[Mimedefang] [External] MS Office document macros

Vieri Di Paola vieridipaola at gmail.com
Sun Jan 26 10:10:43 EST 2020


On Sat, Jan 25, 2020 at 12:57 AM Kevin A. McGrail <kmcgrail at pccc.com> wrote:
> I'd suggest you look at SpamAssassin's new OLEVBMacro plugin with
> 3.4.3.

Nice to know spamassassin can block malicious macros in Office documents.

However, I'm not sure why it's not working for me.

I have v. 3.4.3.

# grep -r OLE /etc/mail/*
/etc/mail/spamassassin/v343.pre:# OLEVBMacro - Detects both OLE macros and VB code inside Office documents
/etc/mail/spamassassin/v343.pre:loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

# spamassassin -t t/data/spam/olevbmacro/malicemacro.eml
outputs "...has NOT identified this incoming email as spam..."

Likewise, the mimedefang code below does not trigger a spam notification:

        # MIMEDefang filter fragment: ask SpamAssassin for the score, then
        # build a star bar with one "*" per point, capped at 40 characters
        my($hits, $req, $names, $report) = spam_assassin_check();
        my($score);
        if ($hits < 40) {
            $score = "*" x int($hits);
        } else {
            $score = "*" x 40;
        }

In any case, I have a doc file with a malicious macro. I confirmed it
through Trendmicro Antivirus and Google Gmail (both detect this file
as containing a virus, supposedly EMOTET, but I haven't seen the
Trendmicro log yet to confirm).

I have an updated clamav engine with updated signatures. I even
regularly download extra signatures from
https://urlhaus.abuse.ch/downloads/urlhaus.ndb.
I tried running "clamscan my_doc_file", but ClamAV keeps reporting that it's OK.

Finally, I'm wondering if Mail::SpamAssassin::Plugin::OLEVBMacro can
block/"mark as spam" all those messages that contain an attached
Office file with macros, whether it's malicious or not. I know it's a
harsh policy, but given the fact that my ClamAV installation is unable
to detect a virus when there's supposed to be one, I'd rather go that
route.

Vieri
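An added example (not from this post, MIMEDefang or SpamAssassin) of the "quarantine any Office attachment that carries macros, malicious or not" policy asked about above, written as standalone Python rather than a mimedefang filter hook. The UTF-16 marker search for legacy OLE files is a heuristic assumption, and the sample attachments are constructed, not real documents.

```python
import io
import zipfile

# Magic bytes of the Compound File Binary format used by legacy .doc/.xls/.ppt.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CFB directory-entry names (stored UTF-16LE) that only appear when a VBA
# project is embedded. Substring search is a heuristic, not a full CFB parse;
# a production filter would run oletools' olevba instead.
OLE_VBA_MARKERS = ("_VBA_PROJECT".encode("utf-16-le"), "VBA\0".encode("utf-16-le"))

def has_office_macros(data):
    """Return (container, macros_present); container is 'ole', 'ooxml' or 'other'."""
    if data.startswith(OLE_MAGIC):
        return "ole", any(marker in data for marker in OLE_VBA_MARKERS)
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return "other", False
        if "[Content_Types].xml" not in names:
            return "other", False  # a plain zip, not an Office package
        # OOXML stores the whole VBA project in one part, e.g. word/vbaProject.bin
        return "ooxml", any(n.lower().endswith("vbaproject.bin") for n in names)
    return "other", False

def macro_verdict(attachments):
    """'Any macro means quarantine' policy over (filename, bytes) pairs;
    returns the offending filenames regardless of what AV or SA scored."""
    return [name for name, body in attachments if has_office_macros(body)[1]]

# Constructed sample attachments (not real documents or malware): just enough
# structure to exercise each branch.
def build_ooxml(with_macros):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\0" * 64)
    return buf.getvalue()

def build_ole(with_macros):
    body = OLE_MAGIC + b"\0" * 504  # header only, not a valid CFB tree
    return body + ("_VBA_PROJECT\0".encode("utf-16-le") if with_macros else b"")

SAMPLE = [("quote.docm", build_ooxml(True)), ("memo.docx", build_ooxml(False)),
          ("invoice.doc", build_ole(True)), ("notes.txt", b"plain text")]
if __name__ == "__main__":
    print(macro_verdict(SAMPLE))  # ['quote.docm', 'invoice.doc']
```

Because the decision keys on macro presence rather than a signature match, a sample that ClamAV and SpamAssassin both score clean is still caught, which is the trade-off the policy accepts.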
