I think you've found the problem with my setup then!! Thank you for
sticking with me.
----All XML versions are compressed files - so the ZIP: entry has to be
used.
I knew that the newer office documents are XML and compressed, but I didn't
know that ASSP wasn't detecting them without specifically being told to in
UserAttach. The gui talks about blocking ms office vba with exe-bin, and I
assumed that applied to all office documents, not just those from 2007 or
older. Am I understanding you correctly?
(I also assume that my docm file wasn't just rejected from your email
server because you have docm in Level 1 or something? -- that's how I was
previously blocking these files, not with the mime detection, just straight
file extension matching).
I'm also worried that despite having exe\-bin and DLL in level one, that if
I send myself a standard windows dll file, it comes through. I wonder if
this could be something with the Windows perl libraries not working, me not
understanding, or another misconfiguration.
Would you mind terribly posting what your zip: line that's applied to
general users looks like from UserAttach or some more examples? I'm
thinking something like:
zip:*@* => block => [[ exactly what I currently have in Level 1 ]]
Does that make sense or am I off base?
Another question
We have one user who has to be able to send encrypted zip files out, we
currently have this line in UserAttach:
zip:l...@ourcharity.org => good-out => *|crypt\-zip
If I add the zip: line that block in and out my level 1/2 setting for *@*,
how does that combine with the line for Lisa directly above. I read that
it uses OR logic, but how does
For everyone, block zips that contain any level 1 blocked file including
exe content, block encrypted zips for all, OR allow any outbound zip
including encrypted ones for Lisa only
actually work? ASSP is being told to block zips with exe content OR allow
exe zips for Lisa. Block always wins right? If that's the case, how could
we block all this bad stuff, block encrypted zips, but allow them for Lisa
only??
Thanks again.
On Thu, Nov 3, 2016 at 5:29 PM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:
> Here is no attachment!
> macros in.docm are detected
> tested are all office versions up to 2013 with ALL possible document
> formats.
>
> All XML versions are compressed files - so the ZIP: entry has to be used.
>
> Thomas
>
>
>
>
>
> Von: K Post <nntp.p...@gmail.com>
> An: ASSP development mailing list <assp-test@lists.sourceforge.net>
> Datum: 03.11.2016 20:36
> Betreff: Re: [Assp-test] Blocking encrypted and/or VBA embedded MS
> Office Docs
> ------------------------------
>
>
>
> I'm sorry that you're getting frustrated again with me, but maybe I'm not
> being clear? I know that AFC doesn't use the file extension to detect the
> mime type. My point is that it's not the newer (2007 I think) word with
> macro format - docm.
>
> My tests are showing that with exe-bin in Level 1 (which should detect and
> reject VBA macros in office files) that docm (m on the end, meaning its a
> newer format Word with macro file) slip through ASSP. I had previously
> had docm under Level 1 too and found that renamed docm files came through.
> After removing docm as a test, I found that you don't even need to rename
> them.
>
> It's as if AFC isn't detecting macros in the newer Word formats. If I
> have macros in .doc files (Word 2003 and earlier) they ARE detected,
> encrypted or not!
>
> I know how much you despise Office products, so I attached a sample docm
> file for your reference.
>
> And last, and only semi-related, can we get an option in AFC to also
> reject encrypted office documents (even without macros)? I know macros
> will be caught even in encrypted word 2003 and older documents, but it
> seems like spammers are trying to slip through spam content and phishing
> attempts using encrypted Office docs now too... I wish we could just
> block Office documents altogether, but that would all but put this charity
> out of business.
>
>
> On Wed, Nov 2, 2016 at 4:48 PM, Thomas Eckardt <
> *thomas.ecka...@thockar.com* <thomas.ecka...@thockar.com>> wrote:
> >even if not encrypted seem to slip through.
>
> NO!
>
> I don't want to explain this again and again and again.
>
> ASSP_AFC uses a MIME-type based content detection.
>
> Thomas
>
>
>
>
>
> Von: K Post <*nntp.p...@gmail.com* <nntp.p...@gmail.com>>
> An: ASSP development mailing list <
> *assp-test@lists.sourceforge.net* <assp-test@lists.sourceforge.net>>
> Datum: 02.11.2016 17:28
> Betreff: Re: [Assp-test] Blocking encrypted and/or VBA embedded MS
> Office Docs
> ------------------------------
>
>
>
>
> ASSP_OCR only processes text attachments and PDF - no word documents.
