[SOLVED] Virus passing Through

james_bond

Oct 19, 2021
Hi,
Today our mail system caught a virus that PMG didn't catch:
VIRUS ALERT

Our content checker found
virus: Heuristics.OLE2.ContainsMacros.XLM

in an email to you from probably faked sender:
?@[116.80.12.2]
claiming to be: <info@king-trading.jp>

Content type: Virus
Our internal reference code for your message is 18560-14/BoJsb4Pn_361

It passed through our PMG server.
Maybe this is something I need to configure (?).

Thanks,
 
Hi @hata_ph ,
PMG did not detect it; the mail server behind PMG did.
I expected PMG to detect it, I even have the securiteinfo.com signatures on it.

Thanks,
 
Scan the virus using clamscan in a terminal and provide the output.

Code:
clamscan -v virusfile
 
Hi @hata_ph ,
Here's the results:

Code:
 clamscan -v 696497340054.xls
Scanning /root/696497340054.xls
/root/696497340054.xls: OK

----------- SCAN SUMMARY -----------
Known viruses: 8617628
Engine version: 0.103.5
Scanned directories: 0
Scanned files: 1
Infected files: 0
Data scanned: 0.20 MB
Data read: 0.07 MB (ratio 3.00:1)
Time: 75.506 sec (1 m 15 s)
Start Date: 2022:06:08 11:41:01
End Date:   2022:06:08 11:42:17

Thanks,
 
Scanned files: 1 Infected files: 0
So ClamAV did not detect the macro, and that's why it passed the filter.

If ClamAV does not detect it there's not much you can do... maybe in the mail logs you could see the spam score this mail received and adapt your rules there.

It passed through our PMG server.
Maybe this is something I need to configure (?).
You can add, for example, another virus scanner (Avast) to PMG [0], which might be more effective.

[0]: https://pmg.proxmox.com/wiki/index.php/Install_Avast
 
Hi @oguz ,

The mail server uses the same engine (clamav) and detected it.
So the problem is not the virus scanner.

Thanks,
 
Hi @hata_ph ,

PMG:
Code:
clamd --version
ClamAV 0.103.5/26566/Wed Jun  8 05:05:45 2022

Email Server:
Code:
clamav-0.103.2-1.el7.x86_64

Thanks,
 
Show the content of /etc/pmg/templates/freshclam.conf.in or /var/lib/pmg/templates/freshclam.conf.in in your PMG.
Show the content of /var/lib/clamav directory on both PMG and mail server.
Run freshclam -v status on both systems and post the output.
 
Show the content of /etc/pmg/templates/freshclam.conf.in or /var/lib/pmg/templates/freshclam.conf.in in your PMG
I guess the answer is rather in clamd.conf.in:
the default config we ship does not have:
Code:
AlertOLE2Macros true

If you want to get a heuristics match (which in turn will be used by PMG to increase the spam score by the Heuristics score), enable it in clamd.conf.in (follow the reference documentation):
https://pmg.proxmox.com/pmg-docs/pmg-admin-guide.html#pmgconfig_template_engine

I hope this helps!
 
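The reply above points at the AlertOLE2Macros directive in clamd.conf.in and at the template engine for applying it. The script below is an added example, not PMG's or ClamAV's own code: it checks whether a clamd.conf(.in) text enables the OLE2 macro heuristic under either the current spelling (AlertOLE2Macros) or the older one (OLE2BlockMacros), parses the boolean the way ClamAV accepts it (yes/no, true/false, 1/0), and sets the directive idempotently, rewriting a commented-out line rather than appending a second copy. The function names and the sample configuration text are the example's own; the path and apply step (copy the shipped template to /etc/pmg/templates/ and run pmgconfig sync --restart 1) follow the linked admin guide and the later posts in this thread.

```python
"""Audit and set ClamAV's OLE2 macro heuristic in a clamd.conf(.in) text.

Added example, not PMG's or ClamAV's own code. It edits file contents only;
where the template lives and how PMG applies it come from the thread.
"""
import re
import sys

# Spellings ClamAV accepts for a boolean directive value.
TRUE_WORDS = {"yes", "true", "1"}
FALSE_WORDS = {"no", "false", "0"}

# Current name first; OLE2BlockMacros is the older spelling of the same switch.
MACRO_DIRECTIVES = ("AlertOLE2Macros", "OLE2BlockMacros")

DIRECTIVE_RE = re.compile(r"^(?P<name>[A-Za-z0-9]+)[ \t]+(?P<value>\S+)[ \t]*$")


def parse_directives(text):
    """Map active (uncommented) single-value directives to their value.

    Assumption made by this example: a repeated directive keeps its last value.
    """
    found = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(stripped)
        if m:
            found[m["name"]] = m["value"]
    return found


def macro_alerting_enabled(text):
    """True if either macro directive is switched on; ValueError on a bad value."""
    directives = parse_directives(text)
    for name in MACRO_DIRECTIVES:
        value = directives.get(name)
        if value is None:
            continue
        lowered = value.lower()
        if lowered in TRUE_WORDS:
            return True
        if lowered not in FALSE_WORDS:
            raise ValueError(f"{name}: unrecognised boolean {value!r}")
    return False


def set_directive(text, name, value):
    """Return text with `name value` in place of every existing line for it.

    Active and commented-out lines for the directive are rewritten (all of
    them, so no later line can override the new value); if none exists the
    directive is appended. Running it twice leaves the text unchanged.
    """
    line_re = re.compile(
        rf"^[ \t]*#?[ \t]*{re.escape(name)}[ \t]+\S+[ \t]*$", re.MULTILINE
    )
    new_line = f"{name} {value}"
    if line_re.search(text):
        return line_re.sub(new_line, text)
    if text and not text.endswith("\n"):
        text += "\n"
    return text + new_line + "\n"


if __name__ == "__main__":
    # Usage: clamd_macros.py /etc/pmg/templates/clamd.conf.in [--set]
    path = sys.argv[1]
    with open(path) as fh:
        conf = fh.read()
    if "--set" in sys.argv[2:]:
        conf = set_directive(conf, "AlertOLE2Macros", "true")
        with open(path, "w") as fh:
            fh.write(conf)
    state = "on" if macro_alerting_enabled(conf) else "off"
    print(f"{path}: macro alerting {state}")
```

Run it against the copy in /etc/pmg/templates/ (never against the shipped copy under /var/lib/pmg/templates/, which package updates overwrite), then apply the template with pmgconfig sync --restart 1 so clamd actually reloads the setting; re-scanning the same attachment with clamscan afterwards confirms the heuristic now fires.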
If I'm not mistaken, the custom virus definition download for ClamAV is set in freshclam.conf.cf, right?
Yes, the additional signatures are in freshclam.conf(.in), but I assumed that the issue is with the ClamAV setting for AlertOLE2Macros.
 
This works for me!!! Thank you!
I added and resent the file and it got caught by PMG.
Glad that we found the issue :) - please mark the thread as 'SOLVED' (this helps others who also run into this question).
 
Hi,

This is the right way to do it:
Code:
mkdir /etc/pmg/templates/
cp /var/lib/pmg/templates/clamd.conf.in /etc/pmg/templates/
Edit /etc/pmg/templates/clamd.conf.in and add to the end of the file:
Code:
OLE2BlockMacros yes
Restart the service:
Code:
systemctl restart clamav-daemon.service

Thanks,
 
Hello, I was having the same issue: an XLS file containing a virus via macros was allowed through our PMG. Fortunately our secondary AV and AV Outlook plugin detected it and blocked it. I followed the instructions in this forum and now ClamAV detects it as a virus, but it still allows it through and it is delivered?!

Code:
Nov 9 13:34:17 mailgate postfix/smtpd[3567445]: connect from mail.server.tld[192.178.2.3]
Nov 9 13:34:18 mailgate postfix/smtpd[3567445]: Anonymous TLS connection established from mail.server.tld[192.178.2.3]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
Nov 9 13:34:18 mailgate postfix/smtpd[3567445]: NOQUEUE: client=mail.server.tld[192.178.2.3]
Nov 9 13:34:18 mailgate pmg-smtp-filter[3566792]: 1A1D52654CD1CA700DF: new mail message-id=<000201da1309$0c22c690$246853b0$@domain.com>#012
Nov 9 13:34:18 mailgate pmg-smtp-filter[3566792]: 1A1D52654CD1CA700DF: virus detected: Heuristics.OLE2.ContainsMacros.VBA (clamav)
Nov 9 13:34:18 mailgate postfix/smtpd[3566362]: connect from localhost.localdomain[127.0.0.1]
Nov 9 13:34:18 mailgate postfix/smtpd[3566362]: CEF6FE1209: client=localhost.localdomain[127.0.0.1], orig_client=mail.server.tld[192.178.2.3]
Nov 9 13:34:18 mailgate postfix/cleanup[3566363]: CEF6FE1209: message-id=<000201da1309$0c22c690$246853b0$@domain.com>
Nov 9 13:34:19 mailgate postfix/qmgr[1799800]: CEF6FE1209: from=<marcus@domain.com>, size=1793504, nrcpt=1 (queue active)
Nov 9 13:34:19 mailgate pmg-smtp-filter[3566792]: 1A1D52654CD1CA700DF: accept mail to <user@testdomain.tld> (CEF6FE1209) (rule: default-accept)
Nov 9 13:34:19 mailgate postfix/smtpd[3566362]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Nov 9 13:34:19 mailgate postfix/smtp[3566787]: Trusted TLS connection established to 172.60.3.4[172.60.3.4]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)
Nov 9 13:34:19 mailgate pmg-smtp-filter[3566792]: 1A1D52654CD1CA700DF: processing time: 0.548 seconds (0, 0.19, 0)
Nov 9 13:34:19 mailgate postfix/smtpd[3567445]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (1A1D52654CD1CA700DF); from=<marcus@domain.com> to=<user@testdomain.tld> proto=ESMTP helo=<mail.domain.com>
Nov 9 13:34:19 mailgate postfix/smtpd[3567445]: disconnect from mail.server.tld[192.178.2.3] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
Nov 9 13:34:19 mailgate postfix/smtp[3566787]: CEF6FE1209: to=<user@testdomain.tld>, relay=172.60.3.4[172.60.3.4]:25, delay=0.6, delays=0.21/0/0.06/0.33, dsn=2.6.0, status=sent (250 2.6.0 <000201da1309$0c22c690$246853b0$@domain.com> [InternalId=135909945114789, Hostname=srvex2013.adriacongrex.it] Queued mail for delivery)
Nov 9 13:34:19 mailgate postfix/qmgr[1799800]: CEF6FE1209: removed

I inserted the following parameters into /var/lib/pmg/templates/clamd.conf.in:
Code:
AlertOLE2Macros true
OLE2BlockMacros yes

I then wrote the changes via the command:
Code:
pmgconfig sync --restart 1

After this, it finally shows the log above, that is, it shows it as a virus; however, it isn't blocking the mail or removing the attachment. What am I missing?

Thank you.
 
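What the log in the last post shows, read line by line: pmg-smtp-filter reports "virus detected: Heuristics.OLE2.ContainsMacros.VBA (clamav)" for filter ID 1A1D52654CD1CA700DF and, one second later, "accept mail to <user@testdomain.tld> (CEF6FE1209) (rule: default-accept)" for the same ID, so the attachment was scanned and flagged, and the message was then accepted by the default accept rule and relayed. That is consistent with the earlier reply in this thread that a heuristics match is used to raise the spam score rather than to trigger a virus block. The script below is an added example, not from the thread or from Proxmox: it correlates pmg-smtp-filter lines per filter ID and lists messages that were flagged yet accepted, marking those where every hit was a Heuristics.* result so they can be told apart from signature matches that slipped through. The virus and accept line formats follow the quoted log; the sample log is constructed after it, and the "block mail to" line wording and all helper names are assumptions of the example.

```python
"""Find messages that ClamAV flagged but pmg-smtp-filter still accepted.

Added example, not PMG's own code. Line formats for "virus detected" and
"accept mail to" follow the log quoted in the thread; the "block mail to"
wording is assumed and SAMPLE_LOG is constructed for this example.
"""
import re
from collections import defaultdict

# Constructed sample modeled on the quoted log (not a real capture).
SAMPLE_LOG = """\
Nov 9 13:34:18 mailgate pmg-smtp-filter[3566792]: 1A1D52654CD1CA700DF: new mail message-id=<000201da1309$0c22c690$246853b0$@domain.com>
Nov 9 13:34:18 mailgate pmg-smtp-filter[3566792]: 1A1D52654CD1CA700DF: virus detected: Heuristics.OLE2.ContainsMacros.VBA (clamav)
Nov 9 13:34:19 mailgate pmg-smtp-filter[3566792]: 1A1D52654CD1CA700DF: accept mail to <user@testdomain.tld> (CEF6FE1209) (rule: default-accept)
Nov 9 13:34:19 mailgate pmg-smtp-filter[3566792]: 1A1D52654CD1CA700DF: processing time: 0.548 seconds (0, 0.19, 0)
Nov 9 13:40:02 mailgate pmg-smtp-filter[3566792]: 2B2E63765DE2DB811EA: new mail message-id=<abc@example.test>
Nov 9 13:40:02 mailgate pmg-smtp-filter[3566792]: 2B2E63765DE2DB811EA: virus detected: Win.Test.EICAR_HDB-1 (clamav)
Nov 9 13:40:02 mailgate pmg-smtp-filter[3566792]: 2B2E63765DE2DB811EA: block mail to <user@testdomain.tld> (rule: Block Viruses)
Nov 9 13:41:10 mailgate postfix/qmgr[1799800]: CEF6FE1209: removed
"""

LINE_RE = re.compile(r"pmg-smtp-filter\[\d+\]: (?P<qid>[0-9A-F]+): (?P<event>.*)$")
VIRUS_RE = re.compile(r"^virus detected: (?P<sig>\S+) \((?P<engine>[^)]+)\)")
ACCEPT_RE = re.compile(
    r"^accept mail to <(?P<rcpt>[^>]+)> \((?P<pqid>[0-9A-F]+)\) \(rule: (?P<rule>[^)]+)\)"
)
BLOCK_RE = re.compile(r"^block mail to <(?P<rcpt>[^>]+)> \(rule: (?P<rule>[^)]+)\)")


def parse_filter_log(text):
    """Group pmg-smtp-filter events by the filter's own ID (first hex token)."""
    msgs = defaultdict(lambda: {"viruses": [], "accepted": [], "blocked": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # postfix lines and anything else are ignored
        rec, event = msgs[m["qid"]], m["event"]
        if (v := VIRUS_RE.match(event)):
            rec["viruses"].append(v["sig"])
        elif (a := ACCEPT_RE.match(event)):
            rec["accepted"].append((a["rcpt"], a["rule"]))
        elif (b := BLOCK_RE.match(event)):
            rec["blocked"].append((b["rcpt"], b["rule"]))
    return dict(msgs)


def is_heuristic(signature):
    """ClamAV heuristic results are named Heuristics.*; per the earlier reply,
    PMG uses such a hit to raise the spam score rather than as a virus match."""
    return signature.startswith("Heuristics.")


def detected_but_delivered(msgs):
    """Messages with at least one ClamAV hit that were still accepted."""
    hits = []
    for qid in sorted(msgs):
        rec = msgs[qid]
        if rec["viruses"] and rec["accepted"]:
            hits.append({
                "qid": qid,
                "signatures": rec["viruses"],
                "recipients": [rcpt for rcpt, _ in rec["accepted"]],
                "rules": sorted({rule for _, rule in rec["accepted"]}),
                "heuristic_only": all(is_heuristic(s) for s in rec["viruses"]),
            })
    return hits


if __name__ == "__main__":
    import sys
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    for hit in detected_but_delivered(parse_filter_log(text)):
        kind = "heuristic only" if hit["heuristic_only"] else "signature match"
        print(f"{hit['qid']}: {', '.join(hit['signatures'])} ({kind}) "
              f"delivered to {', '.join(hit['recipients'])} "
              f"via rule(s) {', '.join(hit['rules'])}")
```

Pipe the relevant lines of the mail log into it; a result marked "heuristic only" with rule default-accept means the message never matched a virus rule and only gained score, so the thing to check next is the spam score the message received and the threshold of the rule meant to catch it, which is what the earlier reply about the Heuristics score points at.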