There is no attachment!
Macros in .docm are detected.
Tested are all Office versions up to 2013 with ALL possible document
formats.

All XML versions are compressed files - so the ZIP: entry has to be used.

Thomas
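As an added illustration of the content-based check this thread is about (it is not ASSP_AFC's own code): the classifier ignores the file extension entirely, opens anything that starts with the ZIP signature and looks for a vbaProject.bin part, and flags an OLE container that carries an EncryptedPackage stream as an encrypted OOXML document. The sample blobs are constructed inline; the OLE sample is a minimal stand-in, not a real compound file.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML is a ZIP container


def build_ooxml_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML container, with or without a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real files carry the compiled VBA project here; a placeholder suffices.
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed stand-in for an encrypted OOXML document: the encrypted package is
# wrapped in an OLE compound file whose directory names streams in UTF-16LE.
ENCRYPTED_SAMPLE = OLE_MAGIC + b"\x00" * 504 + "EncryptedPackage".encode("utf-16-le")


def classify_office_blob(data: bytes) -> str:
    """Classify an attachment by content only; the filename is never consulted."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "corrupt-zip"
        if "[Content_Types].xml" not in names:
            return "zip-not-ooxml"
        # A renamed .docm still contains the VBA part, so this catches it.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-macro"
        return "ooxml-clean"
    if data.startswith(OLE_MAGIC):
        # Heuristic: the EncryptedPackage stream name only appears in the
        # directory of an OLE-wrapped (encrypted) OOXML document.
        if "EncryptedPackage".encode("utf-16-le") in data:
            return "ole-encrypted-ooxml"
        return "ole-legacy"  # .doc/.xls/.ppt; VBA lives in a separate storage
    return "not-office"
```

Scoring or rejecting "ooxml-macro" and "ole-encrypted-ooxml" is the policy decision the thread asks for; the classifier itself only reports what the bytes contain.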





From:    K Post <nntp.p...@gmail.com>
To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
Date:    03.11.2016 20:36
Subject: Re: [Assp-test] Blocking encrypted and/or VBA embedded MS Office Docs



I'm sorry that you're getting frustrated again with me, but maybe I'm not 
being clear?  I know that AFC doesn't use the file extension to detect the 
mime type.  My point is that it's not the newer (2007 I think) word with 
macro format - docm.

My tests are showing that with exe-bin in Level 1 (which should detect and 
reject VBA macros in office files) docm files (m on the end, meaning it's a 
newer format Word with macro file) slip through ASSP. I had previously 
had docm under Level 1 too and found that renamed docm files came 
through. After removing docm as a test, I found that you don't even need 
to rename them.

It's as if AFC isn't detecting macros in the newer Word formats.  If I 
have macros in .doc files (Word 2003 and earlier) they ARE detected, 
encrypted or not!

I know how much you despise Office products, so I attached a sample docm 
file for your reference.

And last, and only semi-related, can we get an option in AFC to also 
reject encrypted office documents (even without macros)?  I know macros 
will be caught even in encrypted word 2003 and older documents, but it 
seems like spammers are trying to slip through spam content and phishing 
attempts using encrypted Office docs now too...   I wish we could just 
block Office documents altogether, but that would all but put this charity 
out of business.


On Wed, Nov 2, 2016 at 4:48 PM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> even if not encrypted seem to slip through. 

NO! 

I don't want to explain this again and again and again. 

ASSP_AFC uses a MIME-type based content detection. 

Thomas





From:    K Post <nntp.p...@gmail.com> 
To:      ASSP development mailing list <assp-test@lists.sourceforge.net> 
Date:    02.11.2016 17:28 
Subject: Re: [Assp-test] Blocking encrypted and/or VBA embedded MS Office Docs 




ASSP_OCR only processes text attachments and PDF - no word documents.

Thomas 

Is there a way to scan the content of (unencrypted) office documents for 
bad content?  Seems like the spammers are heading this route.   

Macros are not encrypted (at least the statements checked by AFC) and will 
be detected.
If not - provide me a download of such a document.

Attached, please find a Word 2016 document (xml format) that has a macro 
and is encrypted. Word has me save it as a docm file. If I attach it as 
docm it is blocked as expected. But if I rename it as .doc the message comes 
through assp, macro and all.    

Password to decrypt this document is "macro" 

The ploy here which I see often now is a message saying that the 
attachment contains important info about a bill, an account, whatever. 
Then it says that the message is encrypted for security and to use 
password ______ to open it.  If the user falls for it, there's potential 
that they'll run the vba / macro too.... 


In testing, I also found that renamed docm with macro files, even if not 
encrypted seem to slip through.  Is the AFC plugin possibly not detecting 
docm files based on content and only looking at them by extension? 

Thanks 
Ken 




On Tue, Nov 1, 2016 at 9:37 PM, K Post <nntp.p...@gmail.com> wrote: 
Missed that we already had AFC to block vba macros.  That is in fact 
working great. 

However, the new tactic is to send encrypted word documents and put the 
password in the email.  Those aren't caught, which makes sense - AFC can't 
read the file to tell that there's a macro!  Can AFC be modified to block 
for encrypted office documents? 


On Thu, Oct 27, 2016 at 10:19 PM, K Post <nntp.p...@gmail.com> wrote: 
With more and more and more attached files slipping through ClamAV's 
hands, and the majority of these being either encrypted MS Office 
documents or zero day-ish Word documents with VBA embedded, I'm wondering 
if ASSP_AFC could be modified to optionally reject/strip/score messages 
that are either: 
1) Encrypted MS Office documents and/or 
2) MS Office documents that contain VBA code. 

Related, detect PDF files with Javascript or Flash embedded?? 

(and Thomas, if you're replying to this, could you also cc me directly so 
that I get the reply - gmail is rejecting your DKIM messages that pass 
through SourceForge without SRS) 

THANKS 


------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************