There is no "killswitch" for the locky virus detection.
The only way to detect these viruses is to check for:
'string.prototype.' and 'charAt' in JS code. Both statements should
never be used in an email.
If you want those mails to be passed by ASSP_AFC, you need to switch off
the 'exe-bin' detection completely for all or specific addresses/domains.
Thomas
From: "Robert K Coffman Jr. -Info From Data Corp."
<bcoff...@infofromdata.com>
To: assp-test@lists.sourceforge.net
Date: 28.07.2017 16:23
Subject: Re: [Assp-test] Attachment from "good" list blocked
The code in ASSP_AFC looks like it looks for the :CSC exception and runs
if it doesn't find it - maybe?
I added that exception to the userattach for the affected domain, but it
is still being blocked. Anyone know if this syntax is right and if the
code is doing what I think it is?
*@huntington.com => good => txt|pdf|htm|html|png|jpg|gif|doc|docx ,
block =>
ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|:CSC|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]
The "locky" message is being logged for these blocks. The attachments
are html and apparently contain some code that ASSP_AFC doesn't like.
- Bob
On 7/27/2017 1:36 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:
> I didn't define it - it is hardcoded in ASSP_AFC (in my case, 4.55).
> Part of setting up ASSP_AFC is configuring userattach, which was done
> but it looks like in this case it isn't being respected.
>
> - Bob
>
> On 7/27/2017 11:39 AM, Grayhat wrote:
>> :: On Tue, 18 Jul 2017 11:58:09 -0400
>> :: <c6cd197c-3138-909c-f75f-bec324836...@infofromdata.com>
>> :: "Robert K Coffman Jr. -Info From Data Corp."
>> <bcoff...@infofromdata.com> wrote:
>>
>>> https://pastebin.com/NKPYnZsD
>>>
>>>
>>> I have UserAttach set up for huntington.com (see bottom of the paste)
>>> but their html attachments are still being blocked. Why is that?
>>
>> Jul-18-17 09:58:09 m1-86288-10388 [Worker_1] [TLS-in] [Attachment]
>> 170.128.35.52 <some....@huntington.com> to:
>> usern...@hyperglobalmega.com SPAM FOUND bad attachment
>> 'securedoc_20170718T095806.html' cause: 'Java script - possibly locky
>> (ransomware) virus'
>>
>> check out where you defined that "possibly locky..." message and you'll
>> find what's blocking the mail
>>
>>
>> ------------------------------------------------------------------------------
>>
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
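The check described at the top of this thread, sketched as an added example (not ASSP_AFC code and not written by anyone in the thread): it pulls the JavaScript out of an attachment and reports which of the two strings it contains, which helps when triaging a blocked "good" html attachment. Case-insensitive matching, requiring both strings, the function names and the sample attachments are assumptions of the example.

```python
import re
from html.parser import HTMLParser

# Indicators named in the thread. Matching case-insensitively and requiring
# BOTH of them are assumptions of this example, not confirmed ASSP behaviour.
INDICATORS = {
    "string.prototype.": re.compile(r"string\.prototype\.", re.I),
    "charAt": re.compile(r"charAt", re.I),
}

class ScriptExtractor(HTMLParser):
    """Collects the text of every <script> element in an HTML attachment."""
    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def js_indicators(filename, body):
    """Return the sorted indicator names found in the JS of one attachment."""
    if filename.lower().endswith((".js", ".jse")):
        scripts = [body]            # the whole file is script
    else:
        parser = ScriptExtractor()
        parser.feed(body)
        parser.close()
        scripts = parser.scripts    # visible text outside <script> is ignored
    js = "\n".join(scripts)
    return sorted(name for name, rx in INDICATORS.items() if rx.search(js))

def would_flag(filename, body):
    """True when every indicator is present (the assumed blocking condition)."""
    return len(js_indicators(filename, body)) == len(INDICATORS)

# Constructed sample attachments (not taken from the thread or the pastebin).
FORM_HTML = ("<html><body><form><input name='k'></form><script>"
             "String.prototype.first = function () { return this.charAt(0); };"
             "</script></body></html>")
TEXT_ONLY = ("<html><body><p>No String.prototype. or charAt in mail.</p>"
             "<script>var a = 1;</script></body></html>")
ONE_HIT = "<html><script>var c = 'abc'.charAt(1);</script></html>"
```

An html attachment can match an extension "good" list and still be flagged here, because this check looks at script content rather than the file name.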