Quarantine doc Files only with Macros?

postmaster at wf-partner.com postmaster at wf-partner.com
Mon Feb 27 18:31:17 CET 2017


Sorry! This was my fault. As I wrote

> The testmail was cleaned by PC antivirus program.

But I didn't notice (the filesize was the same as before). The Word 
macro was a virus, which was not recognized by the antivirus program at 
the beginning.
Later I had performed a test with Outlook and IMAP and the antivirus 
program cleaned the mail in the IMAP folder of one server. But the file 
was still attached to the mail and seemed not to be changed; the macros 
were deactivated anyway. So only mails from the other server 
actually contained macros.

Today I tested with another file with macros and all mails were 
blocked from both servers. Sorry again for this confusion.


2017-02-27 16:48, wrote Dino Edwards:
> do you have amavis policy setup that may specify virus_lover set to Y
> set on the server that accepts the macro enabled document by any
> chance?
> 
> 
> 
> -----Original Message-----
> From: postmaster at wf-partner.com [mailto:postmaster at wf-partner.com]
> Sent: Monday, February 27, 2017 4:09 AM
> To: Dino Edwards <dino.edwards at mydirectmail.net>
> Cc: amavis-users at amavis.org; amavis-users
> <amavis-users-bounces+postmaster=wf-partner.com at amavis.org>
> Subject: Re: Quarantine doc Files only with Macros?
> 
> The testmail was cleaned by PC antivirus program. Therefore this
> strange behavior. Now I tested with another file and mail was blocked
> every time.
> 
> Kind Regards
> Thomas
> 
> On 2017-02-25 20:35, postmaster at wf-partner.com wrote:
>> There is no difference in $final_virus_destiny ( = D_DISCARD;) and
>> other settings concerning virus.
>> 
>> I guess something with whitelisting or bypassing local mail senders.
>> 
>>> -----Original Message-----
>>> 2017-02-24 17:39, wrote Dino Edwards:
>>> Strange indeed. Just spit balling here, is the $final_virus_destiny
>>> in amavis on both servers set the same? Do you have amavis policies
>>> set on the servers?
>>> 
>>> 
>>> 
>>> -----Original Message-----
>>> From: postmaster at wf-partner.com [mailto:postmaster at wf-partner.com]
>>> Sent: Friday, February 24, 2017 11:30 AM
>>> To: Dino Edwards <dino.edwards at mydirectmail.net>
>>> Cc: amavis-users at amavis.org; amavis-users
>>> <amavis-users-bounces+postmaster=wf-partner.com at amavis.org>
>>> Subject: Re: Quarantine doc Files only with Macros?
>>> 
>>> You are right, we have two different linux servers with mailservers
>>> and they are both set in the clamav config files like below but one
>>> of them is blocking outbound OLE2 macro files and the other one only
>>> blocks incoming OLE2 macro files?
>>> Services clamav-daemon and amavis were restarted.
>>> 
>>>> -----Original Message----- from Dino Edwards:
>>>> Did you restart clamav? So you have two mailservers and they are
>>>> both set in the clamav config files like below but one of them is
>>>> blocking outbound OLE2 macro files and the other one only blocks
>>>> incoming OLE2 macro files? Am I understanding this correctly?
>>>> 
>>>> 
>>>> 
>>>> -----Original Message-----
>>>> From: postmaster at wf-partner.com [mailto:postmaster at wf-partner.com]
>>>> Sent: Friday, February 24, 2017 11:04 AM
>>>> To: Dino Edwards <dino.edwards at mydirectmail.net>
>>>> Cc: amavis-users at amavis.org; amavis-users
>>>> <amavis-users-bounces+postmaster=wf-partner.com at amavis.org>
>>>> Subject: Re: Quarantine doc Files only with Macros?
>>>> 
>>>> Both are set. I had to restart service amavis-daemon I think. But now
>>>> at one of two mailservers there is only outgoing mail blocked and at
>>>> the other only incoming mail.
>>>> 
>>>> Strange!
>>>> 
>>>> 
>>>> On 2017-02-24 11:04, Dino Edwards wrote:
>>>>> I believe both of these have to be set to true in order for that to
>>>>> work
>>>>> 
>>>>> ScanOLE2 true
>>>>> OLE2BlockMacros true
>>>>> 
>>>>> 
>>>>> -----Original Message-----
>>>>> From: amavis-users
>>>>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org]
>>>>> On Behalf Of postmaster at wf-partner.com
>>>>> Sent: Friday, February 24, 2017 2:08 AM
>>>>> To: amavis-users at amavis.org
>>>>> Subject: Re: Quarantine doc Files only with Macros?
>>>>> 
>>>>> I turned on "OLE2BlockMacros true", but a word file containing a
>>>>> macro virus was not classified as "INFECTED". I had renamed the
>>>>> file before sending a test mail.
>>>>> 
>>>>> Any ideas what I could do to get all files with macros to be
>>>>> quarantined?
>>>>> 
>>>>> Kind regards
>>>>> Thomas
>>>>> 
>>>>> -----Original Message-----
>>>>>> From: amavis-users
>>>>>> [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org]
>>>>>> On Behalf Of Hoyer-Reuther, Christian
>>>>>> Christian.Hoyer-Reuther at cac-chem.de wrote
>>>>>> Sent: Wednesday, December 14, 2016 11:42 AM
>>>>>> To: amavis-users at amavis.org
>>>>>> Subject: Quarantine doc Files only with Macros?
>>>>>> 
>>>>>> Hello Klaus,
>>>>>> 
>>>>>> if you use ClamAV, then you can set its option "OLE2BlockMacros
>>>>>> true". This detects MS Office Macros regardless of the file
>>>>>> extension. If a macro is found, then the file is classified as a
>>>>>> virus ("INFECTED: Heuristics.OLE2.ContainsMacros").
>>>>>> 
>>>>>> Regards,
>>>>>> 
>>>>>> Christian

