Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-20 Thread Thomas Eckardt
ected documents. But if you want, have a look into the thread 'custom extension to ASSP_AFC' Thomas From: K Post <nntp.p...@gmail.com> To: ASSP development mailing list <assp-test@lists.sourceforge.net> Date: 20.10.2016 02:33 Subject: Re: [Assp-test] Password Protected &q

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Thomas Eckardt
Hmm - OK - and where is the problem? - has AFC not detected doc(xm)? - has AFC not detected MS macros? Thomas From: Grayhat <gray...@gmx.net> To: assp-test@lists.sourceforge.net Date: 19.10.2016 14:46 Subject: Re: [Assp-test] Password Protected "RTF" Files S

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Grayhat
:: On Wed, 19 Oct 2016 13:31:55 +0200 :: :: Thomas Eckardt wrote: > 4. I'm unable to password protect RTF files (tried office 2003, XP, > 2013) - password is removed I suspect

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Robert K Coffman Jr. -Info From Data Corp.
> 4. I'm unable to password protect RTF files (tried office 2003, XP, 2013) > - password is removed I suspect the .RTF file is simply a renamed .docx. Word opens and recognizes the format and doesn't acknowledge the mismatched extension. - Bob

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Thomas Eckardt
emoved 3. and 4 may be possible using another software. It would be nice to have such RTF files. Thomas From: K Post <nntp.p...@gmail.com> To: ASSP development mailing list <assp-test@lists.sourceforge.net> Date: 19.10.2016 02:20 Subject: Re: [Assp-test] Password

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Grayhat
:: On Wed, 19 Oct 2016 09:14:44 +0200 :: <20161019091444.5...@gmx.net> :: Grayhat wrote: > Ok for the sigs being up-to-date; but my point was about the "extra" > signatures offered by SaneSecurity, not the regular ones; I found that > the regular signatures are often

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-19 Thread Grayhat
:: On Tue, 18 Oct 2016 11:29:44 -0400 :: :: K Post wrote: > > I suppose that, since you're talking (ok, writing) about AFC, you're > > running ClamAV; now... are you using the extra signatures available > >

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread K Post
Thanks Bob for this research. We should be safe, even if a user opened it here, but yeah, it's possible that we wouldn't be. So the question remains, can we get AFC modified to reject encrypted/password protected Office documents - or RTF office files - altogether? The reasoning is the same

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread Robert K Coffman Jr. -Info From Data Corp.
Ok, thanks to Doug and Ken for sending me a sample. This thing simply installs a Trojan (MBAM calls it "Trojan.Agent.VBS") and then connects to server(s) to download additional Malware, if the user opens it, enters the password (and has a version of Word that recognizes it) and then enables

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread K Post
We are using up to date clamav sigs. The problem is that these files are encrypted so they're not being detected. On Tue, Oct 18, 2016 at 11:19 AM, Grayhat wrote: > :: On Tue, 18 Oct 2016 10:27:10 -0400 > ::

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread Grayhat
:: On Tue, 18 Oct 2016 17:19:55 +0200 :: <20161018171955.3...@gmx.net> :: Grayhat wrote: > :: On Tue, 18 Oct 2016 10:27:10 -0400 > :: > :: > K Post wrote: > > > VirusTotal has zero

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread Doug Lytle
>>> On Oct 18, 2016, at 11:20 AM, K Post nntp.p...@gmail.com wrote: >>> Doug, >>> So you're seeing this too! Did it just start this morning? Yes and that it did. Doug -- Check out the vibrant tech community on one of

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread Grayhat
:: On Tue, 18 Oct 2016 10:27:10 -0400 :: :: K Post wrote: > VirusTotal has zero hits on the samples that I submitted, but if > they're encrypted, that explains why... I suppose that, since you're talking

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread Doug Lytle
>>> On Oct 18, 2016, at 11:12 AM, K Post nntp.p...@gmail.com wrote: >>> organizations (some really big ones too) are seeing this on their mail >>> systems this morning too. I took the hammer approach and temporarily put it in the blocked attachment list. Doug

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread cw
Can you stick it in bombRe for now to deal with it? On Tue, Oct 18, 2016 at 3:50 PM, K Post wrote: > We're getting slammed with these now. All of the files have > uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password"> in > them. Can we block based on

Re: [Assp-test] Password Protected "RTF" Files Slipping Through

2016-10-18 Thread K Post
We're getting slammed with these now. All of the files have uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password"> in them. Can we block based on content of a file?? I'm guessing this is a new Locky, but now encrypted so scanners don't catch them. On Tue, Oct 18, 2016 at 10:27 AM, K