Detecting macro from office documents

f4242
Dec 19, 2016
Hello,

On my current mail server, I manually configured amavis over the years. I block newer macro-enabled office documents (.docm, .xlsm, ...) and I also block older office documents (.doc, .xls, ...) ONLY IF they contain macros.

With PMG, I can easily block mail if they contain newer macro-enabled documents, but I can't block mail if they contain older documents. Blocking every .doc or .xls document is not acceptable.

With my current Amavis configuration I added this:
Code:
push @av_scanners, ['Detect-VBA',
   '/usr/local/bin/detectvba.pl', "{}",
      [0], qr/BANNED/, qr/\bBANNED (.+)\b/m ];

The file detectvba.pl comes from https://github.com/technion/maia_mailguard/blob/master/scripts/detectvba.pl. I personally modified it to replace "infected" with "banned" in order to avoid users panicking when they receive legitimate files that contain macros.

Is it a feature you consider to add?

Thank you!
 
Hello,

A user asked me in PM how I did it. I will leave my notes here.

Create template /etc/pmg/templates/clamd.conf.in from /var/lib/pmg/templates/clamd.conf.in.

Open the template file and add these lines:
OLE2BlockMacros true
DetectPUA true

Comment this line:
#DetectPUA false

Apply this patch:
Code:
--- /usr/bin/pmg-smtp-filter.orig    2018-03-29 14:13:11.147862186 -0400
+++ /usr/bin/pmg-smtp-filter    2018-03-29 14:13:30.951780540 -0400
@@ -674,8 +674,8 @@
    # test for virus first
    my $vinfo = PMG::Utils::analyze_virus(
        $queue, $queue->{dataname}, $pmg_cfg, $opt_testmode);
-
-    if ($vinfo && $vinfo =~ m/^Heuristics\.(.+)$/) {
+    #if ($vinfo && $vinfo =~ m/^Heuristics\.(.+)$/) {
+    if ($vinfo && $vinfo =~ m/^Heuristics\.(.+)$/ && $vinfo !~ m/^Heuristics\.OLE2\.ContainsMacros/) {
        my $hit = $1;
        $queue->{clamav_heuristic} = $hit;
        $vinfo = undef;
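Review bot: the added `!~ m/^Heuristics\.OLE2\.ContainsMacros/` on the `+    if (...)` line keeps that one heuristic out of the "downgrade heuristic to a non-virus hit" branch, so `$vinfo` stays set and the message takes the normal virus path; that is what blocks the macro documents, but it also means a legitimate macro document is reported to the recipient as a virus, the same "infected" wording the first post modified detectvba.pl to avoid. The `$hit = $1` on the next line is still correct because a failed `!~` match does not clear `$1` from the preceding successful match. Two smaller points: the old condition is left behind as a `#if (...)` comment, delete it instead of keeping dead code; and since this edits the packaged /usr/bin/pmg-smtp-filter, keep the change as this unified diff and reapply it with `patch` after upgrades rather than re-editing by hand.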

The patch should be applied again after each PMG update.
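The template step above is the part that is easy to get wrong on a re-run (a duplicated line or an uncommented `DetectPUA false` left behind). The following POSIX shell script is an added example, not code from the post or from Proxmox: it derives the override template from the packaged one with the two settings from the post, checks the result, and is safe to run repeatedly. The function names and the constructed sample template are mine; the real source is /var/lib/pmg/templates/clamd.conf.in and the real destination is /etc/pmg/templates/clamd.conf.in.

```shell
#!/bin/sh
# Added example (not from the thread): build the PMG override template
# /etc/pmg/templates/clamd.conf.in from the packaged template with the
# settings described in the post. Idempotent: running it on its own output
# does not duplicate lines.
set -eu

# Usage: make_macro_template SRC DST
# SRC is the packaged clamd.conf.in, DST the override under /etc/pmg/templates.
make_macro_template() {
    src="$1"
    dst="$2"
    # Comment out the packaged 'DetectPUA false' (the post says to comment it).
    # Lines already commented are left alone, so re-runs do not add a second '#'.
    sed 's/^DetectPUA false$/#DetectPUA false/' "$src" > "$dst"
    # Append the two settings from the post unless they are already active.
    grep -q '^OLE2BlockMacros true$' "$dst" || printf 'OLE2BlockMacros true\n' >> "$dst"
    grep -q '^DetectPUA true$' "$dst" || printf 'DetectPUA true\n' >> "$dst"
}

# Returns 0 only if both settings are active and no active 'DetectPUA false'
# remains (an active 'false' later in the file would override 'true').
check_macro_template() {
    f="$1"
    grep -q '^OLE2BlockMacros true$' "$f" &&
    grep -q '^DetectPUA true$' "$f" &&
    ! grep -q '^DetectPUA false$' "$f"
}

# Demo on a constructed stand-in for the packaged template (hypothetical
# content; only the DetectPUA line matters for this example).
demo_dir=$(mktemp -d)
printf 'LogSyslog true\nScanOLE2 true\nDetectPUA false\n' > "$demo_dir/clamd.conf.in"
make_macro_template "$demo_dir/clamd.conf.in" "$demo_dir/override.conf.in"
check_macro_template "$demo_dir/override.conf.in" && echo "override template OK"
cat "$demo_dir/override.conf.in"
rm -rf "$demo_dir"
```

On a real installation, point `make_macro_template` at /var/lib/pmg/templates/clamd.conf.in and /etc/pmg/templates/clamd.conf.in, then let PMG regenerate clamd.conf as it normally does from the override. The check function is the thing to keep: run it after each PMG update alongside re-applying the pmg-smtp-filter patch, so a silently reset template is noticed before macro documents start passing again.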
Thanks for the update. As for the patch, would that be a bash script?
 
I have 3 PMG 6.2.3 installations.
It works on 1 PMG (it was an upgrade from 6.0).
The other two were new installations with 6.2, I think.
 