EFA to only block .doc macros?

Questions and answers about how to do stuff
Post Reply
user666
Posts: 1
Joined: 05 Oct 2016 19:59

EFA to only block .doc macros?

Post by user666 »

Hello,

I use Barracuda for my organization and it keeps staff happy (changing spam filters isn't doable politically right now), but it can't filter out .doc macros, which are problem as that's a pretty strong vector for ransomware. It looks like ClamAV has some ability to detect macros in .doc files and that spamasassin can push all attachments through ClamAV before sending.

My understanding is that I can set the spamassassin score to something very high like 50 so that no mail is ever marked as spam and ClamAV can also block .doc macros. Is this correct? If so, can someone point me towards the config files I'd need to change? Bonus if the tagged files can come to a specific inbox for IT to look at and to release to staff.

Thanks.
dbrunt
Posts: 64
Joined: 28 Nov 2015 00:09

Re: EFA to only block .doc macros?

Post by dbrunt »

OLE2 macro blocking is supposed to be enabled in newer versions of EFA (clamd)
I'm not sure when the default changed.
This setting in /etc/clamd.conf controls OLE2 macro blocking:

Code: Select all

# With this option enabled OLE2 files with VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
# Default: no
#OLE2BlockMacros yes
Apparently OLE2BlockMacros either defaults to no or yes depending on the version of clamd so uncomment and set it to your liking.
The text description supposedly is still "Default: no" in newer versions of EFA and is incorrect.
Last edited by dbrunt on 12 Oct 2016 23:08, edited 1 time in total.
dbrunt
Posts: 64
Joined: 28 Nov 2015 00:09

Re: EFA to only block .doc macros?

Post by dbrunt »

For SpamAssassin scoring, see viewtopic.php?t=1547
Scroll abount 1/2 way down for pdwalker's step-by-step process for installation.

I'm still trying to get it to work though...
dbrunt
Posts: 64
Joined: 28 Nov 2015 00:09

Re: EFA to only block .doc macros?

Post by dbrunt »

One more note, install Sophos A/V scanning: viewtopic.php?t=1329
It catches more than clamav but not everything than clamav does...
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: EFA to only block .doc macros?

Post by pdwalker »

Did someone invoke my name?

ClamAV will block 100% of macro enabled word documents. So if you're happy doing that then set
OLE2BlockMacros yes

The plugin mentioned in viewtopic.php?t=1547 will catch some, but not all macro enabled word documents. So don't assume it works perfectly. It only helps.

(Personally, I think all macro enabled MS Office documents should be deleted immediately because of the potential harm they can do)
User avatar
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: EFA to only block .doc macros?

Post by pdwalker »

Ok, I've recieved the example excel spreadsheets and they passed right through the spamassassin macro detecting plugin without being detected.

I've submitted a bug report to the plugin author, but I am not sure how responsive he will be. Until then, be warned that the plugin fails on quite a number of macro enabled office documents.
Post Reply