Quarantine doc Files only with Macros?
Dino Edwards
dino.edwards at mydirectmail.net
Mon Feb 27 16:48:26 CET 2017
Do you have an amavis policy set up that may specify virus_lover set to Y on the server that accepts the macro-enabled document, by any chance?
-----Original Message-----
From: postmaster at wf-partner.com [mailto:postmaster at wf-partner.com]
Sent: Monday, February 27, 2017 4:09 AM
To: Dino Edwards <dino.edwards at mydirectmail.net>
Cc: amavis-users at amavis.org; amavis-users <amavis-users-bounces+postmaster=wf-partner.com at amavis.org>
Subject: Re: Quarantine doc Files only with Macros?
The test mail was cleaned by the PC antivirus program. Therefore this strange behavior. Now I tested with another file and the mail was blocked every time.
Kind Regards
Thomas
On 2017-02-25 20:35, postmaster at wf-partner.com wrote:
> There is no difference in $final_virus_destiny ( = D_DISCARD;) and
> other settings concerning virus.
>
> I guess something with whitelisting or bypassing local mail senders.
>
>> -----Original Message-----
>> 2017-02-24 17:39, wrote Dino Edwards:
>> Strange indeed. Just spitballing here, is the $final_virus_destiny
>> in amavis on both servers set the same? Do you have amavis policies
>> set on the servers?
>>
>>
>>
>> -----Original Message-----
>> From: postmaster at wf-partner.com [mailto:postmaster at wf-partner.com]
>> Sent: Friday, February 24, 2017 11:30 AM
>> To: Dino Edwards <dino.edwards at mydirectmail.net>
>> Cc: amavis-users at amavis.org; amavis-users
>> <amavis-users-bounces+postmaster=wf-partner.com at amavis.org>
>> Subject: Re: Quarantine doc Files only with Macros?
>>
>> You are right, we have two different linux servers with mailservers
>> and they are both set in the clamav config files like below but one
>> of them is blocking outbound OLE2 macro files and the other one only
>> blocks incoming OLE2 macro files?
>> Services clamav-daemon and amavis were restarted.
>>
>>> -----Original Message----- from Dino Edwards:
>>> Did you restart clamav? So you have two mailservers and they are
>>> both set in the clamav config files like below but one of them is
>>> blocking outbound OLE2 macro files and the other one only blocks
>>> incoming OLE2 macro files? Am I understanding this correctly?
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: postmaster at wf-partner.com [mailto:postmaster at wf-partner.com]
>>> Sent: Friday, February 24, 2017 11:04 AM
>>> To: Dino Edwards <dino.edwards at mydirectmail.net>
>>> Cc: amavis-users at amavis.org; amavis-users
>>> <amavis-users-bounces+postmaster=wf-partner.com at amavis.org>
>>> Subject: Re: Quarantine doc Files only with Macros?
>>>
>>> Both are set. I had to restart service amavis-daemon I think. But now
>>> at one of two mailservers there is only outgoing mail blocked and at
>>> the other only incoming mail.
>>>
>>> Strange!
>>>
>>>
>>> On 2017-02-24 11:04, Dino Edwards wrote:
>>>> I believe both of these have to be set to true in order for that to
>>>> work
>>>>
>>>> ScanOLE2 true
>>>> OLE2BlockMacros true
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: amavis-users
>>>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org]
>>>> On Behalf Of postmaster at wf-partner.com
>>>> Sent: Friday, February 24, 2017 2:08 AM
>>>> To: amavis-users at amavis.org
>>>> Subject: Re: Quarantine doc Files only with Macros?
>>>>
>>>> I turned on "OLE2BlockMacros true", but a word file containing a
>>>> macro virus was not classified as "INFECTED". I had renamed the
>>>> file before sending a test mail.
>>>>
>>>> Any ideas what I could do to get all files with macros to be
>>>> quarantined?
>>>>
>>>> Kind regards
>>>> Thomas
>>>>
>>>> -----Original Message-----
>>>>> From: amavis-users
>>>>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org]
>>>>> On Behalf Of Hoyer-Reuther, Christian
>>>>> Christian.Hoyer-Reuther at cac-chem.de wrote
>>>>> Sent: Wednesday, December 14, 2016 11:42 AM
>>>>> To: amavis-users at amavis.org
>>>>> Subject: Quarantine doc Files only with Macros?
>>>>>
>>>>> Hello Klaus,
>>>>>
>>>>> if you use ClamAV, then you can set its option "OLE2BlockMacros
>>>>> true". This detects MS Office Macros regardless of the file
>>>>> extension. If a macro is
>>>>> found, then the file is classified as a virus ("INFECTED:
>>>>> Heuristics.OLE2.ContainsMacros").
>>>>>
>>>>> Regards,
>>>>>
>>>>> Christian
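
A check for the two ClamAV options named in this thread, for the case where two servers are believed to be configured alike but behave differently. This is an added example, not part of the original messages; the sample file contents, the function names and the choice to report the last uncommented occurrence of an option are assumptions of the example.

```shell
#!/bin/sh
# Added example: compare the OLE2 macro settings of clamd.conf files.

# Print an option's value from a clamd.conf-style file, or "unset".
# Comment lines are skipped. Assumption: the last uncommented occurrence
# is reported; which one clamd itself honours is not checked here.
clamd_opt() {
    awk -v opt="$2" '
        /^[ \t]*#/ { next }
        $1 == opt { val = tolower($2) }
        END { print (val == "" ? "unset" : val) }
    ' "$1"
}

# True for the boolean spellings "yes", "true" and "1".
is_true() {
    case "$1" in
        yes|true|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds only when both options from the thread are switched on.
macro_blocking_enabled() {
    is_true "$(clamd_opt "$1" ScanOLE2)" &&
        is_true "$(clamd_opt "$1" OLE2BlockMacros)"
}

# Constructed sample configs standing in for the two mail servers.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/server_a.conf" <<'EOF'
# constructed sample
ScanOLE2 true
OLE2BlockMacros true
EOF
cat > "$SAMPLE_DIR/server_b.conf" <<'EOF'
# constructed sample
ScanOLE2 true
#OLE2BlockMacros true
EOF

for conf in "$SAMPLE_DIR"/server_a.conf "$SAMPLE_DIR"/server_b.conf; do
    printf '%s: ScanOLE2=%s OLE2BlockMacros=%s\n' "${conf##*/}" \
        "$(clamd_opt "$conf" ScanOLE2)" "$(clamd_opt "$conf" OLE2BlockMacros)"
    macro_blocking_enabled "$conf" || echo "  macro blocking NOT fully enabled"
done
```

To use it on real servers, replace the sample paths with the clamd.conf that each clamd instance actually loads and compare the printed lines.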