1) - I've just released some new code (ASSP_AFC.pm 4.38) at CVS, which 
allows skipping the executable detection for some types. It is not fully 
tested!

......
If you've installed the ASSP_AFC Plugin (at least version 2.10) and 
'exe-bin' is defined (on any level), the Plugin will detect executable 
files based on their binary content. Detected will be all executables, 
libraries and scripts for DOS and Windows (except .com files), MS office 
macros (VBA), MAC-OS and linux ELF (for all processor architectures).
If you want to skip the detection for a specific executable type, define 
any combination of the tags below like: 'exe-bin|:WSH|:MSOM|:WIN' - notice 
the leading colon for the exceptions!

 :WIN - windows executables
 :MOS - Mach-O executables
 :PEF - Classic MacOS executables
 :ELF - ELF (linux) executables
 :WSH - windows shell scripts
 :MMC - windows MMC Console Files
 :ARC - static library (linux,unix)
 :CSC - common scripts (basic,java,perl,php,powershell....)
 :MSOM - microsoft office macros


2) The reason is shown in the attached .txt file. The text can be defined 
in the ASSP_AFC plugin. Two new literals are available
REASON - for the attachment
VIRUS - for the virus check

......
The text which replaces the bad attachment. The literal FILENAME will be 
replaced with the name of the bad attachment! The literal REASON will be 
replaced with the reason, because the attachment was rejected!

......
The text which replaces the bad mailparts that contains a virus. The 
literal FILENAME will be replaced with the name of a bad attachment! The 
literal VIRUS will be replaced with the name of the virus!


Thomas
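
Added example (not part of the original message and not ASSP_AFC code): a small Python model of the 'exe-bin' exception tags from item 1 and the FILENAME/REASON replacement text from item 2. The byte signatures, function names, template wording and sample bytes are assumptions made for illustration; detection of the WSH, MMC and CSC types is left out.

```python
import re

# Exception tags listed in the message above.
TAGS = {"WIN", "MOS", "PEF", "ELF", "WSH", "MMC", "ARC", "CSC", "MSOM"}

# Simplified leading-byte signatures (assumption, not ASSP_AFC's detection logic).
MAGIC = [
    ("WIN", (b"MZ",)),
    ("ELF", (b"\x7fELF",)),
    ("MOS", (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
             b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe")),
    ("PEF", (b"Joy!peff",)),
    ("ARC", (b"!<arch>\n",)),
]

def parse_rule(rule):
    """Return (exe_bin_enabled, skipped_tags) for a rule like 'exe-bin|:WSH|:MSOM'."""
    parts = [p.strip() for p in rule.split("|") if p.strip()]
    skipped = {p[1:] for p in parts if p.startswith(":")}
    unknown = skipped - TAGS
    if unknown:
        raise ValueError(f"unknown exception tag(s): {sorted(unknown)}")
    return "exe-bin" in parts, skipped

def detect_type(data):
    """Classify content by its bytes, ignoring the file name and extension."""
    for tag, signatures in MAGIC:
        if data.startswith(signatures):
            return tag
    # Macro-enabled OOXML files are ZIP containers holding a vbaProject.bin part.
    if data.startswith(b"PK") and b"vbaProject.bin" in data:
        return "MSOM"
    return None

def check_attachment(rule, filename, data, template):
    """Return the replacement text if the attachment is blocked, else None."""
    enabled, skipped = parse_rule(rule)
    tag = detect_type(data) if enabled else None
    if tag is None or tag in skipped:
        return None
    values = {"FILENAME": filename, "REASON": f"executable content ({tag})"}
    # Single pass, so a sender-chosen file name containing 'REASON' is not re-expanded.
    return re.sub("FILENAME|REASON", lambda m: values[m.group()], template)

# Constructed samples: a macro-enabled document renamed to .doc, and an ELF binary.
DOCM = b"PK\x03\x04" + b"\x00" * 26 + b"word/vbaProject.bin"
ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
TEMPLATE = "Attachment FILENAME was removed. Reason: REASON"
```

With the rule 'exe-bin|:MSOM' the constructed macro document passes while the ELF sample is still replaced, which is the narrow exception asked for in the thread.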





From:    K Post <nntp.p...@gmail.com>
To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
Date:    01.09.2016 17:18
Subject: Re: [Assp-test] Urgent: AFC plugin, ALLOW MS Office Macro from some users



>
> Hmmm ... what, if the sender's PC is infected by a zero day macro virus?


You're preaching to the choir on this.  I'm in complete agreement, we
shouldn't allow MS Office Macro files, but there's no choice.  The powers
that be are insisting on it, and for a critical reason.  There's a VERY
large company that sends word macro files.  They'll only send them via
email, they won't change what they do, and this user relies on these files
for the charity.  Stinks.  Management is insistent that we permit them to
this user.  Of course, the user is about as low tech as they get.  I have a
feeling he'll click / open anything.  This whole situation drives me crazy,
but it's the situation nonetheless.

I saw in the AFC plugin where it's identifying the MS Office Macro TYPE of
executable.  We set the type variable and it shows in the log.

1) Might we be able to work that somehow into the filter?   That would let
AFC do its thing and detect executable content even if the extension is
renamed but give us a way via UserAttach to allow macros through but not
any other *detected* executable.

2) Related, could we add this type variable to the block text to show why
the file wasn't allowed?  I have regular users being confused by .doc files
being rejected when they're rejected because of macros.


Thanks again


On Thu, Sep 1, 2016 at 2:51 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> >I certainly don't want to allow all exe files, just
> >word/excel macros.
> ...
> >Is there a way with the AFC plugin enabled to enable MS Office files WITH
> >MACROS in them to come through from a specific domain?
>
> There is no other way. MS office macros are executables - you need to
> allow executables (exe-bin) for this user.
> But you can block attachments by file extension (exe|com|scr|js .......)
>
> >Nothing I can do.
> Hmmm ... what, if the sender's PC is infected by a zero day macro virus?
> Something like a new Melissa -
> https://en.wikipedia.org/wiki/Melissa_(computer_virus)
> - or a new Locky
>
>
> Thomas
>
>
>
>
> From:    K Post <nntp.p...@gmail.com>
> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:    31.08.2016 22:09
> Subject: [Assp-test] Urgent: AFC plugin, ALLOW MS Office Macro from some users
>
>
>
> One of our key users regularly gets MS Office files *with macros* in them
> from a specific domain. The outside sender insists on the macro.  I can't
> stand this, but there is absolutely NO way to avoid this.  Another case
> of business requirements requiring bad tech decisions.  Nothing I can do.
>
> Is there a way with the AFC plugin enabled to enable MS Office files WITH
> MACROS in them to come through from a specific domain?  Even better would
> be to allow just that ONE user on our end to get ms office files with
> macros sent from this single domain.
>
> I've looked at UserAttach, but I don't know the syntax to specify an office
> file with macro.  I certainly don't want to allow all exe files, just
> word/excel macros.  Awfully big problem for us.
>
> Thank you
> ------------------------------------------------------------
> ------------------
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************