Hi All,
Does anyone know if it is possible to block all Office documents that contain macros for recipients of *@domain1.com, while allowing this for users of *@domain2.com?
Do I need to block/allow this in ClamAV or MailScanner or a combination?
For now I used the /etc/MailScanner/rules/content.scanning.rules file in combination with /etc/clamav.conf (OLE2BlockMacros yes). My content.scanning.rule is 'From: *@domain3.com and To: *@domain2.com no'
But this rule doesn't get fired if user@domain3.com sends a document with a macro to user@domain2.com. Now all Office documents with macros are blocked (but no zero-day cryptolockers since, so in that respect I am very very happy).
I have more rules in this very rules file and these are working.
What can I do better here?
Thanks!
Grtz,
Ronald
Block Office documents with Macros and notify recipient, rulebased
- Posts: 23
- Joined: 30 Aug 2017 09:36
Re: Block Office documents with Macros and notify recipient, rulebased
I would like the same feature/configuration... Block all the Office files with macros inside...
The problem is doing it using MailScanner and not with ClamAV.
In my configuration I've setup:
1) Make a bounce reply email for "illegal attach" to the sender.
2) Do "nothing" if a virus is found
So... what I want to achieve is to send back an email alert to the sender also for macros inside Office files.
Is there any way to do it?
Re: Block Office documents with Macros and notify recipient, rulebased
No one...???
No ideas ????
Re: Block Office documents with Macros and notify recipient, rulebased
Take a look at https://github.com/fmbla/spamassassin-olemacro
I have not used it myself, yet, it was on my todo list.
Re: Block Office documents with Macros and notify recipient, rulebased
I use it, and there are a number of conditions that it does not detect. Embedded macros in MS Word documents are one hairball of a mess.
Re: Block Office documents with Macros and notify recipient, rulebased
... and what about "renaming the file extension" instead of cutting the entire email?
Would it be possible to set up ClamAV or MailScanner to change the extension if a macro is detected inside the files?
Re: Block Office documents with Macros and notify recipient, rulebased
Any idea?
Sorry for the forced up, but I'm sure this is something very important for a large base of users.
Re: Block Office documents with Macros and notify recipient, rulebased
The problem is macro detection is very very weird. When I was looking into the problem earlier, I discovered that there is no "one way" to absolutely guarantee that you can detect a macro inside an Office document file, because of the multitude of Office document formats from over the years and the different ways that Office stores it.
You can detect some, but not all.
As for renaming the attachments - that's tricky. Editing an email on the fly because of something objectionable is fraught with problems, again because of all the possible ways that emails are formatted.
Newer versions of Office can be configured to disable macros in their documents automatically, or at least prompt the user if they really want to run them, and that's how I have to manage it - user education.
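To illustrate the "some, but not all" point made above, here is a small Python checker (an added example, not code from this thread, MailScanner, ClamAV or the olemacro plugin) that looks for the two common ways a VBA project is stored: a vbaProject.bin part inside an OOXML zip, and a VBA storage name in a legacy OLE2 compound file. The sample documents it builds are constructed fixtures, not real Office files; encrypted, nested or non-standard containers deliberately fall through as "not detected".

```python
import io
import zipfile
from typing import Dict, Optional

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entry names are stored as NUL-terminated UTF-16LE, so a raw
# scan for the terminated name finds the VBA storage without parsing the FAT.
OLE2_VBA_NAMES = ("_VBA_PROJECT", "VBA")
# Usual OOXML locations of the VBA project part (Word, Excel, PowerPoint).
OOXML_VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def has_macro(data: bytes) -> Optional[str]:
    """Return a short reason if the document appears to carry VBA, else None.

    Heuristic only: covers plain OOXML zips and legacy OLE2 files. Anything
    else (encrypted, nested, malformed) is reported as not detected."""
    if data.startswith(OLE2_MAGIC):
        for name in OLE2_VBA_NAMES:
            if name.encode("utf-16-le") + b"\x00\x00" in data:
                return "ole2:" + name
        return None
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return None
        for part in OOXML_VBA_PARTS:
            if part in names:
                return "ooxml:" + part
        # Catch a vbaProject.bin that sits at a non-standard path in the package.
        for n in names:
            if n.lower().endswith("vbaproject.bin"):
                return "ooxml:" + n
    return None


def build_samples() -> Dict[str, bytes]:
    """Constructed in-memory fixtures: two OOXML zips and two OLE2-like blobs."""
    def ooxml(with_vba: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            if with_vba:
                zf.writestr("word/vbaProject.bin", b"\x00" * 16)
        return buf.getvalue()
    header = OLE2_MAGIC + b"\x00" * 504  # magic plus a padded header sector
    return {
        "docm": ooxml(True),
        "docx": ooxml(False),
        "ole_macro": header + "_VBA_PROJECT".encode("utf-16-le") + b"\x00" * 40,
        "ole_plain": header + "WordDocument".encode("utf-16-le") + b"\x00" * 40,
    }
```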
Re: Block Office documents with Macros and notify recipient, rulebased
I agree with the above: user education is key. They are the best spam detector you have got, with the correct training/education.
The spammers/malware vendors will spoof/rewrite the headers so you may end up hurting your users more with legitimate macro enabled documents depending on what you do.