logging message 13CB2100054.A28F0 to SQL
Nov 3 13:31:11 sys-mailgw12 MailScanner[19572]: 13CB2100054.A28F0: Logged to MailWatch SQL
[root@sys-mailgw12 ~]#
Deliver Cleaned Messages and/or Files
Re: Deliver Cleaned Messages and/or Files
Hi Ronald,
Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./13CB2100054.A28F0/Buro Bau Jaarrekening 2016.xls
The above states that MailScanner has decided not to let that xls file pass. This is actually good practice, and sending any kind of MS active file via plain e-mail has never been a good idea.
Cheers,
budy
Re: Deliver Cleaned Messages and/or Files
Hi,
Yeah, I know. But some users do get the stripped message (original attachment replaced by a neat warning message with the message ID) and some don't. No clue why it's not always the same. Of course I want the cleaned message to be delivered always (with the replacement attachment).
So, any idea why this particular message gets blocked?
I tell all my customers to educate their customers/suppliers not to send Office documents with macros, but to no avail. Endless debates.
I was thinking about paid support from Malware Patrol to take the risk and have Office macros scanned and passed. Currently I am blocking all documents containing macros.
Any advice on these matters?
Thanks!
Ronald
- shawniverson
Re: Deliver Cleaned Messages and/or Files
Your best bet is to make an exception in clamd for macros...at your own risk, of course
The settings in MailScanner still allow clam to strip the macros from the documents. Sometimes it can and sometimes it can't which is why you see intermittent results.
echo "Heuristics.OLE2.ContainsMacros" | sudo tee -a /var/lib/clamav/whitelist.ign2  # sudo only covered echo in the original; the >> redirect ran unprivileged, so append as root via tee -a
sudo chown clam:clam /var/lib/clamav/whitelist.ign2  # use whatever user clamd runs as on your distribution (clam, clamav or clamscan)
sudo clamdscan --reload  # clamd only reads .ign2 files from its database directory when it reloads
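When the question is "why did this one not arrive while others did", the quickest answer comes from correlating the Postfix queue ID across the cleanup, MailScanner and delivery lines. The script below is an added example, not code from the thread, MailScanner or ClamAV. It triages a raw maillog for one queue ID: what clamd flagged (ClamAV prefixes heuristic verdicts with `Heuristics.`, and `OLE2.ContainsMacros` is the one raised for macro-bearing Office files when `OLE2BlockMacros` is enabled in clamd.conf), where MailScanner quarantined it, and whether Postfix ever logged `status=sent` for it. The first sample message is the one from this thread (abridged); the second message, its addresses and its delivery line are constructed to show the delivered case, and the script assumes the cleaned copy is delivered under the same Postfix queue ID (if your MailScanner requeues under a new ID, feed that ID to `triage()`). The `stuck_messages()` helper generalises the check to every quarantined message in the log.

```python
"""Triage one Postfix/MailScanner queue ID in the maillog.

Added example for this thread, not code from MailScanner, ClamAV or the
posters. Reports what clamd flagged, where MailScanner quarantined the
message, and whether Postfix ever logged a delivery (status=sent) for it.
"""
import re
from dataclasses import dataclass, field

# Abridged log lines from the thread, followed by a CONSTRUCTED second message
# (queue ID 7E4D1100077, example.invalid/example.net addresses) whose cleaned
# copy was handed back to Postfix and delivered under the same queue ID.
SAMPLE_LOG = """\
Nov 3 13:30:59 sys-mailgw12 postfix/cleanup[27777]: 13CB2100054: hold: header Received: from smarthost-b.hosting2go.nl (smarthost-b.hosting2go.nl [83.137.198.202]) by mailgw.officeu from smarthost-b.hosting2go.nl[83.137.198.202]; from=<w.stonner@local2global.nl> to=<Mattis@siebert-becker.nl> proto=ESMTP helo=<smarthost-b.hosting2go.nl>
Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./13CB2100054.A28F0/Buro Bau Jaarrekening 2016.xls
Nov 3 13:31:09 sys-mailgw12 MailScanner[19353]: Infected message 13CB2100054.A28F0 came from 83.137.198.202
Nov 3 13:31:10 sys-mailgw12 MailScanner[19353]: Saved entire message to /var/spool/MailScanner/quarantine/20171103/13CB2100054.A28F0
Nov 3 13:31:11 sys-mailgw12 MailScanner[19353]: Saved infected "Buro Bau Jaarrekening 2016.xls" to /var/spool/MailScanner/quarantine/20171103/13CB2100054.A28F0
Nov 3 14:02:10 sys-mailgw12 postfix/cleanup[27800]: 7E4D1100077: hold: header Received: from mx.example.invalid (mx.example.invalid [192.0.2.10]) by mailgw.officeu from mx.example.invalid[192.0.2.10]; from=<sender@example.invalid> to=<user@example.net> proto=ESMTP helo=<mx.example.invalid>
Nov 3 14:02:20 sys-mailgw12 MailScanner[19353]: Clamd::INFECTED:: Heuristics.OLE2.ContainsMacros :: ./7E4D1100077.B1C20/Offerte.doc
Nov 3 14:02:21 sys-mailgw12 MailScanner[19353]: Saved infected "Offerte.doc" to /var/spool/MailScanner/quarantine/20171103/7E4D1100077.B1C20
Nov 3 14:02:23 sys-mailgw12 postfix/smtp[27901]: 7E4D1100077: to=<user@example.net>, relay=mail.example.net[192.0.2.20]:25, delay=13, status=sent (250 2.0.0 Ok: queued as 9F1A3C0012)
"""

QID = r"(?P<qid>[0-9A-F]+)"  # default (short, hex) Postfix queue ID format
HOLD_RE = re.compile(rf"postfix/cleanup\[\d+\]: {QID}: hold: .*from=<(?P<from>[^>]*)> to=<(?P<to>[^>]*)>")
INFECTED_RE = re.compile(rf"Clamd::INFECTED:: (?P<sig>\S+) :: \./{QID}\.[0-9A-F]+/(?P<file>.+)$")
SOURCE_RE = re.compile(rf"Infected message {QID}\.[0-9A-F]+ came from (?P<ip>\S+)")
QUARANTINE_RE = re.compile(rf'Saved (?:entire message|infected "[^"]+") to (?P<path>\S*/{QID}\.[0-9A-F]+)$')
SENT_RE = re.compile(rf"postfix/(?:smtp|lmtp|local|pipe|virtual)\[\d+\]: {QID}: to=<(?P<to>[^>]+)>.*status=sent")


@dataclass
class Verdict:
    queue_id: str
    sender: str = ""
    recipient: str = ""
    source_ip: str = ""
    detections: list[tuple[str, str]] = field(default_factory=list)  # (signature, file name)
    quarantined: list[str] = field(default_factory=list)             # quarantine paths
    delivered_to: list[str] = field(default_factory=list)            # recipients with status=sent

    @property
    def heuristic_only(self) -> bool:
        # ClamAV names heuristic verdicts "Heuristics.*"; OLE2.ContainsMacros is the one
        # raised for macro-bearing Office files when OLE2BlockMacros is on in clamd.conf.
        return bool(self.detections) and all(s.startswith("Heuristics.") for s, _ in self.detections)

    @property
    def stuck(self) -> bool:
        # Quarantined by MailScanner and no delivery logged by Postfix for this queue ID.
        return bool(self.quarantined) and not self.delivered_to


def triage(log_text: str, queue_id: str) -> Verdict:
    v = Verdict(queue_id)
    for line in log_text.splitlines():
        if queue_id not in line:  # cheap pre-filter before the regexes
            continue
        if (m := HOLD_RE.search(line)) and m["qid"] == queue_id:
            v.sender, v.recipient = m["from"], m["to"]
        elif (m := INFECTED_RE.search(line)) and m["qid"] == queue_id:
            v.detections.append((m["sig"], m["file"]))
        elif (m := SOURCE_RE.search(line)) and m["qid"] == queue_id:
            v.source_ip = m["ip"]
        elif (m := QUARANTINE_RE.search(line)) and m["qid"] == queue_id:
            if m["path"] not in v.quarantined:  # "entire message" and "infected" share a path
                v.quarantined.append(m["path"])
        elif (m := SENT_RE.search(line)) and m["qid"] == queue_id:
            v.delivered_to.append(m["to"])
    return v


def stuck_messages(log_text: str) -> list[str]:
    """Every queue ID MailScanner quarantined that Postfix never reported as sent."""
    ids = {m["qid"] for line in log_text.splitlines() if (m := QUARANTINE_RE.search(line))}
    return sorted(q for q in ids if triage(log_text, q).stuck)


def report(v: Verdict) -> str:
    lines = [f"{v.queue_id}: {v.sender} -> {v.recipient} (from {v.source_ip or 'n/a'})"]
    lines += [f"  clamd: {sig} in {name!r}" for sig, name in v.detections]
    lines += [f"  quarantined: {p}" for p in v.quarantined]
    if v.delivered_to:
        lines.append(f"  delivered to: {', '.join(v.delivered_to)}")
    else:
        lines.append("  no status=sent logged" + (" (heuristic-only verdict)" if v.heuristic_only else ""))
    return "\n".join(lines)


if __name__ == "__main__":
    for qid in ("13CB2100054", "7E4D1100077"):
        print(report(triage(SAMPLE_LOG, qid)))
    print("stuck:", stuck_messages(SAMPLE_LOG))
```

Run it against `/var/log/maillog` with the queue ID from the bounce or the MailWatch entry; a message that shows a quarantine path, a `Heuristics.*` verdict and no `status=sent` is exactly the pattern in Ronald's paste, and `stuck_messages()` lists every such message in the log so you can see whether the intermittent behaviour is tied to a particular verdict or sender.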