Block macros document in proxmos email gateway
- Thread starter sanojs
- Start date
hi,
you can edit
keep in mind, i think your goal is to block malicious word macros - but this will mark document as malicious if it detects a macro.
this is already enabled in PMG by default.
have you tested it?
you can configure a heuristic score and configure the rules to do an action of your choosing (like block)
/etc/clamav/clamd.conf and add: OLE2BlockMacros truekeep in mind, i think your goal is to block malicious word macros - but this will mark document as malicious if it detects a macro.
this is already enabled in PMG by default.
ScanOLE2 optionhave you tested it?
you can configure a heuristic score and configure the rules to do an action of your choosing (like block)
Last edited:
hi,
check the admin guide section for quarantine [0] management.
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_quarantine_2
check the admin guide section for quarantine [0] management.
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#_quarantine_2
I have done the OLE2BlockMacros true option and restart the clamav services, but the mail are not blocking in the proxmos but the log shows it detect macros. Kindly help us to block the macros in the proxmos email gateway.
++++++++++++++++++
Sep 14 10:57:12 mailgateway postfix/smtpd[9770]: connect from unknown[192.168.3.201]
Sep 14 10:57:13 mailgateway postfix/smtpd[9770]: 75B5FC1246: client=unknown[192.168.3.201]
Sep 14 10:57:13 mailgateway postfix/cleanup[12301]: 75B5FC1246: message-id=<4d6e01d68a64$43910af0$cab320d0$@abcd.com>
Sep 14 10:57:14 mailgateway postfix/smtpd[9770]: disconnect from unknown[192.168.3.201] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 14 10:57:14 mailgateway postfix/qmgr[708]: 75B5FC1246: from=<dhinil@abcd.com>, size=71000, nrcpt=1 (queue active)
Sep 14 10:57:50 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: new mail message-id=<4d6e01d68a64$43910af0$cab320d0$@abcd.com>
Sep 14 10:57:50 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: virus detected: Heuristics.OLE2.ContainsMacros (clamav)
Sep 14 10:57:58 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: SA score=1/5 time=7.523 bayes=0 autolearn=ham autolearn_force=no hits=ClamAVHeuristics(3),AWL(0.210),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_IMAGE_ONLY_32(0.001),HTML_MESSAGE(0.001),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),URIBL_BLOCKED(0.001)
Sep 14 10:57:58 mailgateway postfix/smtpd[12079]: connect from localhost.localdomain[127.0.0.1]
Sep 14 10:57:58 mailgateway postfix/smtpd[12079]: 5BC8CC125C: client=localhost.localdomain[127.0.0.1], orig_client=unknown[192.168.3.201]
Sep 14 10:57:58 mailgateway postfix/cleanup[12650]: 5BC8CC125C: message-id=<4d6e01d68a64$43910af0$cab320d0$@abcd.com>
Sep 14 10:57:58 mailgateway postfix/qmgr[708]: 5BC8CC125C: from=<dhinil@abcd.com>, size=72381, nrcpt=1 (queue active)
Sep 14 10:57:58 mailgateway postfix/smtpd[12079]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 14 10:57:58 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: accept mail to <dhanesh.k@xyx.com> (5BC8CC125C)
Sep 14 10:57:58 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: processing time: 8.24 seconds (7.523, 0.243, 0)
Sep 14 10:57:58 mailgateway postfix/lmtp[11592]: 75B5FC1246: to=<dhanesh.k@xyx.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=45, delays=0.9/36/0.05/8.3, dsn=2.5.0, status=sent (250 2.5.0 OK (C121F5F5F146E3BB30))
Sep 14 10:57:58 mailgateway postfix/qmgr[708]: 75B5FC1246: removed
Sep 14 10:57:58 mailgateway postfix/smtp[11378]: 5BC8CC125C: to=<dhanesh.k@xyx.com>, relay=192.168.3.201[192.168.3.201]:25, delay=0.29, delays=0.12/0/0.04/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0DA6B1096015E)
