This is simply TERRIFIC.  Thank you.  I hope to test this weekend.

Can you clarify syntax a little for me?

If I want to block  .abc and .xyz extensions plus all exe-bin detected
EXCEPT for MSOM for a person - both IN AND OUT, and allow everything else
in or out, what would their userattach line look like?

A couple months ago, you added clarification that BLOCK directives in user
attach trump ALLOW, so I don't know how to block any exe-bin except for the
one type.

ouru...@ourcharity.org => block => abc|xyz|exe-bin => allow => *|:MSOM
doesn't seem right.

Do I need to not use exe-bin and instead specify all other exe types?
ouru...@ourcharity.org => block => abc|xyz|:WIN|:MOS|:PEF|:ELF|:WSH|:MMC|:ARC|:CSC



On Fri, Sep 2, 2016 at 10:56 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> 1) - I've just released some new code (ASSP_AFC.pm 4.38) at CVS, which
> allows skipping the executable detection for some types. It is not fully
> tested!
>
> ......
> If you've installed the ASSP_AFC Plugin (at least version 2.10) and
> 'exe-bin' is defined (on any level), the Plugin will detect executable
> files based on their binary content. Detected will be all executables,
> libraries and scripts for DOS and Windows (except .com files), MS office
> macros (VBA), MAC-OS and linux ELF (for all processor architectures).
> If you want to skip the detection for a specific executable type, define
> any combination of the tags below like: 'exe-bin|:WSH|:MSOM|:WIN' - notice
> the leading colon for the exceptions!
>
>  :WIN - windows executables
>  :MOS - Mach-O executables
>  :PEF - Classic MacOS executables
>  :ELF - ELF (linux) executables
>  :WSH - windows shell scripts
>  :MMC - windows MMC Console Files
>  :ARC - static library (linux,unix)
>  :CSC - common scripts (basic,java,perl,php,powershell....)
>  :MSOM - microsoft office macros
>
>
> 2) The reason is shown in the attached .txt file. The text can be defined
> in the ASSP_AFC plugin. Two new literals are available
> REASON - for the attachment
> VIRUS - for the virus check
>
> ......
> The text which replaces the bad attachment. The literal FILENAME will be
> replaced with the name of the bad attachment! The literal REASON will be
> replaced with the reason, because the attachment was rejected!
>
> ......
> The text which replaces the bad mailparts that contains a virus. The
> literal FILENAME will be replaced with the name of a bad attachment! The
> literal VIRUS will be replaced with the name of the virus!
>
>
> Thomas
>
>
>
>
>
> From:    K Post <nntp.p...@gmail.com>
> To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:    01.09.2016 17:18
> Subject: Re: [Assp-test] Urgent: AFC plugin, ALLOW MS Office Macro from some users
>
>
>
> >
> > Hmmm ... what, if the senders PC is infected by a zero day macro virus?
>
>
> You're preaching to the choir on this.  I'm in complete agreement, we
> shouldn't allow MS Office Macro files, but there's no choice. The powers
> that be are insisting on it, and for a critical reason.  There's a VERY
> large company that sends word macro files.  They'll only send them via
> email, they won't change what they do, and this user relies on these files
> for the charity.  Stinks.  Management is insistent that we permit them to
> this user.  Of course, the user is about as low tech as they get.  I have
> a feeling he'll click / open anything.  This whole situation drives me
> crazy, but it's the situation nonetheless.
>
> I saw in the AFC plugin where it's identifying the MS Office Macro TYPE of
> executable.  We set the type variable and it shows in the log.
>
> 1) Might we be able to work that somehow into the filter?   That would let
> AFC do its thing and detect executable content even if the extension is
> renamed but give us a way via UserAttach to allow macros through but not
> any other *detected* executable.
>
> 2) Related, could we add this type variable to the block text to show why
> the file wasn't allowed?  I have regular users being confused by .doc
> files being rejected when they're rejected because of macros.
>
>
> Thanks again
>
>
> On Thu, Sep 1, 2016 at 2:51 AM, Thomas Eckardt
> <thomas.ecka...@thockar.com>
> wrote:
>
> > >I certainly don't want to allow all exe files, just
> > >word/excel macros.
> > ...
> > >Is there a way with the AFC plugin enabled to enable MS Office files WITH
> > >MACROS in them to come through from a specific domain?
> >
> > There is no other way. MS office macros are executables - you need to
> > allow executables (exe-bin) for this user.
> > But you can block attachments by file extension (exe|com|scr|js .......)
> >
> > >Nothing I can do.
> > Hmmm ... what, if the senders PC is infected by a zero day macro virus?
> > Something like a new Melissa -
> > https://en.wikipedia.org/wiki/Melissa_(computer_virus)
> > - or a new Locky
> >
> >
> > Thomas
> >
> >
> >
> >
> > From:    K Post <nntp.p...@gmail.com>
> > To:      ASSP development mailing list <assp-test@lists.sourceforge.net>
> > Date:    31.08.2016 22:09
> > Subject: [Assp-test] Urgent: AFC plugin, ALLOW MS Office Macro from some users
> >
> >
> >
> > One of our key users regularly gets MS Office files *with macros* in them
> > from a specific domain. The outside sender insists on the macro.  I can't
> > stand this, but there is absolutely NO way to avoid this.    Another case
> > of business requirements requiring bad tech decisions.  Nothing I can do.
> >
> > Is there a way with the AFC plugin enabled to enable MS Office files WITH
> > MACROS in them to come through from a specific domain?  Even better would
> > be to allow just that ONE user on our end to get ms office files with
> > macros sent from this single domain.
> >
> > I've looked at UserAttach, but I don't know the syntax to specify an office
> > file with macro.  I certainly don't want to allow all exe files, just
> > word/excel macros.  Awfully big problem for us.
> >
> > Thank you
> > ------------------------------------------------------------
> > ------------------
> > _______________________________________________
> > Assp-test mailing list
> > Assp-test@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/assp-test
> >
> >
> >
> >
> > DISCLAIMER:
> > *******************************************************
> > This email and any files transmitted with it may be confidential, legally
> > privileged and protected in law and are intended solely for the use of the
> > individual to whom it is addressed.
> > This email was multiple times scanned for viruses. There should be no
> > known virus in this email!
> > *******************************************************
> >
> >
> >
> >
>
>