On 2/25/2015 1:17 PM, Justin Edmands wrote:
Hey Mimedefang listers,
I wanted to know if I could use mimedefang to strip out .DOC, .DOCX, .XLS, and
.XLSX files (or any applicable file type) if they contain a macro.
--Justin
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
DFS posted a function to the SA users list that works on 2003 and
earlier documents (attached). For newer formats, this should also be
helpful:
https://social.technet.microsoft.com/Forums/office/en-US/1eb2d35a-b212-480b-9af3-121ab498d095/where-does-the-macro-gets-stored-in-new-microsoft-word-open-office-xml-format-docx?forum=word
--- Begin Message ---
On Wed, 18 Feb 2015 09:56:56 -0700
Jesse Norell <je...@kci.net> wrote:
> Another option might be to add a virus scanner to your pop/imap
> server, so mail is re-scanned before being sent to the client?
I wrote some Perl to try to detect MS Office documents with macros in
them. I'm not sure it's 100% successful, but it does seem to detect
a large percentage of them. Unfortunately, I found out to my dismay
that quite a few legitimate MS Office documents have macros, so you can
only use this to add points, not to reject.
The code fragment is below (it's not a complete solution, but it gives
you the gist). It's not a SpamAssassin plugin (because it's part
of our MIMEDefang framework) but it shouldn't be too hard to adapt.
The essential part is to look for the two strings $marker1 and $marker2
in the document.
Regards,
David.
==============================================================================
# These markers were documented at:
# http://blog.rootshell.be/2015/01/08/searching-for-microsoft-office-files-containing-macro/
# as of 2015-01-15
# $entity is a MIME::Entity that's the parsed message
use strict;
use warnings;
use MIME::Words qw(decode_mimewords);

# $marker1: the OLE2 (compound file) header signature that every legacy
# .doc/.xls/.ppt file begins with.
my $marker1 = "\xd0\xcf\x11\xe0";
# $marker2: "\x00Attribut\x00", a fragment of the "Attribute VB_Name" line
# that opens every stored VBA module.
my $marker2 = "\x00\x41\x74\x74\x72\x69\x62\x75\x74\x00";

sub contains_office_macros
{
    my ($self, $entity) = @_;

    # Multipart entity: recurse into each part; one macro-bearing part is enough.
    my @parts = $entity->parts();
    if (scalar(@parts) > 0) {
        foreach my $part (@parts) {
            if ($self->contains_office_macros($part)) {
                return 1;
            }
        }
        return 0;
    }

    # Only look at parts whose declared filename is a Word document.
    my $is_msoffice_extension = 0;
    foreach my $attr_name (qw( Content-Disposition.filename
                               Content-Type.name) ) {
        my $possible = $entity->head->mime_attr($attr_name);
        next unless defined($possible);
        $possible = decode_mimewords($possible);
        if ($possible =~ /\.(doc|docx)$/i) {
            $is_msoffice_extension = 1;
            last;
        }
    }
    return 0 unless $is_msoffice_extension;

    # The body must have been spooled to a file we can read in raw mode.
    return 0 unless defined($entity->bodyhandle) &&
                    defined($entity->bodyhandle->path);

    my $fp;
    if (!open($fp, '<:raw', $entity->bodyhandle->path)) {
        return 0;
    }
    my $contents;
    {
        local $/;            # slurp the whole file in one read
        $contents = <$fp>;
        close($fp);
    }
    return 0 unless defined($contents);

    # Both markers present: an OLE2 container that holds a VBA module.
    if (index($contents, $marker1) > -1 &&
        index($contents, $marker2) > -1) {
        return 1;
    }
    return 0;
}
--- End Message ---
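As an added example (not code from the thread or from MIMEDefang), the same two-marker test for legacy OLE2 files sits beside a check for the newer zip-based formats the Technet link points at, where the VBA project lives in a vbaProject.bin part declared in [Content_Types].xml; the sample blobs are constructed to mimic each case and are not real documents.

```python
import io, zipfile
from typing import List, Optional

# Legacy OLE2 formats: compound-file header plus the VBA module marker
# ("\x00Attribut\x00", a fragment of "Attribute VB_Name") used in the thread.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0"
VBA_ATTRIBUT_MARKER = b"\x00Attribut\x00"
# Content type an OOXML package declares for an embedded VBA project.
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"

def ooxml_vba_parts(data: bytes) -> List[str]:
    """Zip members carrying a VBA project in an OOXML package (.docm/.xlsm,
    or a .docx that was only renamed): <main part>/vbaProject.bin, which is
    also declared in [Content_Types].xml. A plain .docx has neither."""
    if not data.startswith(b"PK\x03\x04"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            hits = [n for n in names if n.lower().endswith("vbaproject.bin")]
            if (not hits and "[Content_Types].xml" in names
                    and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")):
                hits = ["[Content_Types].xml"]   # renamed part, still declared
            return hits
    except zipfile.BadZipFile:
        return []

def macro_indicator(data: bytes) -> Optional[str]:
    """Reason string if the attachment body looks macro-bearing, else None.
    As the thread notes, use the result to add score, not to reject."""
    if data.startswith(OLE2_MAGIC) and VBA_ATTRIBUT_MARKER in data:
        return "ole2-vba-marker"
    parts = ooxml_vba_parts(data)
    return "ooxml-" + parts[0] if parts else None

def _zip(members: dict) -> bytes:
    """Constructed sample builder: a minimal OOXML-shaped zip, not a real file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed samples shaped like each case; none is a real document.
SAMPLE_DOCM = _zip({"[Content_Types].xml": b"<Types/>", "word/vbaProject.bin": OLE2_MAGIC})
SAMPLE_XLSM_RENAMED = _zip({"[Content_Types].xml": b"<Types><Override ContentType=\""
                            + VBA_CONTENT_TYPE + b"\"/></Types>", "xl/macros.bin": b""})
SAMPLE_DOCX = _zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"})
SAMPLE_DOC_VBA = OLE2_MAGIC + b"\x00" * 28 + VBA_ATTRIBUT_MARKER + b"e VB_Name = \"Module1\""
SAMPLE_DOC_PLAIN = OLE2_MAGIC + b"\x00" * 64
```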