Sep 14 10:57:58 mailgateway postfix/qmgr[708]: 5BC8CC125C: removed
++++++++++++++++++
++++++++++++++++++
Sep 14 10:57:12 mailgateway postfix/smtpd[9770]: connect from unknown[192.168.3.201]
Sep 14 10:57:13 mailgateway postfix/smtpd[9770]: 75B5FC1246: client=unknown[192.168.3.201]
Sep 14 10:57:13 mailgateway postfix/cleanup[12301]: 75B5FC1246: message-id=<4d6e01d68a64$43910af0$cab320d0$@abcd.com>
Sep 14 10:57:14 mailgateway postfix/smtpd[9770]: disconnect from unknown[192.168.3.201] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
Sep 14 10:57:14 mailgateway postfix/qmgr[708]: 75B5FC1246: from=<dhinil@abcd.com>, size=71000, nrcpt=1 (queue active)
Sep 14 10:57:50 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: new mail message-id=<4d6e01d68a64$43910af0$cab320d0$@abcd.com>
Sep 14 10:57:50 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: virus detected: Heuristics.OLE2.ContainsMacros (clamav)
Sep 14 10:57:58 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: SA score=1/5 time=7.523 bayes=0 autolearn=ham autolearn_force=no hits=ClamAVHeuristics(3),AWL(0.210),BAYES_00(-1.9),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DKIM_VALID_EF(-0.1),HTML_IMAGE_ONLY_32(0.001),HTML_MESSAGE(0.001),RCVD_IN_DNSWL_NONE(-0.0001),RCVD_IN_MSPIKE_H2(-0.001),SPF_HELO_NONE(0.001),URIBL_BLOCKED(0.001)
Sep 14 10:57:58 mailgateway postfix/smtpd[12079]: connect from localhost.localdomain[127.0.0.1]
Sep 14 10:57:58 mailgateway postfix/smtpd[12079]: 5BC8CC125C: client=localhost.localdomain[127.0.0.1], orig_client=unknown[192.168.3.201]
Sep 14 10:57:58 mailgateway postfix/cleanup[12650]: 5BC8CC125C: message-id=<4d6e01d68a64$43910af0$cab320d0$@abcd.com>
Sep 14 10:57:58 mailgateway postfix/qmgr[708]: 5BC8CC125C: from=<dhinil@abcd.com>, size=72381, nrcpt=1 (queue active)
Sep 14 10:57:58 mailgateway postfix/smtpd[12079]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Sep 14 10:57:58 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: accept mail to <dhanesh.k@xyx.com> (5BC8CC125C)
Sep 14 10:57:58 mailgateway pmg-smtp-filter[12671]: C121F5F5F146E3BB30: processing time: 8.24 seconds (7.523, 0.243, 0)
Sep 14 10:57:58 mailgateway postfix/lmtp[11592]: 75B5FC1246: to=<dhanesh.k@xyx.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=45, delays=0.9/36/0.05/8.3, dsn=2.5.0, status=sent (250 2.5.0 OK (C121F5F5F146E3BB30))
Sep 14 10:57:58 mailgateway postfix/qmgr[708]: 75B5FC1246: removed
Sep 14 10:57:58 mailgateway postfix/smtp[11378]: 5BC8CC125C: to=<dhanesh.k@xyx.com>, relay=192.168.3.201[192.168.3.201]:25, delay=0.29, delays=0.12/0/0.04/0.13, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 0DA6B1096015E)
Sep 14 10:57:58 mailgateway postfix/qmgr[708]: 5BC8CC125C: removed
++++++++++++++++++
documents with OLE macros are detected by ClamAV as heuristics - and these Heuristic matches are treated as SpamHits in PMG - you can configure how many points they receive in GUI->Configuration->SpamDetector->Heuristic Score.
Turn the score to something higher and adapt your rule system to block or quarantine such mail.
else:
this mail got -1.9 point from your activated bayes filter - if it was indeed a spammail - I would suggest to disable bayes filtering since it changes the result in the wrong direction.
URIBL_BLOCKED indicates that the DNS server configured on your PMG is over quota - consider setting up a resolving nameserver on PMG:
https://pmg.proxmox.com/wiki/index.php/DNS_server_on_Proxmox_Mail_Gateway
https://pmg.proxmox.com/wiki/index.php/Getting_started_with_Proxmox_Mail_Gateway
I hope this helps!