>
> Thomas
>
> Is there a way to scan the content of (unencrypted) office documents for
> bad content? Seems like the spammers are heading this route.
>
> Macros are not enrypted (at least the statements checked by AFC) and will
> be detected.
> If not - provide me a download of such a document.
>
> Attached, please find a Word 2016 document (xml format) that has a macro
> and is encrypted. Word has me save it as a docm file. If I attach as docm
> is it blocked as expected. But if I rename as .doc the message comes
> through assp, macro and all.
>
> Password to decrypt this document is "macro"
>
> The ploy here which I see often now is a message saying that the
> attachment contains important info about a bill, an account, whatever. Then
> it says that the message is encrypted for security and to use password
> ______ to open it. If the user falls for it, there's potential that
> they'll run the vba / macro too....
>
>
> In testing, I also found that renamed docm with macro files, even if not
> encrypted seem to slip through. Is the AFC plugin possibly not detecting
> docm files based on content and only looking at them by extension?
>
> Thanks
> Ken
>
>
>
>
> On Tue, Nov 1, 2016 at 9:37 PM, K Post <*nntp.p...@gmail.com*
> <nntp.p...@gmail.com>> wrote:
> Missed that we already had AFC to block vba macros. That is in fact
> working great.
>
> However, the new tactic is to send *encrypted* word documents and put the
> password in the email. Those aren't caught, which makes sense - AFC can't
> read the file to tell that there's a macro! Can AFC be modified to block
> for encrypted office documents?
>
>
> On Thu, Oct 27, 2016 at 10:19 PM, K Post <*nntp.p...@gmail.com*
> <nntp.p...@gmail.com>> wrote:
> With more and more and more attached files slipping through ClamAV's
> hands, and the majority of these being either encrypted MS Office documents
> or zero day-ish Word documents with VBA embedded, I'm wondering if ASSP_AFC
> could be modified to optionally reject/strip/score messages that are
> either:
> 1) Encrypted MS Office documents and/or
> 2) MS Office documents that contain VBA code.
>
> Related, detect PDF files with Javascript or Flash embedded??
>
> (and Thomas, if you're replying to this, could you also cc me directly so
> that I get the reply - gmail is rejecting your DKIM messages that pass
> through SourceForge without SRS)
>
> THANKS
>
>
> ------------------------------------------------------------
> ------------------
> Developer Access Program for Intel Xeon Phi Processors
> Access to Intel Xeon Phi processor-based developer platforms.
> With one year of Intel Parallel Studio XE.
> Training and support from Colfax.
> Order your platform today. *http://sdm.link/xeonphi*
> <http://sdm.link/xeonphi>_______________________________________________
> Assp-test mailing list
> *Assp-test@lists.sourceforge.net* <Assp-test@lists.sourceforge.net>
> *https://lists.sourceforge.net/lists/listinfo/assp-test*
> <https://lists.sourceforge.net/lists/listinfo/assp-test>
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
>
> ------------------------------------------------------------
> ------------------
> Developer Access Program for Intel Xeon Phi Processors
> Access to Intel Xeon Phi processor-based developer platforms.
> With one year of Intel Parallel Studio XE.
> Training and support from Colfax.
> Order your platform today. *http://sdm.link/xeonphi*
> <http://sdm.link/xeonphi>
> _______________________________________________
> Assp-test mailing list
> *Assp-test@lists.sourceforge.net* <Assp-test@lists.sourceforge.net>
> *https://lists.sourceforge.net/lists/listinfo/assp-test*
> <https://lists.sourceforge.net/lists/listinfo/assp-test>
>
> ------------------------------------------------------------
> ------------------
> Developer Access Program for Intel Xeon Phi Processors
> Access to Intel Xeon Phi processor-based developer platforms.
> With one year of Intel Parallel Studio XE.
> Training and support from Colfax.
> Order your platform today. http://sdm.link/xeonphi_______
> ________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
>
> ------------------------------------------------------------
> ------------------
> Developer Access Program for Intel Xeon Phi Processors
> Access to Intel Xeon Phi processor-based developer platforms.
> With one year of Intel Parallel Studio XE.
> Training and support from Colfax.
> Order your platform today. http://sdm.link/xeonphi
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today. http://sdm.link/xeonphi
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
