I looked at the code for the updated plugin. If I'm understanding it correctly, you use exe-bin and then specify exceptions using :type (colon and type). You'd never use one of the exceptions by themselves. If that's correct, when you're ready for another update, I'd change the description.
If \'exe-bin\' is defined, the Plugin will detect executable files based on their binary content. All executables, libraries, and scripts for DOS and Windows (except .com files), MS office macros(VBA), MAC-OS and linux ELF (for all processor architectures) will be detected.<br /><br /> If you want to skip the detection for a specific executable type, specify exe-bin (which detects all executables) and then add exceptions to exclude specific types: Example: \'exe-bin|:MSOM|:WSH\' - notice the leading colon for the exceptions! This example will block all detected executable files except for MS Office Macro files (:MSOM) and Windows Shell Scripts (:WSH)<br /><br />

On Fri, Sep 2, 2016 at 1:34 PM, K Post <nntp.p...@gmail.com> wrote:

> This is simply TERRIFIC. Thank you. I hope to test this weekend.
>
> Can you clarify syntax a little for me?
>
> If I want to block .abc and .xyz extensions plus all exe-bin detected EXCEPT for MSOM for a person - both IN AND OUT, and allow everything else in or out, what would their userattach line look like?
>
> A couple months ago, you added clarification that BLOCK directives in user attach trump ALLOW, so I don't know how to block any exe-bin except for the one type.
>
> ouru...@ourcharity.org => block => abc|xyz|exe-bin => allow => *|:MSOM
> doesn't seem right.
>
> Do I need to not use exe-bin and instead specify all other exe types?
> ouru...@ourcharity.org => block => abc|xyz|:WIN|:MOS|:PEF|:ELF|:WSH|:MMC|:ARC|:CSC
>
> On Fri, Sep 2, 2016 at 10:56 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
>> 1) - I've just released some new code (ASSP_AFC.pm 4.38) at CVS, which allows skipping the executable detection for some types. It is not fully tested!
>>
>> ......
>> If you've installed the ASSP_AFC Plugin (at least version 2.10) and 'exe-bin' is defined (on any level), the Plugin will detect executable files based on their binary content. Detected will be all executables, libraries and scripts for DOS and Windows (except .com files), MS office macros(VBA), MAC-OS and linux ELF (for all processor architectures).
>> If you want to skip the detection for a specific executable type, define any combination of the tags below like: 'exe-bin|:WSH|:MSOM|:WIN' - notice the leading colon for the exceptions!
>>
>> :WIN - windows executables
>> :MOS - Mach-O executables
>> :PEF - Classic MacOS executables
>> :ELF - ELF (linux) executables
>> :WSH - windows shell scripts
>> :MMC - windows MMC Console Files
>> :ARC - static library (linux,unix)
>> :CSC - common scripts (basic,java,perl,php,powershell....)
>> :MSOM - microsoft office macros
>>
>> 2) The reason is shown in the attached .txt file. The text can be defined in the ASSP_AFC plugin. Two new literals are available
>> REASON - for the attachment
>> VIRUS - for the virus check
>>
>> ......
>> The text which replaces the bad attachment. The literal FILENAME will be replaced with the name of the bad attachment! The literal REASON will be replaced with the reason, because the attachment was rejected!
>>
>> ......
>> The text which replaces the bad mailparts that contains a virus. The literal FILENAME will be replaced with the name of a bad attachment! The literal VIRUS will be replaced with the name of the virus!
>>
>> Thomas
>>
>> From: K Post <nntp.p...@gmail.com>
>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date: 01.09.2016 17:18
>> Subject: Re: [Assp-test] Urgent: AFC plugin, ALLOW MS Office Macro from some users
>>
>> > Hmmm ... what, if the sender's PC is infected by a zero day macro virus?
>>
>> You're preaching to the choir on this. I'm in complete agreement, we shouldn't allow MS Office Macro files, but there's no choice. The powers that be are insisting on it, and for a critical reason. There's a VERY large company that sends word macro files. They'll only send them via email, they won't change what they do, and this user relies on these files for the charity. Stinks. Management is insistent that we permit them to this user. Of course, the user is about as low tech as they get. I have a feeling he'll click / open anything. This whole situation drives me crazy, but it's the situation nonetheless.
>>
>> I saw in the AFC plugin where it's identifying the MS Office Macro TYPE of executable. We set the type variable and it shows in the log.
>>
>> 1) Might we be able to work that somehow into the filter? That would let AFC do its thing and detect executable content even if the extension is renamed but give us a way via UserAttach to allow macros through but not any other *detected* executable.
>>
>> 2) Related, could we add this type variable to the block text to show why the file wasn't allowed? I have regular users being confused by .doc files being rejected when they're rejected because of macros.
>>
>> Thanks again
>>
>> On Thu, Sep 1, 2016 at 2:51 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>>
>> > >I certainly don't want to allow all exe files, just
>> > >word/excel macros.
>> > ...
>> > >Is there a way with the AFC plugin enabled to enable MS Office files WITH
>> > >MACROS in them to come through from a specific domain?
>> >
>> > There is no other way. MS office macros are executables - you need to allow executables (exe-bin) for this user.
>> > But you can block attachments by file extension (exe|com|scr|js .......)
>> >
>> > >Nothing I can do.
>> > Hmmm ... what, if the sender's PC is infected by a zero day macro virus?
>> > Something like a new Melissa - https://en.wikipedia.org/wiki/Melissa_(computer_virus) - or a new Locky
>> >
>> > Thomas
>> >
>> > From: K Post <nntp.p...@gmail.com>
>> > To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> > Date: 31.08.2016 22:09
>> > Subject: [Assp-test] Urgent: AFC plugin, ALLOW MS Office Macro from some users
>> >
>> > One of our key users regularly gets MS Office files *with macros* in them from a specific domain. The outside sender insists on the macro. I can't stand this, but there is absolutely NO way to avoid this. Another case of business requirements requiring bad tech decisions. Nothing I can do.
>> >
>> > Is there a way with the AFC plugin enabled to enable MS Office files WITH MACROS in them to come through from a specific domain? Even better would be to allow just that ONE user on our end to get ms office files with macros sent from this single domain.
>> >
>> > I've looked at UserAttach, but I don't know the syntax to specify an office file with macro. I certainly don't want to allow all exe files, just word/excel macros. Awfully big problem for us.
>> >
>> > Thank you
>> > ------------------------------------------------------------------------------
>> > _______________________________________________
>> > Assp-test mailing list
>> > Assp-test@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/assp-test
>> >
>> > DISCLAIMER:
>> > *******************************************************
>> > This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed.
>> > This email was multiple times scanned for viruses. There should be no known virus in this email!
>> > *******************************************************
------------------------------------------------------------------------------
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
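The block-list syntax discussed in this thread, modelled as an added example (this is not ASSP_AFC's code and not from either poster): it lints a spec such as 'abc|xyz|exe-bin|:MSOM', rejecting unknown tags, a doubled colon, or exceptions given without exe-bin, and then evaluates it. The function names are hypothetical, and it assumes that entries are plain extensions matched against the final file suffix, that an extension match blocks regardless of content exceptions, and that the caller supplies the type tag content detection reported.

```python
import re

# Type tags as listed in the ASSP_AFC.pm 4.38 announcement quoted in the thread.
EXE_TAGS = {
    "WIN": "windows executables",
    "MOS": "Mach-O executables",
    "PEF": "Classic MacOS executables",
    "ELF": "ELF (linux) executables",
    "WSH": "windows shell scripts",
    "MMC": "windows MMC Console Files",
    "ARC": "static library (linux,unix)",
    "CSC": "common scripts",
    "MSOM": "microsoft office macros",
}

def parse_block_spec(spec):
    """Split a spec like 'abc|xyz|exe-bin|:MSOM' into its parts and lint it."""
    exts, skipped, problems, exe_bin = set(), set(), [], False
    for item in (p.strip() for p in spec.split("|")):
        if item == "exe-bin":
            exe_bin = True
        elif item.startswith(":"):
            if item[1:] in EXE_TAGS:
                skipped.add(item[1:])
            else:
                problems.append(f"unknown exception tag {item!r}")
        elif re.fullmatch(r"[A-Za-z0-9]+", item):
            exts.add(item.lower())  # assumption: plain extensions only
        else:
            problems.append(f"unrecognised entry {item!r}")
    if skipped and not exe_bin:
        problems.append("exceptions given without exe-bin")
    return {"exe_bin": exe_bin, "skip": skipped, "exts": exts, "problems": problems}

def is_blocked(spec, filename, detected_type=None):
    """Model decision; detected_type is the tag detection reported, or None."""
    rule = parse_block_spec(spec)
    if rule["problems"]:
        raise ValueError("; ".join(rule["problems"]))  # refuse to guess at a bad rule
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in rule["exts"]:
        return True  # assumption: extension match blocks whatever the content is
    if rule["exe_bin"] and detected_type is not None:
        return detected_type not in rule["skip"]  # excepted types pass through
    return False
```
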