From the Windows point of view, '.bin' files are innocent. They are
registered as 'NoOpen' in HKEY_CLASSES_ROOT by default. An AD-GPO may be
used to force this setting or to unregister this extension class. They may
be blocked as a raw attachment, but not in zip files by extension.
.bin files may be a type of Mac executable - but this will be detected by
'exe-bin'.
If you need and want to detect the various .BIN file formats used in
MS-Office or elsewhere
http://www.codeproject.com/Articles/15216/Office-bin-file-format
may be a good starting point.
Write regular expressions to detect the types and define them in
'assp/Plugins/file_type.txt'.
Good luck :):)
'exe-bin' will detect the majority of executable code by content - except:
cmd, bat, com and obfuscated scripting code of any script language.
Those attachments have to be blocked by their file name extension.
Thomas
From: K Post <nntp.p...@gmail.com>
To: ASSP development mailing list <assp-test@lists.sourceforge.net>
Date: 08.11.2016 16:27
Subject: [Assp-test] Better Office File Handling Possible / Some excel xlsx files rejecting
I stumbled on this in the bounce report:
[spam found] bad attachment 'thefile.xlsx' cause: 'compressed file
'thefile.xlsx' - contains forbidden file
c:/assp/tmp/zip_3_1478548021/.10/xl/printerSettings/printerSettings1.bin'
[FW Data]
Turns out there's a lot of them. A sample of one of the macro-free xlsx
files is attached, hopefully for your review. If I send this file to
myself from the outside, it's stripped.
I know that Excel's xlsx are compressed xml files. If I open the sample
xlsx file in 7zip, I can see the zip structure. I don't know what Excel
is doing, but there is a printerSettings1.bin file in there, I assume for
printer settings, but this is causing AFC (I believe) to remove the zip.
In UserAttach I have:
# look in zips for these bad files too
zip:* => block => exe\-bin|url|ade|adp|asx|bas|bat|dot|dotx|xlt|xlts|bin|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|htb|inf|ifs|isp|js|jse|lnk|mda|mdb|mde|mdz|mht|msc|msi|msp|mst|nch|pcd|pif|prf|ps1|reg|scf|scr|sct|shb|shs|vb|vbe|vbs|vba|wms|wsc|wsh|rar|dotm|docm|xlsm|pptm
Level 1 is
exe\-bin|url|ade|adp|asx|bas|bat|dot|dotx|xlt|xlts|bin|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|htb|inf|ifs|isp|js|jse|lnk|mda|mdb|mde|mdz|mht|msc|msi|msp|mst|nch|pcd|pif|prf|ps1|reg|scf|scr|sct|shb|shs|vb|vbe|vbs|vba|wms|wsc|wsh|rar|dotm|docm|xlsm|pptm
and Level 2 is (the same as level 1, but surrounded by () and ending in
.zip to catch these types within a zip)
(exe\-bin|url|ade|adp|asx|bas|bat|dot|dotx|xlt|xlts|bin|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|htb|inf|ifs|isp|js|jse|lnk|mda|mdb|mde|mdz|mht|msc|msi|msp|mst|nch|pcd|pif|prf|ps1|reg|scf|scr|sct|shb|shs|vb|vbe|vbs|vba|wms|wsc|wsh|rar|dotm|docm|xlsm|pptm).zip
Obviously, the quick fix is to remove .bin from the UserAttach file, but
that would allow zip files containing bin through... Questions:
1) Is there a better way other than allowing bin files in zips? It's not
like Office documents are unusual files these days. We have no choice but
to deal with them. Microsoft's decision to make them zip files containing
other content could be a good one for us.
2) Is my Level 2 line necessary with AFC installed or is it redundant?
3) Semi-related: based on the info above, any idea why dll files,
including those within a zip, are allowed through? Shouldn't the exe-bin
line catch them and if not, the dll entries?
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
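The distinction discussed in this thread, as an added example that is not part of either message and is not ASSP code: an extension rule flags printerSettings1.bin inside an xlsx, while a check on the member's leading bytes does not, and the same content check still catches an executable header hidden behind an unlisted extension. The shortened extension list, the magic-number table, the function names and the sample archive are assumptions made for illustration.

```python
import io
import re
import zipfile

# Shortened form of the extension list from the UserAttach line quoted above.
BLOCKED_EXT = re.compile(r"\.(bin|bat|cmd|com|dll|exe|js|scr|vbs)$", re.I)

# Assumption: a few well-known executable magic numbers stand in for a
# content check; this is not how ASSP's 'exe-bin' is implemented.
EXEC_MAGIC = {
    b"MZ": "PE/DOS",
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64",
    b"\xfe\xed\xfa\xce": "Mach-O 32",
    b"\xca\xfe\xba\xbe": "Mach-O fat or Java class",
}

def sniff(data):
    """Return the executable type named by the leading bytes, or None."""
    for magic, name in EXEC_MAGIC.items():
        if data.startswith(magic):
            return name
    return None

def scan_zip(blob):
    """Report, per archive member, the extension verdict and content verdict."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the header bytes are needed
            report[info.filename] = {
                "ext_blocked": bool(BLOCKED_EXT.search(info.filename)),
                "exec_type": sniff(head),
            }
    return report

def build_sample():
    """Constructed sample: an xlsx-like zip with a data .bin and a PE-like stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/printerSettings/printerSettings1.bin",
                    b"\x00\x00\x01\x00constructed settings data")
        zf.writestr("xl/media/image1.png", b"MZ\x90\x00constructed stub")
    return buf.getvalue()
```

Calling `scan_zip(build_sample())` returns one entry per member, so the extension verdict and the content verdict can be compared side by side.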