>If that's correct

Yes, this way it is working. Because there is no executable check made for 'good=>....' rules, it's only possible to make exceptions in the 'block=>...' rules.

>Can you clarify syntax a little for me?

Let's say you want to block all (also compressed) executables for all users of a domain, except one single user 'j...@domain.org', which should be able to receive MS office macros in compressed files only. And the IT department, defined in the user group [IT], which should be able to receive every attachment.

*@domain.org=>block=>exe-bin
[IT]=>good=>.*
zip:*@domain.org=>block=>exe-bin
zip:[IT]=>good=>.*
zip:j...@domain.org=>block=>exe-bin|:MSOM

this example is wrong:

zip:u...@domain.org=>block=>exe-bin, good=>:MSOM

':MSOM' has to be defined as an exception of 'exe-bin' in the blocking rule - shown in the first example.

Thomas

From: K Post <nntp.p...@gmail.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 02.09.2016 22:05
Subject: Re: [Assp-test] Urgent: AFC plugin, ALLOW MS Office Macro from some users

I looked at the code for the updated plugin, if I'm understanding it correctly, you use exe-bin and then specify exceptions using :type (colon and type). You'd never use one of the exceptions by themselves.

If that's correct, when you're ready for another update, I'd change the description.

If \'exe-bin\' is defined, the Plugin will detect executable files based on their binary content. All executables, libraries, and scripts for DOS and Windows (except .com files), MS office macros(VBA), MAC-OS and linux ELF (for all processor architectures) will be detected.<br /><br />
If you want to skip the detection for a specific executable type, specify exe-bin (which detects all executables) and then add exceptions to exclude specific types: Example: \'exe-bin|::MSOM|:WSH\' - notice the leading colon for the exceptions! This example will block all detected executable files except for MS Office Macro files (:MSOM) and Windows Shell Scripts (:WSH)<br /><br />

On Fri, Sep 2, 2016 at 1:34 PM, K Post <nntp.p...@gmail.com> wrote:

> This is simply TERRIFIC. Thank you. I hope to test this weekend.
>
> Can you clarify syntax a little for me?
>
> If I want to block .abc and .xyz extensions plus all exe-bin detected EXCEPT for MSOM for a person - both IN AND OUT, and allow everything else in or out, what would their userattach line look like?
>
> A couple months ago, you added clarification that BLOCK directives in user attach trump ALLOW, so I don't know how to block any exe-bin except for the one type.
>
> ouru...@ourcharity.org => block => abc|xyz|exe-bin => allow => *|:MSOM
> doesn't seem right.
>
> Do I need to not use exe-bin and instead specify all other exe types?
> ouru...@ourcharity.org => block => abc|xyz|:WIN|:MOS|:PEF|:ELF|:WSH|:MMC|:ARC|:CSC
>
> On Fri, Sep 2, 2016 at 10:56 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
>> 1) - I've just released some new code (ASSP_AFC.pm 4.38) at CVS, which allows skipping the executable detection for some types. It is not fully tested!
>>
>> ......
>> If you've installed the ASSP_AFC Plugin (at least version 2.10) and 'exe-bin' is defined (on any level), the Plugin will detect executable files based on their binary content. Detected will be all executables, libraries and scripts for DOS and Windows (except .com files), MS office macros(VBA), MAC-OS and linux ELF (for all processor architectures).
>> If you want to skip the detection for a specific executable type, define any combination of the tags below like: 'exe-bin|:WSH|:MSOM|:WIN' - notice the leading colon for the exceptions!
>>
>> :WIN - windows executables
>> :MOS - Mach-O executables
>> :PEF - Classic MacOS executables
>> :ELF - ELF (linux) executables
>> :WSH - windows shell scripts
>> :MMC - windows MMC Console Files
>> :ARC - static library (linux,unix)
>> :CSC - common scripts (basic,java,perl,php,powershell....)
>> :MSOM - microsoft office macros
>>
>> 2) The reason is shown in the attached .txt file. The text can be defined in the ASSP_AFC plugin. Two new literals are available
>> REASON - for the attachment
>> VIRUS - for the virus check
>>
>> ......
>> The text which replaces the bad attachment. The literal FILENAME will be replaced with the name of the bad attachment! The literal REASON will be replaced with the reason, because the attachment was rejected!
>>
>> ......
>> The text which replaces the bad mailparts that contains a virus. The literal FILENAME will be replaced with the name of a bad attachment! The literal VIRUS will be replaced with the name of the virus!
>>
>> Thomas
>>
>> From: K Post <nntp.p...@gmail.com>
>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date: 01.09.2016 17:18
>> Subject: Re: [Assp-test] Urgent: AFC plugin, ALLOW MS Office Macro from some users
>>
>> > Hmmm ... what, if the sender's PC is infected by a zero day macro virus?
>>
>> You're preaching to the choir on this. I'm in complete agreement, we shouldn't allow MS Office Macro files, but there's no choice. The powers that be are insisting on it, and for a critical reason. There's a VERY large company that sends word macro files. They'll only send them via email, they won't change what they do, and this user relies on these files for the charity. Stinks. Management is insistent that we permit them to this user. Of course, the user is about as low tech as they get. I have a feeling he'll click / open anything. This whole situation drives me crazy, but it's the situation nonetheless.
>>
>> I saw in the AFC plugin where it's identifying the MS Office Macro TYPE of executable. We set the type variable and it shows in the log.
>>
>> 1) Might we be able to work that somehow into the filter? That would let AFC do its thing and detect executable content even if the extension is renamed but give us a way via UserAttach to allow macros through but not any other *detected* executable.
>>
>> 2) Related, could we add this type variable to the block text to show why the file wasn't allowed? I have regular users being confused by .doc files being rejected when they're rejected because of macros.
>>
>> Thanks again
>>
>> On Thu, Sep 1, 2016 at 2:51 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>>
>> > >I certainly don't want to allow all exe files, just
>> > >word/excel macros.
>> > ...
>> > >Is there a way with the AFC plugin enabled to enable MS Office files WITH
>> > >MACROS in them to come through from a specific domain?
>> >
>> > There is no other way. MS office macros are executables - you need to allow executables (exe-bin) for this user.
>> > But you can block attachments by file extension (exe|com|scr|js .......)
>> >
>> > >Nothing I can do.
>> > Hmmm ... what, if the sender's PC is infected by a zero day macro virus?
>> > Something like a new Melissa - https://en.wikipedia.org/wiki/Melissa_(computer_virus) - or a new Locky
>> >
>> > Thomas
>> >
>> > From: K Post <nntp.p...@gmail.com>
>> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> > Date: 31.08.2016 22:09
>> > Subject: [Assp-test] Urgent: AFC plugin, ALLOW MS Office Macro from some users
>> >
>> > One of our key users regularly gets MS Office files *with macros* in them from a specific domain. The outside sender insists on the macro. I can't stand this, but there is absolutely NO way to avoid this. Another case of business requirements requiring bad tech decisions. Nothing I can do.
>> >
>> > Is there a way with the AFC plugin enabled to enable MS Office files WITH MACROS in them to come through from a specific domain? Even better would be to allow just that ONE user on our end to get ms office files with macros sent from this single domain.
>> >
>> > I've looked at UserAttach, but I don't know the syntax to specify an office file with macro. I certainly don't want to allow all exe files, just word/excel macros. Awfully big problem for us.
>> >
>> > Thank you
>> > ------------------------------------------------------------------------------
>> > _______________________________________________
>> > Assp-test mailing list
>> > Assp-test@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/assp-test
>> >
>> > DISCLAIMER:
>> > *******************************************************
>> > This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed.
>> > This email was multiple times scanned for viruses. There should be no known virus in this email!
>> > *******************************************************
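
A simplified model of the block-rule syntax discussed in this thread, added here as an illustration; it is not code from ASSP or the ASSP_AFC plugin. The function names, the literal (non-regex) extension matching and the error handling are assumptions; the tag list and the rule that ':TYPE' exceptions belong next to 'exe-bin' in the block rule come from the thread.

```python
# Simplified model of the 'block=>' spec semantics described in the thread.
# Not ASSP_AFC code: names and matching logic are assumptions for illustration.

# Exception tags as listed in the thread for ASSP_AFC.pm 4.38.
EXE_TAGS = {"WIN", "MOS", "PEF", "ELF", "WSH", "MMC", "ARC", "CSC", "MSOM"}


def parse_block_spec(spec):
    """Split e.g. 'abc|xyz|exe-bin|:MSOM' into (extensions, exe_bin, exceptions)."""
    extensions, exceptions, exe_bin = set(), set(), False
    for token in filter(None, (t.strip() for t in spec.split("|"))):
        if token == "exe-bin":
            exe_bin = True
        elif token.startswith(":"):
            tag = token[1:].upper()
            if tag not in EXE_TAGS:
                raise ValueError(f"unknown exception tag {token!r}")
            exceptions.add(tag)
        else:
            # Assumption: plain tokens are treated as literal file extensions.
            extensions.add(token.lower())
    if exceptions and not exe_bin:
        # Per the thread, an exception is never used on its own.
        raise ValueError("':TYPE' exceptions only have meaning next to exe-bin")
    return extensions, exe_bin, exceptions


def is_blocked(spec, filename, detected_type=None):
    """Decide whether an attachment is blocked by a block spec.

    detected_type is the tag a content scan assigned to the file
    (e.g. 'MSOM'), or None when no executable content was detected.
    """
    extensions, exe_bin, exceptions = parse_block_spec(spec)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in extensions:
        return True  # blocked by extension, whatever the content is
    # Content-based block: any detected executable type not listed as exception.
    return bool(exe_bin and detected_type and detected_type not in exceptions)


if __name__ == "__main__":
    spec = "abc|xyz|exe-bin|:MSOM"  # the policy asked about in the thread
    # Constructed sample attachments: (filename, detected type)
    for name, kind in [("invoice.doc", "MSOM"), ("invoice.doc", "WIN"),
                       ("data.xyz", None), ("notes.txt", None)]:
        print(name, kind, "blocked" if is_blocked(spec, name, kind) else "passed")
```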