[Rspamd-Users] rspamd 1.79 and clamav
Carsten Rosenberg
cr at ncxs.de
Thu Nov 15 14:49:08 UTC 2018
ClamAV has a heuristic detection for Office Macros:
patterns {
    # symbol_name = "pattern";
    CLAM_JUST_EICAR = "^Eicar-Test-Signature$";
    CLAM_OLE2_VBA_MACRO = "^Heuristics\.OLE2\.ContainsMacros$";
}
And add ScanOLE2 true to clamd config + set a score for
CLAM_OLE2_VBA_MACRO. This is not a bulletproof detection, but it may help.
--
Carsten
On 15.11.18 12:48, Markus Rosjat wrote:
> Hi again,
>
> On 14.11.2018 at 12:30, Markus Rosjat wrote:
>> Hi all,
>>
>> I try to use clamav with rspamd and put the antivirus.conf in
>> override.d with the following content:
>>
>> clamav {
>>     attachments_only = false;
>>     symbol = "CLAM_VIRUS";
>>     type = "clamav";
>>     action = "reject";
>>     servers = "/var/run/clamav/clamd.socket";
>>     patterns {
>>         JUST_EICAR = '^Eicar-Test-Signature$';
>>     }
>>     whitelist = "/etc/rspamd/white/antivirus.map";
>> }
>>
>> When I do a test with an eicar sig the mail gets rejected and I see it
>> used the JUST_EICAR pattern.
>> But if I actually try to deliver a mail with a doc that is clearly
>> not clean it seems rspamd doesn't seem to care.
>> So the question is: do I need to add more patterns or is there something I
>> miss in general?
>>
>> regards
>>
>
> It seems after I also installed sanesecurity sigs clamav is doing its
> work; at least I can see some results in the logs.
>
> regards
>
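
An offline check of the pattern map from the reply above, added here as an example and not part of the original thread or of rspamd's own code: it models how a clamd reply line is reduced to a signature name and mapped to a symbol, with unmatched names falling back to the rule's default symbol. The reply format handling, the first-match rule and the sample signature names are assumptions of this sketch.

```python
import re

# Pattern map as given in the reply above (symbol -> regex on the signature name).
PATTERNS = {
    "CLAM_JUST_EICAR": r"^Eicar-Test-Signature$",
    "CLAM_OLE2_VBA_MACRO": r"^Heuristics\.OLE2\.ContainsMacros$",
}
DEFAULT_SYMBOL = "CLAM_VIRUS"  # the rule's `symbol` from the quoted config

# Assumed clamd stream reply: "stream: <name> FOUND" for a hit, "stream: OK" if clean.
CLAMD_FOUND = re.compile(r"^stream: (.+) FOUND$")


def signature_from_reply(reply):
    """Return the signature name from a clamd reply, or None if nothing was found."""
    m = CLAMD_FOUND.match(reply.rstrip("\0\r\n"))
    return m.group(1) if m else None


def symbol_for(signature, patterns=PATTERNS, default=DEFAULT_SYMBOL):
    """Model: the first matching pattern names the symbol, otherwise the default."""
    for symbol, regex in patterns.items():
        if re.search(regex, signature):
            return symbol
    return default


def classify(reply):
    """Map one clamd reply to (symbol, signature), or None for a clean result."""
    sig = signature_from_reply(reply)
    return None if sig is None else (symbol_for(sig), sig)


# Constructed sample replies (not captured from a real clamd).
SAMPLES = [
    "stream: Eicar-Test-Signature FOUND\0",
    "stream: Heuristics.OLE2.ContainsMacros FOUND\0",
    "stream: Sanesecurity.Constructed.Sample.1 FOUND\0",  # made-up signature name
    "stream: HeuristicsXOLE2XContainsMacros FOUND\0",     # only an unescaped "." would match
    "stream: OK\0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(repr(line), "->", classify(line))
```

Signature names that match no pattern, such as third-party signatures, end up under the default symbol, so only the names listed in `patterns` can be scored separately.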