Koozali.org: home of the SME Server

block mails by attachments pattern

willdoicu

block mails by attachments pattern
« on: August 19, 2016, 09:01:47 AM »
Hello,
In the last few days I have had some problems with a pattern that looks like this:
UEsDBBQABgAIAAAAIQB+OOx6hwEAAK0FAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC

It's a .docm attachment, and it does contain a malicious macro. The problem is the "+" character in the middle of the pattern. If I try to block the whole pattern, the server (SME 9.1) won't. As a result only the characters before the "+" work, and .xlsx files would be blocked too.
Any idea?

warren

Re: block mails by attachments pattern
« Reply #1 on: August 19, 2016, 12:18:46 PM »
Check this thread: https://forums.contribs.org/index.php/topic,52217.msg268321.html#msg268321

You can then block files that contain macros (*.docm).

I've found that if you have a block for ZIPV1 enabled, then you end up blocking (*.docx & *.xlsx) files, as they are basically zip files.

So remove the block for ZIPV1.

So in server-manager remove: E-mail => E-mail settings => Change e-mail filtering settings => Content to block => Zip archive data, at least v1.0 to extract

Then:
Enable the checking / blocking of OLE2BlockMacros via the link above:
Code:
# create a custom template fragment for clamd.conf
mkdir -p /etc/e-smith/templates-custom/etc/clamd.conf/
cd /etc/e-smith/templates-custom/etc/clamd.conf/
# the fragment contains the single line shown below
nano 25OLE2BlockMacros

OLE2BlockMacros yes

Save file and exit.
# expand the templates and restart the services
signal-event post-upgrade
signal-event reboot
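
The base64 line quoted in the opening post and the ZIPV1 / OLE2BlockMacros distinction made in this reply, worked through in Python as an added example (not code from the thread, from SME Server or from ClamAV). It decodes the quoted line to show that it is an ordinary ZIP local file header, whose first eight base64 characters any ZIP written as version 2.0 (Office .docx, .xlsx and .docm alike) shares; it shows why the "+" breaks a regex built from the raw pattern; and it classifies two constructed in-memory OOXML-style zips by whether they carry a vbaProject.bin part, which is the OLE2 container that macro blocking targets. The sample zips, their part names and the name-only check are assumptions and simplifications for illustration.

```python
"""Added example (not from the forum thread or from SME Server): why a base64
attachment pattern is fragile, and how a macro-bearing OOXML file differs from
a plain .docx/.xlsx even though both are ZIP containers."""
import base64
import io
import re
import struct
import zipfile

# First base64 line of the attachment quoted in the opening post.
THREAD_PATTERN = (
    "UEsDBBQABgAIAAAAIQB+OOx6hwEAAK0FAAATAAgCW0NvbnRlbnRfVHlwZXNdLnhtbCCiBAIooAAC"
)

# ZIP local file header: signature, version, flags, method, time, date, CRC,
# compressed size, uncompressed size, name length, extra length (30 bytes).
ZIP_LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
ZIP_SIGNATURE = b"PK\x03\x04"
# Parts that only macro-enabled Office documents contain (assumed list of the
# usual locations; the part is an OLE2 container holding the VBA project).
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")


def decode_header(b64_line):
    """Decode one base64 line and parse the ZIP local file header at its start."""
    raw = base64.b64decode(b64_line)
    (sig, version, _flags, method, _time, _date, _crc,
     csize, usize, nlen, _xlen) = ZIP_LOCAL_HEADER.unpack_from(raw)
    name = raw[ZIP_LOCAL_HEADER.size:ZIP_LOCAL_HEADER.size + nlen]
    return {
        "is_zip": sig == ZIP_SIGNATURE,
        "version": version,          # 20 = "2.0", the version deflate needs
        "method": method,            # 8 = deflate
        "compressed": csize,
        "uncompressed": usize,
        "first_name": name.decode("ascii", "replace"),
    }


def pattern_matches(pattern, text, escape):
    """Search for the pattern as a regex; unescaped, '+' is a quantifier, not a literal."""
    regex = re.escape(pattern) if escape else pattern
    return re.search(regex, text) is not None


def b64_prefix(data, length=8):
    """Base64 encoding of the first bytes, i.e. what a line-based pattern block sees."""
    return base64.b64encode(data)[:length].decode("ascii")


def build_ooxml(with_macro):
    """Constructed minimal OOXML-style zip; real Office files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Constructed stub: an OLE2 header signature followed by padding.
            zf.writestr("word/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 24)
    return buf.getvalue()


def has_vba_project(data):
    """True when the ZIP contains a VBA project part; plain .docx/.xlsx return False."""
    if not data.startswith(ZIP_SIGNATURE):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return any(part in names for part in VBA_PARTS)


if __name__ == "__main__":
    print("quoted line decodes to:", decode_header(THREAD_PATTERN))
    print("raw pattern as regex matches itself:",
          pattern_matches(THREAD_PATTERN, THREAD_PATTERN, escape=False))
    print("re.escape'd pattern matches itself:",
          pattern_matches(THREAD_PATTERN, THREAD_PATTERN, escape=True))
    for label, macro in (("docx-like", False), ("docm-like", True)):
        blob = build_ooxml(macro)
        print(f"{label}: base64 starts {b64_prefix(blob)}, "
              f"vbaProject.bin present: {has_vba_project(blob)}")
```

The decoded header names "[Content_Types].xml" as the first entry, which every OOXML package has, so a block on the shared base64 prefix is a block on all Office documents, exactly the .xlsx side effect the opening post describes. Telling a .docm from a .docx requires opening the container and looking at what is inside, which is what the OLE2BlockMacros setting in this reply delegates to ClamAV instead of the pattern filter.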

willdoicu

Re: block mails by attachments pattern
« Reply #2 on: August 24, 2016, 10:56:03 AM »
ZIPV1 is blocked on my server, but .docx and .xlsx can still be sent and received.
I'll try to block macros; anyway, some of them are detected by ClamAV with the latest definition update.
Thanks!