Detecting macro from office documents

f4242

Dec 19, 2016
Quebec, QC
Hello,

On my current mail server, I manually configured amavis over the years. I block newer macro-enabled office documents (.docm, .xlsm...) and I also block older office documents (.doc, .xls...) ONLY IF they contain macros.

With PMG, I can easily block mail if it contains newer macro-enabled documents, but I can't block mail if it contains older documents. Blocking every .doc or .xls document is not acceptable.

With my current Amavis configuration I added this:
Code:
push @av_scanners, ['Detect-VBA',
   '/usr/local/bin/detectvba.pl', "{}",
      [0], qr/BANNED/, qr/\bBANNED (.+)\b/m ];

The file detectvba.pl comes from https://github.com/technion/maia_mailguard/blob/master/scripts/detectvba.pl. I personally modified it to replace "infected" with "banned" to avoid users panicking when they receive a legitimate file that contains macros.

Is it a feature you would consider adding?

Thank you!
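
The policy described above (accept legacy .doc/.xls unless they actually carry VBA, reject macro-enabled OOXML files) can be checked directly in the attachment bytes. The following is an added example, not the detectvba.pl script or any PMG code: it walks the OLE2 directory for the storage names Word and Excel use for VBA projects, checks OOXML zips for vbaProject.bin (so a .docm renamed to .docx is still caught), and builds constructed sample files to run against; the function names are mine.

```python
import io, struct, zipfile
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
VBA_STORAGES = {"macros", "_vba_project_cur", "vba"}  # Word: Macros/VBA, Excel: _VBA_PROJECT_CUR/VBA
def ole2_directory_names(data):
    """Walk the OLE2 directory chain via the FAT (only the 109 in-header DIFAT slots are read)."""
    sec_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C):  # DIFAT slots name the FAT sectors
        if s < ENDOFCHAIN:
            fat += struct.unpack_from("<%dI" % (sec_size // 4), data, (s + 1) * sec_size)
    sec, seen = first_dir, set()
    while sec < len(fat) and sec not in seen:  # bounds check ends on ENDOFCHAIN; seen stops FAT loops
        seen.add(sec)
        for i in range(sec_size // 128):
            entry = data[(sec + 1) * sec_size + i * 128:][:128]
            nlen = struct.unpack_from("<H", entry, 64)[0]  # UTF-16 name length in bytes, incl. NUL
            if 2 <= nlen <= 64:
                yield entry[:nlen - 2].decode("utf-16-le", "replace")
        sec = fat[sec]

def has_vba_macros(data):
    """True for a legacy OLE2 file holding a VBA storage, or an OOXML zip carrying vbaProject.bin."""
    if data.startswith(OLE_MAGIC):
        return any(n.lower() in VBA_STORAGES for n in ole2_directory_names(data))
    if data.startswith(b"PK"):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    return False

def build_ole2_sample(names):  # constructed sample: header, FAT in sector 0, directory in sector 1
    hdr = bytearray(OLE_MAGIC) + bytearray(504)
    struct.pack_into("<HH", hdr, 0x1E, 9, 6)  # 512-byte sectors, 64-byte mini sectors
    struct.pack_into("<II", hdr, 0x2C, 1, 1)  # one FAT sector; directory chain starts at sector 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *[0xFFFFFFFF] * 108)  # DIFAT: the FAT lives in sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[0xFFFFFFFF] * 126)  # FATSECT, chain end
    dirsec = bytearray(512)
    for i, name in enumerate(["Root Entry"] + list(names)):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        dirsec[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", dirsec, i * 128 + 64, len(raw), 5 if i == 0 else 1)  # name len, type
    return bytes(hdr) + fat + bytes(dirsec)

def build_ooxml_sample(with_macros):  # constructed sample: vbaProject.bin only when macro-enabled
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in ["word/document.xml"] + (["word/vbaProject.bin"] if with_macros else []):
            z.writestr(name, OLE_MAGIC)  # stub contents, not a real document part
    return buf.getvalue()
```

A truncated or malformed file raises struct.error or zipfile.BadZipFile; a mail filter should treat that as "unparseable", not as "clean".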
 
Hello,

A user asked me in a PM how I did it. I will leave my notes here.

Create template /etc/pmg/templates/clamd.conf.in from /var/lib/pmg/templates/clamd.conf.in.

Open the template file and add these lines:
OLE2BlockMacros true
DetectPUA true

Comment this line:
#DetectPUA false

Apply this patch:
Code:
--- /usr/bin/pmg-smtp-filter.orig    2018-03-29 14:13:11.147862186 -0400
+++ /usr/bin/pmg-smtp-filter    2018-03-29 14:13:30.951780540 -0400
@@ -674,8 +674,8 @@
    # test for virus first
    my $vinfo = PMG::Utils::analyze_virus(
        $queue, $queue->{dataname}, $pmg_cfg, $opt_testmode);
-
-    if ($vinfo && $vinfo =~ m/^Heuristics\.(.+)$/) {
+    #if ($vinfo && $vinfo =~ m/^Heuristics\.(.+)$/) {
+    if ($vinfo && $vinfo =~ m/^Heuristics\.(.+)$/ && $vinfo !~ m/^Heuristics\.OLE2\.ContainsMacros/) {
        my $hit = $1;
        $queue->{clamav_heuristic} = $hit;
        $vinfo = undef;
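
Review bot: the `+    #if ($vinfo && $vinfo =~ m/^Heuristics\.(.+)$/) {` line keeps the old condition as dead commented-out code beside its replacement; drop it, and also drop the whitespace-only removal of the blank line before the `if`, since both only make the patch harder to re-apply after each PMG update. The new exclusion `$vinfo !~ m/^Heuristics\.OLE2\.ContainsMacros/` is safe for the `my $hit = $1;` line that follows: a failed `!~` match leaves `$1` from the preceding successful `=~` match untouched, so the heuristic name is still captured on the path that enters the block.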

The patch should be applied again after each PMG update.
 
Thanks for the update. As for the patch, would that be a bash script?
 
I have 3 PMG 6.2.3 installations.
It works on 1 PMG (it was an upgrade from 6.0);
the other two were new installations with 6.2, I think.