Circling back on this. Please advise.

On Thu, Nov 3, 2016 at 8:50 PM, K Post <nntp.p...@gmail.com> wrote:

> I think you've found the problem with my setup then!!  Thank you for
> sticking with me.
> ----All XML versions are compressed files - so the ZIP: entry has to be
> used.
> I knew that the newer Office documents are XML and compressed, but I
> didn't know that ASSP wasn't detecting them without specifically being told
> to in UserAttach. The GUI talks about blocking MS Office VBA with exe-bin,
> and I assumed that applied to all Office documents, not just those from
> 2007 or older. Am I understanding you correctly?
>
> (I also assume that my docm file wasn't just rejected from your email
> server because you have docm in Level 1 or something?  -- that's how I was
> previously blocking these files, not with the mime detection, just straight
> file extension matching).
>
> I'm also worried that, despite having exe\-bin and DLL in level one, if
> I send myself a standard Windows DLL file, it comes through. I wonder
> if this could be something with the Windows Perl libraries not working, me
> not understanding, or another misconfiguration.
>
> Would you mind terribly posting what your zip: line that's applied to
> general users looks like from UserAttach or some more examples?  I'm
> thinking something like:
> zip:*@* => block => [[ exactly what I currently have in Level 1 ]]
> Does that make sense or am I off base?
>
> Another question:
> We have one user who has to be able to send encrypted zip files out, we
> currently have this line in UserAttach:
> zip:l...@ourcharity.org => good-out => *|crypt\-zip
>
> If I add the zip: line that blocks, in and out, my level 1/2 setting for *@*,
> how does that combine with the line for Lisa directly above? I read that
> it uses OR logic, but how does
> "For everyone, block zips that contain any level 1 blocked file including
> exe content, block encrypted zips for all, OR allow any outbound zip
> including encrypted ones for Lisa only"
> actually work? ASSP is being told to block zips with exe content OR
> allow exe zips for Lisa. Block always wins, right? If that's the case, how
> could we block all this bad stuff, block encrypted zips, but allow them for
> Lisa only?
>
>
> Thanks again.
>
>
>
>
> On Thu, Nov 3, 2016 at 5:29 PM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
>> Here is no attachment!
>> Macros in .docm are detected.
>> Tested are all Office versions up to 2013 with ALL possible document
>> formats.
>>
>> All XML versions are compressed files - so the ZIP: entry has to be used.
>>
>> Thomas
>>
>>
>>
>>
>>
>> From:        K Post <nntp.p...@gmail.com>
>> To:        ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date:        03.11.2016 20:36
>> Subject:        Re: [Assp-test] Blocking encrypted and/or VBA embedded MS Office Docs
>> ------------------------------
>>
>>
>>
>> I'm sorry that you're getting frustrated again with me, but maybe I'm not
>> being clear?  I know that AFC doesn't use the file extension to detect the
>> mime type.  My point is that it's not the newer (2007 I think) word with
>> macro format - docm.
>>
>> My tests are showing that with exe-bin in Level 1 (which should detect
>> and reject VBA macros in Office files), docm (m on the end, meaning it's
>> a newer-format Word with macro file) slips through ASSP. I had previously
>> had docm under Level 1 too and found that renamed docm files came through.
>> After removing docm as a test, I found that you don't even need to rename
>> them.
>>
>> It's as if AFC isn't detecting macros in the newer Word formats.  If I
>> have macros in .doc files (Word 2003 and earlier) they ARE detected,
>> encrypted or not!
>>
>> I know how much you despise Office products, so I attached a sample docm
>> file for your reference.
>>
>> And last, and only semi-related, can we get an option in AFC to also
>> reject encrypted office documents (even without macros)?  I know macros
>> will be caught even in encrypted word 2003 and older documents, but it
>> seems like spammers are trying to slip through spam content and phishing
>> attempts using encrypted Office docs now too...   I wish we could just
>> block Office documents altogether, but that would all but put this charity
>> out of business.
>>
>>
>> On Wed, Nov 2, 2016 at 4:48 PM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>> >even if not encrypted seem to slip through.
>>
>> NO!
>>
>> I don't want to explain this again and again and again.
>>
>> ASSP_AFC uses a MIME-type based content detection.
>>
>> Thomas
>>
>>
>>
>>
>>
>> From:        K Post <nntp.p...@gmail.com>
>> To:        ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date:        02.11.2016 17:28
>> Subject:        Re: [Assp-test] Blocking encrypted and/or VBA embedded MS Office Docs
>> ------------------------------
>>
>>
>>
>>
>> ASSP_OCR only processes text attachments and PDF - no word documents.
>>
>> Thomas
>>
>> Is there a way to scan the content of (unencrypted) office documents for
>> bad content?  Seems like the spammers are heading this route.
>>
>> Macros are not encrypted (at least the statements checked by AFC) and will
>> be detected.
>> If not - provide me a download of such a document.
>>
>> Attached, please find a Word 2016 document (XML format) that has a macro
>> and is encrypted. Word has me save it as a docm file. If I attach it as docm,
>> it is blocked as expected. But if I rename it as .doc, the message comes
>> through ASSP, macro and all.
>>
>> Password to decrypt this document is "macro"
>>
>> The ploy here which I see often now is a message saying that the
>> attachment contains important info about a bill, an account, whatever. Then
>> it says that the message is encrypted for security and to use password
>> ______ to open it.  If the user falls for it, there's potential that
>> they'll run the vba / macro too....
>>
>>
>> In testing, I also found that renamed docm with macro files, even if not
>> encrypted seem to slip through.  Is the AFC plugin possibly not detecting
>> docm files based on content and only looking at them by extension?
>>
>> Thanks
>> Ken
>>
>>
>>
>>
>> On Tue, Nov 1, 2016 at 9:37 PM, K Post <nntp.p...@gmail.com> wrote:
>> Missed that we already had AFC to block vba macros.  That is in fact
>> working great.
>>
>> However, the new tactic is to send *encrypted* word documents and put
>> the password in the email.  Those aren't caught, which makes sense - AFC
>> can't read the file to tell that there's a macro!  Can AFC be modified to
>> block for encrypted office documents?
>>
>>
>> On Thu, Oct 27, 2016 at 10:19 PM, K Post <nntp.p...@gmail.com> wrote:
>> With more and more and more attached files slipping through ClamAV's
>> hands, and the majority of these being either encrypted MS Office documents
>> or zero day-ish Word documents with VBA embedded, I'm wondering if ASSP_AFC
>> could be modified to optionally reject/strip/score messages that are
>> either:
>> 1) Encrypted MS Office documents and/or
>> 2) MS Office documents that contain VBA code.
>>
>> Related, detect PDF files with JavaScript or Flash embedded??
>>
>> (and Thomas, if you're replying to this, could you also cc me directly so
>> that I get the reply - gmail is rejecting your DKIM messages that pass
>> through SourceForge without SRS)
>>
>> THANKS
>>
>>
>>
>>
>
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
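As an added illustration (my own code, not ASSP's or AFC's) of the content-based distinction the thread turns on: an OOXML docm is a ZIP that has to be opened to find its vbaProject.bin, whatever the file is renamed to, while an encrypted OOXML document is an OLE container whose inner ZIP cannot be read, so only the encryption itself can be flagged. All function names are assumptions, the sample inputs are constructed inline, and the CFB check is a byte-scan heuristic rather than a real CFB parser.

```python
import io, zipfile

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file (legacy Office, encrypted OOXML)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML docx/docm/xlsm is a ZIP container

def classify_office(data: bytes) -> dict:
    """Classify an attachment from its bytes only; the file name is never consulted."""
    info = {"container": None, "macros": False, "encrypted": False}
    if data.startswith(ZIP_MAGIC):
        info["container"] = "ooxml-zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            info["container"] = "zip-corrupt"  # unreadable container: policy fails closed
            return info
        # Macro-enabled OOXML carries its VBA in a vbaProject.bin part inside the ZIP.
        info["macros"] = any(n.endswith("vbaproject.bin") for n in names)
    elif data.startswith(CFB_MAGIC):
        info["container"] = "ole-cfb"
        # CFB stores stream names as UTF-16LE; a raw-byte scan is a heuristic, not a parser.
        has = lambda name: name.encode("utf-16-le") in data
        # Encrypted OOXML is CFB with these two streams; the inner ZIP (and any vbaProject.bin)
        # sits inside EncryptedPackage, so its macros stay invisible until decrypted.
        info["encrypted"] = has("EncryptionInfo") and has("EncryptedPackage")
        info["macros"] = has("_VBA_PROJECT")  # legacy .doc/.xls VBA stream, never encrypted
    return info

def verdict(data: bytes) -> str:
    info = classify_office(data)
    if info["macros"]:
        return "block: embedded VBA"
    if info["encrypted"]:
        return "block: encrypted Office package"
    if info["container"] == "zip-corrupt":
        return "block: unreadable ZIP container"
    return "pass"

def make_ooxml_sample(with_macro: bool) -> bytes:
    buf = io.BytesIO()  # constructed docm/docx-like ZIP, for demonstration only
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

def make_encrypted_cfb_sample() -> bytes:
    names = "EncryptionInfo".encode("utf-16-le") + b"\x00\x00" + "EncryptedPackage".encode("utf-16-le")
    return CFB_MAGIC + b"\x00" * 504 + names  # constructed stand-in, not a valid CFB file
```

The same bytes give the same verdict no matter what extension the sender chooses, which is the behaviour the thread expects from MIME/content detection rather than extension matching.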
