Alt-N Discussion Groups > MDaemon Discussion Groups > MDaemon Anti-virus Plug-in > AV option (Cyren) "Flag attachments with documents that contain macros as virus"

AV option (Cyren) "Flag attachments with documents that contain macros as virus"

Hi everyone

Tried to access Discussion Groups over the weekend, no luck. Also, got a
couple of AV Update Failed messages. Hope everything is sorted out now.

I was wondering if there is a way to get some more control over Cyren AV
option "Flag attachments with documents that contain macros as virus"?
It seems to, sometimes, reject messages (seemingly) indiscriminately. Not
quarantine, but reject. For example, attached, (safe) test.xlsm was
rejected with this option on (sent from outside, GMail, account). With
"Flag attachments..." turned off, message passes, no problem.

We do see an increased number of incoming macro-exploiting malware and
this feature is useful. But at the same time, we have legitimate
macro-containing documents which need to be allowed to pass through (AV
scanned, of course).

Is there a way to regulate this with some more precision?
Whitelist by sender or something like that. Or, at least, get it not to
reject message, but route it to quarantine/bad/holding queue (my AV
settings -> "When viruses are detected..." -> "...quarantine the entire
message to..")?

Regards

Attachments:

test.xlsm (12 KB)



Aleksandar Devecerski - Apr 13, 2021 4:49 am (#7 Total: 8)  

 

This option is good, no doubt about it, and I've been trying to keep it
enabled, but it is definitely too much trouble for me (the same is
applicable for ClamAV's option "AlertOLE2Macros"). I simply have to allow
some macro enabled documents through.

As it is, incoming messages flagged by these options wind up in
Quarantine queue and, after verifying, I release them to the recipients.
Adding approved remote users to the AntiVirus FROM exclusions resolves
need even for this.

Outgoing messages are much bigger issue. Attachments can be retrieved
from received messages, but if local user tries to reply or forward
(still containing those documents) Outlook refuses to send or even save
the message at all (some "no access" type message).
If I add local user(s) to the AntiVirus FROM exclusions they are able to
prepare/send messages containing documents with macros, but these
messages are not saved in their Sent Items.

Of course, problem with adding user(s) to AntiVirus exclusions is that
they are then excluded from AV control completely, not only for messages
with attached macro enabled documents. So potentially, if hacker faking
ID of excluded user tries to send something to us, especially if I
exclude complete remote domain (I don't know who might send us
legitimate macro enabled order or annual plan template or... whatever)
message will just go through completely unchecked.

I guess some elaborate CF rules work could handle this with elevated
degree of control, but I'm not exactly sure how to implement that. So,
I'm afraid it's back to "Flag attachments with documents that contain
macros as virus" -> OFF and "AlertOLE2Macros" -> NO for us.

BTW, we have Cyren AV heuristic level set to 5 (highest). Is there some
document describing different heuristic levels? I haven't been able to
find anything on the Net.


On 24.11.2020 16:46, Arron.Caruth@mdaemon.com (Arron Caruth) wrote:
> At this time there are no options to have more control over the option for "flag attachments with documents that contain macros as virus."
>
> Xlsm is the extension used by Excel to save documents that contain macros. I would expect any XLSM file to contain macros and to be flagged as a virus if you have the option enabled to flag documents that contain macros.
>
> I'll add your request to the wish list to be considered for future versions.
>
> --
> Arron Caruth
> Vice President of Product Development
> o: 817-601-3222 e: Arron.Caruth@mdaemon.com
>
> MDaemon Technologies
> Simple Secure Email
> Visit us on www.mdaemon.com | Facebook | LinkedIn | YouTube
> Sent using the MDaemon Email Server
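
The narrower policy asked for in this thread, as an added example (not part of the original posts, and not MDaemon, Cyren or ClamAV functionality): quarantine macro-bearing attachments unless the From address is approved, while approved mail stays in the normal AV scan path. The function names, addresses and sample message are constructed for illustration; detection covers OOXML files (a `vbaProject.bin` part) and only flags legacy OLE2 containers by magic bytes without parsing them.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container

def macro_kind(data: bytes) -> str:
    """Return 'vba', 'ole2' (legacy container, not parsed here) or 'none'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "none"
    # OOXML keeps the VBA project in vbaProject.bin, whatever the file extension.
    return "vba" if any(n.endswith("vbaproject.bin") for n in names) else "none"

def triage(raw: bytes, approved_senders: set) -> str:
    """'quarantine' for macro documents from unapproved senders, else 'scan'.
    'scan' = normal AV still applies; From is spoofable, so never skip it."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    for part in msg.iter_attachments():
        kind = macro_kind(part.get_payload(decode=True) or b"")
        if kind != "none" and sender not in approved_senders:
            return "quarantine"
    return "scan"

def build_sample(sender: str, with_macro: bool) -> bytes:
    """Constructed message; a minimal zip stands in for an Excel workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@example.com", "order"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="book.xlsm")
    return msg.as_bytes()

if __name__ == "__main__":
    approved = {"alice@partner.example"}
    for who in ("alice@partner.example", "stranger@unknown.example"):
        print(who, triage(build_sample(who, True), approved))
```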

Arron Caruth - Apr 13, 2021 8:28 am (#8 Total: 8)  

 
>If I add local user(s) to the AntiVirus FROM exclusions they are able to
>prepare/send messages containing documents with macros, but these
>messages are not saved in their Sent Items.
 
I ran some tests and found that IMAP sessions are not honoring the AV exclusions.  We'll look at improving it for future versions.
 
>BTW, we have Cyren AV heuristic level set to 5 (highest). Is there some
>document describing different heuristic levels? I haven't been able to
>find anything on the Net.
 
0 indicates all heuristics disabled and 5 indicates the highest heuristic level. If you use -1 then it will automatically pick a sensible default. The default will be controlled through the definition files as will the precise meaning of the specific heuristic levels.
 
--
Arron Caruth
Vice President of Product Development
o: 817-601-3222    e: Arron.Caruth@mdaemon.com

MDaemon Technologies
Simple Secure Email
Visit us on www.mdaemon.com | Facebook | LinkedIn | YouTube
Sent using the MDaemon Email Server
 

------------------------------------------------------
View/reply at <http://lists.altn.com/WebX?13@@.598638bf/6>

--MD-AV-PLUGIN-------------------------------------------------------
This list is for questions and discussion about AntiVirus plugins for
MDAEMON. To unsubscribe from this mailing list send an email to
md-av-plugin-unsubscribe@mdaemon.com .
--POWERED BY MDAEMON!------------------------------------------------

---------------------------------------------------------------------
These forums are provided by MDaemon Technologies for user-to-user
support and discussion.  MDaemon staff members may participate in the
forums periodically but please recognize that this is not the official
method of receiving technical support. To receive personal technical
support please use the form here:
http://www.mdaemon.com/Support/RequestSupport/
---------------------------------------------------------------------



