Virus scanners with amavis and fedora

Dino Edwards dino.edwards at mydirectmail.net
Fri Apr 14 21:43:31 CEST 2017


I guess a bigger question is, is there a legitimate reason to allow your users to receive macro enabled word docs? As far as encrypted word docs or pdfs or such you can always turn mark encrypted archives as viruses and effectively block them. Anything encrypted like that it's obviously trying to hide the content because it's either malicious or it's trying to encrypt sensitive information. If it's legitimate, a proper encrypted email solution would work much better. 

Point is, I don't care what AV solution you are using, some of them are going to get through no matter what. Hackers are getting slicker by the day, their methods are getting better and better. The AV industry is always trying to play catch-up. Is that an acceptable risk to your organization? You need to take steps to block as much as possible and let AV be the very last resort. If you are counting on your AV to protect everything you are going to get screwed in the end. It's as simple as that. 

In my organization we have deployed Snort IDS, DLP to prevent leaks, AV on the endpoints and servers, we do SSL decyption to look at all the encrypted traffic, Fireye appliances to look for advanced malware on the network, another layer with Palo Alto Wildfire and Antivirus at the perimeter, AV/spam filter for e-mail, AV on the e-mail server and after ALL that, things still manage to get in. It's a cat and mouse game. Nothing is ever perfect.

You can always start blocking .doc files, since let's face it, nobody should be using those 13-year old old file formats and if they are, they need to stop. Most of that malware comes through as .doc or .rtf files. 

 

-----Original Message-----
From: amavis-users [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org] On Behalf Of Alex
Sent: Friday, April 14, 2017 3:03 PM
To: amavis-users at amavis.org
Subject: Re: Virus scanners with amavis and fedora

Hi,

On Fri, Apr 14, 2017 at 11:00 AM, Dino Edwards <dino.edwards at mydirectmail.net> wrote:
> I mean what specific issues are you having? Do you have Macro enabled 
> encrypted word documents, encrypted PDFs? The reason I'm asking is 
> because there MAY be things you can do already with Amavis and clamav to block a lot of those things.

Do you mean have I configured clamav to scan for these? Or do you mean simply have I received macro-enabled encrypted Word docs?

Yes, I have received quite a few. I've also configured clamav for ScanOLE2. OLE2BlockMacros is disabled because it then doesn't scan them at all, only marks them as having macros.

Thanks,
Alex


More information about the amavis-users mailing list