Handling Heuristics.OLE2.ContainsMacros in amavis policy banks

Engels, Jan jan.engels at desy.de
Thu Sep 26 19:03:22 CEST 2019


Hi everyone,

has anyone any idea on how to solve this? :|

In the meantime I found a workaround by overwriting the "virus_name_to_spam_score_maps" in my
policy_bank, e.g.:

$policy_bank{'FROM_INTERNAL'} = {
...
virus_name_to_spam_score_maps =>
 [new_RE(
   [ qr'^Heuristics\.OLE2\.ContainsMacros' => 0.001 ],
)],
};

However, I do not like this solution because the virus_name_to_spam_score_maps variable is
defined in the amavisd main script, you can check this as follows:

grep -A50 'virus_name_to_spam_score_maps =' /usr/sbin/amavisd


Unfortunately I could not find a way to append only that single line to the variable, so
this means I would have to copy & paste the whole contents of the variable into my custom
policy bank. This is something I would really like to avoid, since it means that I would
always have to check the contents of the "virus_name_to_spam_score_maps" variable whenever
the amavisd-new package gets upgraded...

Cheers
Jan

----- Original Message -----
| From: "Jan Engels" <jan.engels at desy.de>
| To: amavis-users at amavis.org
| Sent: Wednesday, September 4, 2019 1:05:24 PM
| Subject: Handling Heuristics.OLE2.ContainsMacros in amavis policy banks

| Hi everyone,
| 
| I've configured ClamAV to block VBA macros by enabling the following option:
| 
| /etc/clamd.d/amavisd.conf
| 
| # With this option enabled OLE2 files containing VBA macros, which were not
| # detected by signatures will be marked as "Heuristics.OLE2.ContainsMacros".
| AlertOLE2Macros yes
| 
| 
| However, I would like to configure amavis to only block macros for external mails,
| i.e. not for the MYNETS policy. ("MYNETS" is called "FROM_INTERNAL" in my configuration,
| see below.)
| 
| 
| I've tried different things, for example redefining the ClamAV scanner in my
| "FROM_INTERNAL" policy bank:
| 
| 
| $policy_bank{'FROM_INTERNAL'} = {
| forward_method => 'smtp:[127.0.0.1]:10028',
| av_scanners => [
| 
|  ### http://www.clamav.net/
| ['ClamAV-clamd',
| \&ask_daemon, ["CONTSCAN {}\n", "/var/run/clamd.amavisd/clamd.sock"],
| qr/\bOK$/m, qr/\bFOUND$/m,
| #qr/\b(OK|Heuristics\.OLE2\.ContainsMacros)$/m, qr/\bFOUND$/m,  ### WHITELIST MACROS NOT WORKING
| qr/^.*?: (?!Infected Archive)(.*) FOUND$/m ],
| ],
| #banned_filename_maps     => ['DEFAULT'],
| banned_filename_maps     => ['BAN_RULES_FROM_INTERNAL'],
| };
| 
| 
| And I've also tried to whitelist in banned_filename_maps:
| 
| %banned_rules = (
|  'NO-MS-EXEC'=> new_RE( qr'^\.(exe-ms)$' ),
|  'PASSALL'   => new_RE( [qr'^' => 0] ),
|  'ALLOW_EXE' => new_RE( qr'.\.(vbs|pif|scr|bat)$'i, [qr'^\.exe$' => 0] ),
|  'ALLOW_VBS' => new_RE( [qr'.\.vbs$' => 0] ),
|  'NO-VIDEO'  => new_RE( qr'^\.movie$',
|  qr'.\.(asf|asx|mpg|mpe|mpeg|avi|mp3|wav|wma|wmf|wmv|mov|vob)$'i, ),
|  'NO-MOVIES' => new_RE( qr'^\.movie$', qr'.\.(mpg|avi|mov)$'i, ),
|  'MYNETS-DEFAULT' => new_RE( [ qr'^\.(rpm|cpio|tar)$' => 0 ],
|  qr'.\.(vbs|pif|scr)$'i, ),
|  'DEFAULT' => $banned_filename_re,
|  'BAN_RULES_FROM_INTERNAL' => new_RE(
|    [ qr'^\.(deb|cpio|rpm|pgp)$' => 0 ],    # allowed file(1) types
|    [ qr'^application/pgp-encrypted$' => 0 ],        # allow pgp encrypted mails
|    [ qr'^Heuristics\.OLE2\.ContainsMacros$' => 0 ], ### WHITELIST MACROS NOT WORKING
|    #qr'^UNDECIPHERABLE$',
|    qr'^\.(exe|java|lha|cab|dll)$',   # banned file(1) types
|    #qr'^application/x-msdownload$'i,        # block these MIME types
|    qr'^application/x-msdos-program$'i,
|    qr'^application/hta$'i,
|    # block certain double extensions in filenames
|    qr'^(?!cid:).*\.[^./]*[A-Za-z][^./]*\.\s*(exe|vbs|pif|scr|bat|cmd|com|cpl|dll)[.\s]*$'i,
|    # banned extensions - long
|    qr'.\.(ade|adp|app|bas|bat|chm|cmd|com|cpl|exe|fxp|grp|hlp|hta|inf|ins|isp|js|jse|lib|lnk|mda|mdb|mde|mdt|mdw|mdz|msc|msi|msp|mst|ocx|ops|pcd|pif|prg|reg|scr|sct|shb|shs|sys|vb|vbe|vbs|vxd|wsc|wsf|wsh)$'ix,
|    qr'.\.(mim|b64|bhx|hqx|xxe|uu|uue)$'i,  # banned extension - WinZip vulnerab.
|  ),
| );
| 
| 
| 
| You can see the lines ending with: "### WHITELIST MACROS NOT WORKING"
| 
| 
| Any help would be greatly appreciated.
| 
| Cheers
| Jan
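As an added example (not part of the original post and not amavisd's own code): one way to get the per-bank override without pasting the whole stock table into the policy bank is to reference the default list from inside the bank and put the extra rule in front of it. This assumes that amavisd keeps the stock mapping in the global array @virus_name_to_spam_score_maps and has already initialised it by the time amavisd.conf is evaluated, and that amavis walks the tables of a *_maps list in order with the first match winning; both assumptions should be checked against the amavisd version in use before relying on them.

```perl
# amavisd.conf fragment (added example, not from the original post).
#
# Assumptions, to be verified against the installed amavisd:
#  - the built-in virus-name -> spam-score table is held in the global
#    array @virus_name_to_spam_score_maps and is populated before this
#    config file is evaluated;
#  - the tables in a *_maps list are consulted in order, first match wins,
#    so a table placed in front takes precedence over the stock entries.

# Extra table shared by every bank that should let VBA macros through.
# A hit named Heuristics.OLE2.ContainsMacros is turned into a negligible
# spam score instead of being treated as an infection; every other virus
# name is not matched here and falls through to the stock table.
my $allow_ole2_macros = new_RE(
  [ qr'^Heuristics\.OLE2\.ContainsMacros' => 0.001 ],
);

# Policy bank for mail from our own networks (the original post calls the
# stock MYNETS bank FROM_INTERNAL; the port and banned_filename_maps name
# are taken from the post and are site-specific).
$policy_bank{'FROM_INTERNAL'} = {
  forward_method       => 'smtp:[127.0.0.1]:10028',
  banned_filename_maps => ['BAN_RULES_FROM_INTERNAL'],

  # Our table first, then the unmodified built-in list.  Because the stock
  # array is referenced rather than copied, a package upgrade that changes
  # the stock entries is picked up without touching this bank.
  virus_name_to_spam_score_maps => [
    $allow_ole2_macros,
    @virus_name_to_spam_score_maps,
  ],
};

# External mail is left alone: no override in the default bank, so
# Heuristics.OLE2.ContainsMacros keeps whatever the stock table says
# (normally: treated as a virus hit and blocked).
```

After a reload, the check a practitioner would want is to submit a document containing a VBA macro once from an internal host and once from outside, and confirm in the amavis log that the internal copy is passed with the score added rather than reported as infected, while the external copy is still blocked. If the internal copy is still blocked, the stock table is most likely not exposed under that array name in the running version, in which case the array reference above must be replaced by the tables from the grep output in the post.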