ASSP_AFC 4.48 was too weak
ASSP_AFC 4.49 is possibly too strict, but very safe - it allows to use the 
':PDF' switch

I'm just looking for a way to prevent false positives.

Thomas





Von:    K Post <nntp.p...@gmail.com>
An:     ASSP development mailing list <assp-test@lists.sourceforge.net>
Datum:  19.05.2017 16:28
Betreff:        Re: [Assp-test] updated ASSP_AFC Plugin



Here's a sample PDF with javascript that runs at startup (populates a 
field with the current date).

On Fri, May 19, 2017 at 10:16 AM, K Post <nntp.p...@gmail.com> wrote:
I tested with this new plugin installed and exe-bin blocking.  This plugin 
now blocks all pdf's that have javascript embedded right?  That's not what 
I experienced.

I created a simple pdf with a button.  That button's action was to run 
javascript to print the document.  I emailed it to myself from gmail.  It 
was received, not blocked.

Am I missing something?  

On Fri, May 19, 2017 at 9:48 AM, K Post <nntp.p...@gmail.com> wrote:
Thanks for this!!!

On Thu, May 18, 2017 at 10:22 AM, Thomas Eckardt <
thomas.ecka...@thockar.com> wrote:
Hi all, 

I've just published ASSP_AFC.pm version 4.48 at SF-CVS. 

This version contains an extension to detect embedded executable code in 
real PDF files, if 'exe-bin' files are not allowed in the assp 
configuration. 

Currently detected are: 

- java script - most times this is requred by the virus to open and run 
any other embedded code 
- ms office macros 
- exe and com files 
- wsh files 

This extension is hard coded. There is no way to make an exception to 
(e.g)  :PDF  -  like for :ELF, :CSC  :MSOM ......  - because such files 
are every time malicious! 

Currently it seems, that another ransomware attack is starting in 
preparation for the weekend! Distributed are such real PDF files per 
email! 
I don't think that there will be a stupid 'killswitch' in the new viruses 
to save the world. 

I just saw that ClamAV (sanesecurity signatures) detected most of them - 
they all are classified as UNOFFICIAL !!!!. 

Thomas



DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test

Reply via email to