Handling Heuristics.OLE2.ContainsMacros in amavis policy banks

Engels, Jan jan.engels at desy.de
Wed Sep 4 13:05:24 CEST 2019


Hi everyone,

I've configured ClamAV to block VBA macros by enabling the following option:

/etc/clamd.d/amavisd.conf 

# With this option enabled OLE2 files containing VBA macros, which were not
# detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
AlertOLE2Macros yes


However, I would like to configure amavis to only block macros for external mails,
i.e. not for MYNETS policy. ("MYNETS" is called "FROM_INTERNAL" in my configuration,
see below.)


I've tried different things, for example redefined the ClamAV scanner in my "FROM_INTERNAL"
policy bank:


$policy_bank{'FROM_INTERNAL'} = {
  forward_method => 'smtp:[127.0.0.1]:10028',
  av_scanners => [
    ### http://www.clamav.net/
    ['ClamAV-clamd',
      \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
      qr/\bOK$/m, qr/\bFOUND$/m,
      #qr/\b(OK|Heuristics\.OLE2\.ContainsMacros)$/m, qr/\bFOUND$/m,  ### WHITELIST MACROS NOT WORKING
      qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
  ],
  #banned_filename_maps     => ['DEFAULT'],
  banned_filename_maps     => ['BAN_RULES_FROM_INTERNAL'],
};


And I've also tried to whitelist in banned_filename_maps:

%banned_rules = (
  'NO-MS-EXEC'=> new_RE( qr'^\.(exe-ms)$' ),
  'PASSALL'   => new_RE( [qr'^' => 0] ),
  'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
  'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ),
  'NO-VIDEO'  => new_RE( qr'^\.movie$', qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i, ),
  'NO-MOVIES' => new_RE( qr'^\.movie$', qr'.\.(mpg|avi|mov)$'i, ),
  'MYNETS-DEFAULT' => new_RE( [ qr'^\.(rpm|cpio|tar)$' => 0 ], qr'.\.(vbs|pif|scr)$'i, ),
  'DEFAULT' => $banned_filename_re,
  'BAN_RULES_FROM_INTERNAL' => new_RE(
    [ qr'^\.(deb|cpio|rpm|pgp)$' => 0 ],    # allowed file(1) types
    [ qr'^application/pgp-encrypted$' => 0 ],        # allow pgp encrypted mails
    [ qr'^Heuristics\.OLE2\.ContainsMacros$' => 0 ], ### WHITELIST MACROS NOT WORKING
    #qr'^UNDECIPHERABLE$',
    qr'^\.(exe|java|lha|cab|dll)$',   # banned file(1) types
    #qr'^application/x-msdownload$'i,        # block these MIME types
    qr'^application/x-msdos-program$'i,
    qr'^application/hta$'i,
    # block certain double extensions in filenames
    qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
    # banned extensions - long
    qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|exe|fxp|grp|hlp|hta|inf|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$'ix,
    qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
  ),
);



You can see the lines ending with: "### WHITELIST MACROS NOT WORKING"


Any help would be greatly appreciated.

Cheers
Jan
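The following is an added illustration of why the two whitelist attempts in the post cannot take effect; it is not code from the post, from amavisd or from ClamAV. The `banned_filename_maps` rules only ever see file(1) types, MIME types and filenames, never a scanner verdict, so a `Heuristics\.OLE2\.ContainsMacros` entry there matches nothing. The `av_scanners` attempt fails for two reasons that the script below makes visible: clamd reports the heuristic as `...: Heuristics.OLE2.ContainsMacros FOUND`, so a clean pattern anchored with `$` directly after the name never matches that line, and (assumption to verify in `ask_av` of the installed amavisd) the infected pattern is consulted before the clean pattern, so a `FOUND` line wins regardless. The `HARDENED` rule set is a suggested replacement for the `FROM_INTERNAL` bank only: its found pattern skips lines that report nothing but the macro heuristic, and its clean pattern accepts such a line so a macro-only reply is not turned into a scanner error. The Perl `qr//m` patterns are translated to Python `re.M`, and the clamd replies and paths are constructed samples, not captured output. An alternative worth checking in the amavisd.conf-sample of the installed version is `@virus_name_to_spam_score_maps`, which can downgrade a named heuristic to a spam score instead of a virus verdict.

```python
"""Emulate amavisd's three-regex av_scanners verdict over clamd replies.

Constructed example (not amavisd code).  Assumption: amavisd tests the
'found' pattern before the 'clean' pattern; confirm in ask_av of the
installed version before relying on the HARDENED rules.
"""
import re

MACRO = r"Heuristics\.OLE2\.ContainsMacros"

# Patterns as posted for the FROM_INTERNAL bank (Perl qr//m -> re.M):
# clean, found, and the virus-name extractor.
POSTED = {
    "clean": re.compile(r"\bOK$", re.M),
    "found": re.compile(r"\bFOUND$", re.M),
    "name":  re.compile(r"^.*?: (?!Infected Archive)(.*) FOUND$", re.M),
}

# The commented-out whitelist attempt from the post: '$' right after the
# heuristic name can never match a line that continues with ' FOUND'.
ATTEMPTED_CLEAN = re.compile(r"\b(OK|" + MACRO + r")$", re.M)

# Suggested (assumed-correct) rules for an internal-senders bank only:
# 'found' ignores lines reporting just the macro heuristic, 'clean' accepts
# such a line, and 'name' does not list the heuristic as a virus name.
HARDENED = {
    "clean": re.compile(r"\b(OK|" + MACRO + r" FOUND)$", re.M),
    "found": re.compile(r"^(?!.*" + MACRO + r" FOUND$).*\bFOUND$", re.M),
    "name":  re.compile(r"^.*?: (?!Infected Archive|" + MACRO + r")(.*) FOUND$",
                        re.M),
}

# Constructed clamd CONTSCAN replies; paths are placeholders.
REPLIES = {
    "clean":      "stream: OK\n",
    "virus":      "/tmp/amavis-example/p001: Eicar-Test-Signature FOUND\n",
    "macro_only": "/tmp/amavis-example/p002: Heuristics.OLE2.ContainsMacros FOUND\n",
    "mixed":      ("/tmp/amavis-example/p001: OK\n"
                   "/tmp/amavis-example/p002: Heuristics.OLE2.ContainsMacros FOUND\n"
                   "/tmp/amavis-example/p003: Win.Test.EICAR_HDB-1 FOUND\n"),
}


def verdict(reply, rules):
    """Classify one clamd reply the way amavisd is assumed to.

    Returns ('infected', [names]), ('clean', []) or ('error', []); the
    last mirrors amavisd treating an unrecognised reply as a scanner error.
    """
    if rules["found"].search(reply):
        return "infected", rules["name"].findall(reply)
    if rules["clean"].search(reply):
        return "clean", []
    return "error", []


def attempted_whitelist_matches(reply):
    """True if the posted whitelist clean pattern matches the reply at all."""
    return ATTEMPTED_CLEAN.search(reply) is not None


if __name__ == "__main__":
    for label, reply in REPLIES.items():
        print(f"{label:10s} posted={verdict(reply, POSTED)} "
              f"attempted_clean_matches={attempted_whitelist_matches(reply)} "
              f"hardened={verdict(reply, HARDENED)}")
```

Running the script shows the macro-only reply staying `infected` under the posted rules (and the attempted clean pattern not matching it at all), becoming `clean` under the hardened rules, while a reply that also carries a signature hit is still reported as infected with only the real detection name.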

