[Rspamd-Users] Another question regarding oletools
Carsten Rosenberg
cr at ncxs.de
Tue Jul 9 17:42:56 UTC 2019
Hey,
We have an issue with the delayed_scan mode and postfilter symbols here.
You stay with delayed_scan (oletools will only be called if the score is
between 0 and 2*reject_score) using composites:

  OLETOOLS_C {
    expression = "OLETOOLS";
    score = 15.0;
  }

Or you disable delayed_scan using

  delayed_scan = false;
  symbol_type = "normal";

in the oletools block in external_services.conf
--
Carsten
On 09.07.19 12:03, Thomas Plant via Users wrote:
> Hi,
>
> I have another question about oletools. I do not get any score when
> oletools discovers something bad in an office document. Shouldn't it
> assign a score > 1 for the example below? In the rspamd symbols I see
> the following:
>
> OLETOOLS(0.00){AutoExec + Suspicious (Workbook_Open,Shell,Chr);}
>
> And in local.d/external_services_group.conf I have:
>
> symbols = {
>   "OLETOOLS" {
>     weight = 1.1;
>     description = "OLETOOLS found a Macro";
>   }
> }
>
> What am I getting wrong?
>
> Greetings,
> Thomas
>