>even if not encrypted seem to slip through.
NO!
I don't want to explain this again and again and again.
ASSP_AFC uses a MIME-type based content detection.
Thomas
Von: K Post <nntp.p...@gmail.com>
An: ASSP development mailing list <assp-test@lists.sourceforge.net>
Datum: 02.11.2016 17:28
Betreff: Re: [Assp-test] Blocking encrypted and/or VBA embedded MS
Office Docs
ASSP_OCR only processes text attachments and PDF - no word documents.
Thomas
Is there a way to scan the content of (unencrypted) office documents for
bad content? Seems like the spammers are heading this route.
Macros are not enrypted (at least the statements checked by AFC) and will
be detected.
If not - provide me a download of such a document.
Attached, please find a Word 2016 document (xml format) that has a macro
and is encrypted. Word has me save it as a docm file. If I attach as
docm is it blocked as expected. But if I rename as .doc the message comes
through assp, macro and all.
Password to decrypt this document is "macro"
The ploy here which I see often now is a message saying that the
attachment contains important info about a bill, an account, whatever.
Then it says that the message is encrypted for security and to use
password ______ to open it. If the user falls for it, there's potential
that they'll run the vba / macro too....
In testing, I also found that renamed docm with macro files, even if not
encrypted seem to slip through. Is the AFC plugin possibly not detecting
docm files based on content and only looking at them by extension?
Thanks
Ken
On Tue, Nov 1, 2016 at 9:37 PM, K Post <nntp.p...@gmail.com> wrote:
Missed that we already had AFC to block vba macros. That is in fact
working great.
However, the new tactic is to send encrypted word documents and put the
password in the email. Those aren't caught, which makes sense - AFC can't
read the file to tell that there's a macro! Can AFC be modified to block
for encrypted office documents?
On Thu, Oct 27, 2016 at 10:19 PM, K Post <nntp.p...@gmail.com> wrote:
With more and more and more attached files slipping through ClamAV's
hands, and the majority of these being either encrypted MS Office
documents or zero day-ish Word documents with VBA embedded, I'm wondering
if ASSP_AFC could be modified to optionally reject/strip/score messages
that are either:
1) Encrypted MS Office documents and/or
2) MS Office documents that contain VBA code.
Related, detect PDF files with Javascript or Flash embedded??
(and Thomas, if you're replying to this, could you also cc me directly so
that I get the reply - gmail is rejecting your DKIM messages that pass
through SourceForge without SRS)
THANKS
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally
privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no
known virus in this email!
*******************************************************
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
