Exceptions for files

akl
Posts: 20
Joined: 04 Mar 2016 18:26

Exceptions for files

Post by akl »

Hi All,

I have a serious problem with one user. Can you help me, either on the technical aspect or on how to argue in such cases?

We block Office documents with macros. There is this OLE2macro option for Clam.
In addition, we don't quarantine on virus alarms.

We found this is a good setting these days for security reasons. I believe you will all agree.

OK, we now have the case that a 'wanted' mail with a macro attachment has been filtered, not quarantined. Long story short: it is gone.

We could switch off macro filtering or quarantine infections, but the user doesn't want to understand the risk. Unfortunately he is a member of company management. VIP. Unwoundable.

He also claimed that he hasn't got a notification. Where can I configure notification on virus alarms? I looked into MailScanner.conf but could only find sender notification, not recipient notification.

I have two Solutions in mind.
Setting up an infections@ mailbox, adding this as a user in MailWatch and disabling spam filtering. Will that switch off virus scanning too, or only have an effect on SpamAssassin?

Second:
We know another product where you can specify a "not filter string".
In case the subject begins with this "not filter string", every virus and spam check is bypassed and the mail is forwarded to the user.
This was an easy way to give a user the possibility of an exception.

Is that possible?

What do you think or tell your users in such a case?
I told him, for example: please use the company's ownCloud, share a folder, send the link to the sender, and he may upload the file there.
He said this is not an acceptable alternative for him........

[edit]
I just wonder if whitelisting has an effect on virus scanning?
I can hardly believe this, but it is worth asking. I didn't try it yet.
[/edit]

Thank you in advance
akl
pdwalker
Posts: 1583
Joined: 18 Mar 2015 09:16

Re: Exceptions for files

Post by pdwalker »

I have an answer to this. Once I get to my computer, I can answer it for you.
pdwalker
Posts: 1583
Joined: 18 Mar 2015 09:16

Re: Exceptions for files

Post by pdwalker »

Sorry for the delay.

I understand your pain with macros. Frankly, there is no reason to accept macro-enabled documents in the vast majority of cases. I had a case with a client 2 years ago where a macro-enabled document led to a chain of events that ended up with some kind of bitlocker ransomware locking up half the computers in the office. The source of the infection? The CEO.

Having said that, you should probably get it in writing that Mr VIP acknowledges that macro viruses are a source of infection, and that if he insists they come through, IT cannot be held responsible for the damages caused. Get this known ahead of time or else you'll be the one blamed.

Now that I've had time to think about your problem a bit more, the way that I thought you could take seems to be incorrect, so I won't waste any further time on that.

Reading the /etc/MailScanner/MailScanner.conf, I see the following comment:
# If this is set to "yes", then email messages passing through MailScanner
# will be processed and checked, and all the other options in this file
# will be used to control what checks are made on the message.
#
# If this is set to "no", then email messages will NOT be processed or
# checked *at all*, and so any viruses or other problems will be ignored.
#
# If this is set to "virus", then email messages will only be scanned for
# viruses and *nothing* else.
#
# The purpose of this option is to set it to be a ruleset, so that you
# can skip all scanning of mail destined for some of your users/customers
# and still scan all the rest.
# A sample ruleset would look like this:
# To: bad.customer.com no
# From: ignore.domain.com no
# From: my.domain.com virus
# FromOrTo: default yes
# That will scan all mail except mail to bad.customer.com and mail from
# ignore.domain.com. To set this up, put the 3 lines above into a file
# called /etc/MailScanner/rules/scan.messages.rules and set the next line to
# Scan Messages = %rules-dir%/scan.messages.rules
# This can also be the filename of a ruleset (as illustrated above).
Scan Messages = yes
So it seems there is a way to specify a rule to allow you to scan everything except mail to MrVIP@VirusRidden.com. I really don't recommend this, as it will let actual macro viruses through.

Alternatively, you keep your ClamAV signatures up to date, disable the OLE2BlockMacros feature and hope that nothing slips through (it can and will). It will catch most, though.

So, after all that, I guess I'd have to say disable OLE2BlockMacros after getting written authority to make this change knowing the potential damage it can cause.

Do all your desktops have up-to-date AV software?
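To see what the "Scan Messages" ruleset quoted above actually does to a given message, here is an added example (my own code, not MailScanner's) that evaluates a ruleset of that shape. It answers the question from the first post about whether exempting an infections@ mailbox also switches off virus scanning. The matching semantics are simplified assumptions (first matching rule wins, a bare domain pattern matches that domain and its subdomains; regexes, "and" conditions and IP patterns are not modelled), the addresses are hypothetical, and the ruleset text is constructed for the example.

```python
# Added example, not MailScanner's own code: a simplified evaluator for a
# "Scan Messages" ruleset of the shape quoted from MailScanner.conf above.
# Assumptions (not taken from the page): first matching rule wins, a bare
# domain pattern matches that domain and its subdomains, and the real
# ruleset features (regexes, "and" conditions, IP patterns) are not modelled.

# What each value means, per the MailScanner.conf comment:
SCAN_CHECKS = {
    "yes":   {"virus", "spam", "content"},  # full processing
    "virus": {"virus"},                     # virus scanning only
    "no":    set(),                         # nothing at all, viruses included
}


def _matches(pattern: str, address: str) -> bool:
    """Match one address against a ruleset pattern (simplified)."""
    pattern, address = pattern.lower(), address.lower()
    if pattern == "default":
        return True
    if "@" in pattern:                       # full address pattern
        return address == pattern
    domain = address.rsplit("@", 1)[-1]      # bare domain pattern
    return domain == pattern or domain.endswith("." + pattern)


def parse_rules(text: str) -> list[tuple[str, str, str]]:
    """Parse 'Direction: pattern value' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        direction, pattern, value = line.split()
        rules.append((direction.rstrip(":").lower(), pattern, value.lower()))
    return rules


def evaluate(rules, sender: str, recipient: str) -> str:
    """Return the value of the first rule matching this sender/recipient pair."""
    for direction, pattern, value in rules:
        hit_from = direction in ("from", "fromorto") and _matches(pattern, sender)
        hit_to = direction in ("to", "fromorto") and _matches(pattern, recipient)
        if hit_from or hit_to:
            return value
    return "yes"   # no rule matched: assume the option's global default of "yes"


def checks_for(rules, sender: str, recipient: str) -> set[str]:
    """Which checks a message gets under the ruleset."""
    return SCAN_CHECKS[evaluate(rules, sender, recipient)]


# Constructed ruleset (hypothetical addresses): a dedicated exception
# mailbox is exempted entirely, mail from inside the company gets virus
# checks only, and everything else is fully scanned.
RULESET = """
To:       infections@example.com   no     # hypothetical exception mailbox
From:     example.com              virus
FromOrTo: default                  yes
"""
RULES = parse_rules(RULESET)

if __name__ == "__main__":
    for sender, rcpt in [("partner@example.net", "infections@example.com"),
                         ("partner@example.net", "vip@example.com"),
                         ("colleague@example.com", "vip@example.com")]:
        print(f"{sender} -> {rcpt}: {evaluate(RULES, sender, rcpt)} "
              f"{sorted(checks_for(RULES, sender, rcpt))}")
```

The first case shows the trade-off the thread is about: a "no" rule for the exception mailbox removes the virus check along with the spam check, so anything delivered there is unscanned, not merely unfiltered for spam. If the goal is only to bypass the macro block while still catching known malware, a "virus" value keeps ClamAV in the path (with OLE2BlockMacros decided in clamd.conf, not here).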
akl
Posts: 20
Joined: 04 Mar 2016 18:26

Re: Exceptions for files

Post by akl »

Thank you for your answer.

Meanwhile I got another mail from VIP.
"5 mails have been blocked yesterday"
Me: "yes sir, they contained macros, I explained that to you earlier"
"but they were important"

Aaaaarrrggghhhh

Why do all antimalware programmers forget this damn "skip important mails" switch?

I think I will offer him either to quarantine infections, so he may get them via the MailWatch web interface, or to set up a dedicated infections@company.com mailbox, which is excluded by the rule you mentioned.

But maybe this could be seen as a feature request:
I find the "not filter string" the more charming solution.

If you have this dedicated mailbox, you need to answer the question: who will get access rights for it. Who will be the responsible person.

With a string in the subject, like kMa6rbc, you have a more detailed way to make exceptions.
Sender and recipient may be quick on the phone: ah ok, your mail was blocked, please send again and write kMa6rbc in the subject.

That will keep everything a bit cleaner, do you agree?

Thank you,
akl
pdwalker
Posts: 1583
Joined: 18 Mar 2015 09:16

Re: Exceptions for files

Post by pdwalker »

akl,

When you are dealing with someone with Atomic Grade Stupidity, the best thing to do is to let them hang themselves.

a) get it in writing from him that he understands the risks of accepting macros and that he will be fully responsible for the damage caused if said macros contain a virus infection. Otherwise, refuse to enable them because it is your job that is at stake.

b) if he agrees, and it is in writing (copied to his boss), then allow him unfiltered macro access.

At the end of the day, you have to decide what's more important, your job or your integrity? Here's a hint - if you choose job, then you will lose both.

I can, and have stood up against people trying to get me to do something stupid on their behalf. Knowing that I would be the one held responsible, I preferred to walk rather than risk professional ruin.

---

Your suggested solution would work, but I can tell you now, Mr VIP will not find it an acceptable solution. He will not be satisfied with anything less than receiving whatever he wants to receive, whenever he wants it, no matter the risk.

Good luck with whatever you do.