On 2/18/2015 2:10 PM, Reindl Harald wrote:
On 18.02.2015 at 20:00, David F. Skoll wrote:
On Wed, 18 Feb 2015 10:52:49 -0800 (PST)
John Hardin <jhar...@impsec.org> wrote:
Macros are not inherently evil.
No, they're not, but AutoRun macros are guilty until proven
otherwise, IMO.
(And adding the ability for MS Office macros to execute external
programs and fetch content over the Internet *is* inherently evil and
MS should be soundly slapped for that.)
it would be nice if SA added a *low score* in case of documents
containing macros - that may make the difference in a milter setup in
combination with other rules and bayes to reject or not
_______________________________________
well, and as a sidenote: today i had a jar-malware (java) in a mail
and instead of unpacking it for inspection, because it has the same icon
as archives, i managed to run that damned thing - luckily realized that 30
seconds later, pulled the network cables and restored the complete
machine from a nightly backup
the source contains at least socket:// and heavy pulsating disk-IO
noticed from the RAID10 as long as the process was active - will give it
a try in an isolated VM to look at what it does in the next spare time
Or if there was an SA-style classifier for malware that scores files in
addition to "this is a keylogger".