block exe in pdf-files?

Hoyer-Reuther, Christian Christian.Hoyer-Reuther at cac-chem.de
Wed May 31 08:11:24 CEST 2017


Hello,

we use the settings posted by Dino and recently ClamAV detected MS office macros (Heuristics.OLE2.ContainsMacros) in several mails with attached pdf files. I guess these mails contained the Jaff ransomware.

Regards,

Christian

-----Original Message-----
From: amavis-users [mailto:amavis-users-bounces+christian.hoyer-reuther=cac-chem.de at amavis.org] On Behalf Of Dino Edwards
Sent: Tuesday, May 30, 2017 4:17 PM
To: amavis-users at amavis.org
Subject: RE: block exe in pdf-files?

I think you are right. Probably not. If you are using clamav, I wonder if setting the following in clamav would give you the desired result?

ScanOLE2 true
OLE2BlockMacros true
ScanPDF true



-----Original Message-----
From: amavis-users [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org] On Behalf Of Jakob Curdes
Sent: Tuesday, May 30, 2017 10:03 AM
To: amavis-users at amavis.org
Subject: Re: block exe in pdf-files?

But would this work for a docm that needs to be extracted from a PDF? I was not aware that amavisd or the tools it uses are able to extract stuff embedded in a pdf.

JC


On 30.05.2017 at 15:38, Dino Edwards wrote:
> Have you tried the following in your file rule?
>
> [qr'.\.(docm)$'ix => 1],
> [qr'.\.(dotm)$'ix => 1],
> [qr'.\.(xlsm)$'ix => 1],
> [qr'.\.(xltm)$'ix => 1]
>
> The above SHOULD Block macro enabled office docs.
>
>
> -----Original Message-----
> From: amavis-users 
> [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org] 
> On Behalf Of Daniel Rieken
> Sent: Tuesday, May 30, 2017 9:02 AM
> To: amavis-users at amavis.org
> Subject: block exe in pdf-files?
>
> Hello,
>
> is it possible to block exe- or docm/xlsm/pptm-files inside of PDF-files?
>
> The new Jaff ransomware is sending a PDF-file with a docm inside this PDF. So I would like to be able to block these emails with amavisd-new...
>
>
> Cheers!
> Daniel
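
Added example, not part of the thread and not code from amavisd-new or ClamAV: a Python sketch of the check the thread asks about, listing the attachment names declared in a PDF's file specifications (including ones inside Flate-compressed streams) and matching them against the extensions named above. All function names and the sample bytes are constructed for illustration; encrypted PDFs, non-Flate filters and `#xx`-escaped dictionary keys are not handled.

```python
import re
import zlib

# Extensions named in the thread: the posted file rule plus pptm/exe from the question.
BANNED = re.compile(r'\.(docm|dotm|xlsm|xltm|pptm|exe)$', re.I)
STREAM = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)
# /F or /UF followed by a literal string (one nesting level) or a hex string <...>.
NAME = re.compile(rb'/U?F\s*(?:\(((?:\\.|\([^()]*\)|[^\\()])*)\)|<([0-9A-Fa-f\s]*)>)', re.S)

def _bodies(data):
    """Yield the raw bytes, then every stream that inflates with zlib."""
    yield data
    for m in STREAM.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            pass  # not Flate-compressed (or encrypted): skipped

def _decode(raw):
    """PDF text strings are UTF-16BE when they start with a BOM, else byte-oriented."""
    if raw.startswith(b'\xfe\xff'):
        return raw[2:].decode('utf-16-be', 'replace')
    return raw.decode('latin-1')

def embedded_names(data):
    """Return the set of file-specification names found in a PDF byte string."""
    names = set()
    for body in _bodies(data):
        for lit, hexstr in NAME.findall(body):
            if hexstr:
                h = b''.join(hexstr.split())
                raw = bytes.fromhex((h + b'0' * (len(h) % 2)).decode())
            else:
                raw = re.sub(rb'\\(.)', rb'\1', lit, flags=re.S)  # drop backslash escapes
            if raw:
                names.add(_decode(raw))
    return names

def banned_attachments(data):
    """Names whose extension is on the blocked list, sorted for stable output."""
    return sorted(n for n in embedded_names(data) if BANNED.search(n))

# Constructed sample: one Filespec in the clear, one inside a Flate-compressed stream.
_hidden = zlib.compress(b'<< /Type /Filespec /F (report.pdf) /UF <FEFF0061002E0078006C0073006D> >>')
SAMPLE = (b'%PDF-1.5\n1 0 obj\n<< /Type /Filespec /F (invoice\\(1\\).DOCM) /EF << /F 2 0 R >> >>\n'
          b'endobj\n3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode >>\nstream\n'
          + _hidden + b'\nendstream\nendobj\n%%EOF\n')

if __name__ == "__main__":
    print(banned_attachments(SAMPLE))
```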


