block exe in pdf-files?
Hoyer-Reuther, Christian
Christian.Hoyer-Reuther at cac-chem.de
Wed May 31 08:11:24 CEST 2017
Hello,
we use the settings posted by Dino and recently ClamAV detected MS Office macros (Heuristics.OLE2.ContainsMacros) in several mails with attached PDF files. I guess these mails contained the Jaff ransomware.
Regards,
Christian
-----Original Message-----
From: amavis-users [mailto:amavis-users-bounces+christian.hoyer-reuther=cac-chem.de at amavis.org] On Behalf Of Dino Edwards
Sent: Tuesday, May 30, 2017 4:17 PM
To: amavis-users at amavis.org
Subject: RE: block exe in pdf-files?
I think you are right. Probably not. If you are using clamav, I wonder if setting the following in clamav would give you the desired result?
ScanOLE2 true
OLE2BlockMacros true
ScanPDF true
-----Original Message-----
From: amavis-users [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org] On Behalf Of Jakob Curdes
Sent: Tuesday, May 30, 2017 10:03 AM
To: amavis-users at amavis.org
Subject: Re: block exe in pdf-files?
But would this work for a docm that needs to be extracted from a PDF? I was not aware that amavisd or the tools it uses are able to extract stuff embedded in a PDF.
JC
On 30.05.2017 at 15:38, Dino Edwards wrote:
> Have you tried the following in your file rule?
>
> [qr'.\.(docm)$'ix => 1],
> [qr'.\.(dotm)$'ix => 1],
> [qr'.\.(xlsm)$'ix => 1],
> [qr'.\.(xltm)$'ix => 1]
>
> The above SHOULD block macro-enabled Office docs.
>
>
> -----Original Message-----
> From: amavis-users
> [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org]
> On Behalf Of Daniel Rieken
> Sent: Tuesday, May 30, 2017 9:02 AM
> To: amavis-users at amavis.org
> Subject: block exe in pdf-files?
>
> Hello,
>
> is it possible to block exe- or docm/xlsm/pptm-files inside of PDF-files?
>
> The new Jaff ransomware is sending a PDF-file with a docm inside this PDF. So I would like to be able to block these emails with amavisd-new...
>
>
> Cheers!
> Daniel
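Added example, not part of any message in this thread and not amavisd-new or ClamAV code: a Python heuristic for the question raised above, listing the names in a PDF's file specifications (`/F`, `/UF`) and flagging the extensions named in the thread, including names stored in Flate-compressed object streams. The function names and the sample bytes are constructed for illustration. It is a byte-level scan rather than a full PDF parser, so it assumes an unencrypted file, FlateDecode streams only, and keys written without `#xx` name escapes.

```python
import re
import zlib

# Extensions from the thread: the file-rule list plus exe/pptm from the question.
BANNED = re.compile(r"\.(exe|docm|dotm|xlsm|xltm|pptm)$", re.I)
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
# /F or /UF key followed by a literal (...) or hex <...> string.
NAME = re.compile(rb"/U?F\s*(?:\(((?:\\.|[^\\()])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
MAX_INFLATE = 8 * 1024 * 1024  # per-stream output cap against decompression bombs

def searchable_bytes(pdf: bytes) -> bytes:
    """Raw PDF plus every stream that inflates, so file specifications kept
    in Flate-compressed object streams are visible to NAME."""
    parts = [pdf]
    for m in STREAM.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1), MAX_INFLATE))
        except zlib.error:
            continue  # not Flate data (or encrypted): nothing to search
    return b"\n".join(parts)

def decode_pdf_string(literal, hexstr) -> str:
    if literal is not None:
        raw = re.sub(rb"\\(.)", rb"\1", literal, flags=re.S)  # handles \( \) \\ only
    else:
        digits = re.sub(rb"\s", b"", hexstr)
        raw = bytes.fromhex((digits + b"0" * (len(digits) % 2)).decode("ascii"))
    if raw.startswith(b"\xfe\xff"):  # UTF-16BE text string with BOM
        return raw[2:].decode("utf-16-be", "replace")
    return raw.decode("latin-1")

def banned_attachments(pdf: bytes) -> list[str]:
    """Names in /F and /UF file-specification strings that match BANNED."""
    data = searchable_bytes(pdf)
    names = {decode_pdf_string(m.group(1), m.group(2)) for m in NAME.finditer(data)}
    return sorted(n for n in names if BANNED.search(n))

# Constructed sample, not a real document: one plain file specification, one
# benign, and one inside a compressed object stream with a UTF-16 hex name.
_hex = (b"\xfe\xff" + "Q2.xlsm".encode("utf-16-be")).hex().encode()
_objstm = zlib.compress(b"<< /Type /Filespec /UF <" + _hex + b"> /EF << /F 9 0 R >> >>")
SAMPLE = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 2 0 R >> >> endobj\n"
    b"3 0 obj << /Type /Filespec /F (notes.txt) >> endobj\n"
    b"4 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
    + _objstm + b"\nendstream endobj\n%%EOF\n"
)
print(banned_attachments(SAMPLE))
```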