Plugins/file_types.txt got an update on CVS - RTF file detection is added

ASSP_AFC.pm 4.39 is released on CVS

lib/CorrectASSPcfg.pm got an update on CVS

.........
# use this sub to expand the executable detection of the ASSP_AFC Plugin V 4.39 and higher
#
# INPUT:
# $self - the ASSP_AFC OO object for the mail
# $skip - the possible setting to skip some executable detections (:WIN,:MSOM,MAC)
# $buf64 - the reference to a string, that contains the first 64 byte of the attachment
# $full - the reference to a string, that contains the full attachment
#
# OUTPUT:
# $type - contains an executable description if detected, otherwise it must be undef
#
#sub AFC_Executable_Detection {
#    my ($self, $skip, $buf64 , $full) = @_;
#    my $type;
#    ...
#    do your stuff here, and set $type to a value, if an executable is detected - otherwise leave $type at undef
#    for example:
#    $type = 'RTF file' if $skip !~ /:RTF/ && $$buf64 =~ /^\{\\rtf1\\/i;
#    ...
#    return $type;
#}
...... 

ASSP_AFC.pm 4.39 calls this sub, if it is available (defined). If a type 
is returned in $type by this sub, the configured action (block the mail or 
replace the MIME part) will be used.
This function can be abused, to detect any dangerous file by its content - 
even if it is not a direct executable.

for example:

$type = 'MS Office encrypted or password protected document'
    if ($skip !~ /:ENCDOC/
        && $$buf64 =~ /^\xd0\xcf\x11\xe0/
        && $$full =~ /\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00P\x00a\x00c\x00k\x00a\x00g\x00e|\x00C\x00r\x00y\x00p\x00t\x00o\x00g\x00r\x00a\x00p\x00h\x00i\x00c/);

The regex to $$buf64 detects a MS-Office document - the latter searches for 
UTF16 encoded (EncryptedPackage|Cryptographic) in the complete document.

EncryptedPackage - is used in MSO 2007 and newer versions
Cryptographic - is used in older versions of MS-Office

OpenOffice may use different tags!

Thomas
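
The hook described in the mail, filled in with both of its example checks, as an added example (not code from the mail or from the ASSP distribution). The helper utf16_pattern, the harness at the end and its sample buffers are constructed for illustration, and $self is passed as undef because these checks do not use it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: turn an ASCII word into the byte pattern used in the
# mail, i.e. a NUL byte in front of every character (UTF-16 text).
sub utf16_pattern {
    my ($word) = @_;
    (my $re = $word) =~ s/(\w)/\\x00$1/g;
    return $re;
}

my $alt    = join '|', map { utf16_pattern($_) } qw(EncryptedPackage Cryptographic);
my $enc_re = qr/$alt/;

sub AFC_Executable_Detection {
    my ($self, $skip, $buf64, $full) = @_;
    my $type;
    $skip = '' unless defined $skip;

    # RTF header in the first 64 bytes (check taken from the mail)
    $type = 'RTF file' if $skip !~ /:RTF/ && $$buf64 =~ /^\{\\rtf1\\/i;

    # MS-Office container magic in the first bytes, then the encryption
    # markers anywhere in the full attachment (check taken from the mail)
    $type = 'MS Office encrypted or password protected document'
        if !defined $type
        && $skip !~ /:ENCDOC/
        && $$buf64 =~ /^\xd0\xcf\x11\xe0/
        && $$full =~ $enc_re;

    return $type;    # undef means: nothing detected
}

# Stand-alone harness with constructed buffers (not real documents).
my $ole  = "\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" . ("\x00" x 504);
my $name = sub { pack('v*', unpack('C*', $_[0])) };    # ASCII -> UTF-16LE
my @cases = (
    [ 'rtf',                '',        '{\rtf1\ansi\deff0 test}' ],
    [ 'ole, not encrypted', '',        $ole . $name->('WordDocument') ],
    [ 'ole, encrypted',     '',        $ole . $name->('EncryptedPackage') ],
    [ 'ole, check skipped', ':ENCDOC', $ole . $name->('EncryptedPackage') ],
);
for my $c (@cases) {
    my ($label, $skip, $data) = @$c;
    my $buf64 = substr($data, 0, 64);
    my $type  = AFC_Executable_Detection(undef, $skip, \$buf64, \$data);
    printf "%-20s => %s\n", $label, defined $type ? $type : 'not flagged';
}
```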

