Thank you Thomas.  Question, you wrote:

the following additional exception switches are implemented:

 :PDF - adobe PDF file with embedded executable code or microsoft office
macros files, JavaScript and bad URIs (NOT recommended to be used, false
positives are expected)
 :CERTPDF - certificate signed adobe PDF file
 :JSPDF - adobe PDF file with JavaScript inside - notice: well known
malicious JavaScript combinations will be blocked, even if this option is
defined
 :URIPDF - adobe PDF file with URIs to download executables from the web or
to open local files

I'm slightly confused by your red text though..  I take anything you
suggest very seriously, especially so if it's in red.  There seems to be a
bit of a double negative in your above comments.

If we just use exe-bin as a level 1 block, that would include anything in
the PDF, CertPDF, JSPDF, and URIPDF category right?  If we do exe-bin|:PDF
that will block exe's but NOT those that are PDF files with embedded
executable code or microsoft office macros files, JavaScript and bad URIs
right?  That seems to remove all of this new PDF blocking functionality or
am I off base?  Then you said in red that this is not recommended.  I can't
tell if you mean you recommend that we not use the :PDF exception (so don't
do exe-bin|:PDF) or if you recommend that we do (exe-bin|:PDF) to best
avoid false positives.

Also, there can be MS office macros in a PDF??  And what kind of executable
content is there in a PDF besides javascript?    Based on your description,
clearly that's the case - and I'd think I would want to block them, but I
can't figure out how to do that if you (might be) recommending that we do
exe-bin|:PDF.

I'm clearly confused....

Thanks so much - this should make a big difference!

Ken



On Sat, May 20, 2017 at 4:34 AM, Thomas Eckardt <thomas.ecka...@thockar.com>
wrote:

> published ASSP_AFC 4.50
>
> example results from the analyzer:
>
> • URIBL check <http://winsrv01:55555/#ValidateURIBL>: 'OK'
> • † • SuspiciousVirus:
> Sanesecurity.Malware.26947.PdfHeur.DocmJS.UNOFFICIAL 'UNOFFICIAL'
> • attachment Invoice 07853327 05/17/2017.PDF is an executable
> • Not a Valid Format of HELO
> <http://winsrv01:55555/#DoValidFormatHelo>: '[42.113.108.55]'
>
> the following additional exception switches are implemented:
>
>  :PDF - adobe PDF file with embedded executable code or microsoft office
> macros files, JavaScript and bad URIs (NOT recommended to be used, false
> positives are expected)
>  :CERTPDF - certificate signed adobe PDF file
>  :JSPDF - adobe PDF file with JavaScript inside - notice: well known
> malicious JavaScript combinations will be blocked, even if this option is
> defined
>  :URIPDF - adobe PDF file with URIs to download executables from the web or
> to open local files
>
> Thomas
>
>
> From:        Thomas Eckardt <thomas.ecka...@thockar.com>
> To:        ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:        20.05.2017 07:17
> Subject:        Re: [Assp-test] updated ASSP_AFC Plugin
> ------------------------------
>
>
>
> ASSP_AFC 4.48 was too weak
> ASSP_AFC 4.49 is possibly too strict, but very safe - it allows the
> ':PDF' switch to be used
>
> I'm just looking for a way to prevent false positives.
>
> Thomas
>
>
>
>
>
> From:        K Post <nntp.p...@gmail.com>
> To:        ASSP development mailing list <assp-test@lists.sourceforge.net>
> Date:        19.05.2017 16:28
> Subject:        Re: [Assp-test] updated ASSP_AFC Plugin
> ------------------------------
>
>
>
> Here's a sample PDF with javascript that runs at startup (populates a
> field with the current date).
>
> On Fri, May 19, 2017 at 10:16 AM, K Post <nntp.p...@gmail.com> wrote:
> I tested with this new plugin installed and exe-bin blocking.  This plugin
> now blocks all pdf's that have javascript embedded right?  That's not what
> I experienced.
>
> I created a simple pdf with a button.  That button's action was to run
> javascript to print the document.  I emailed it to myself from gmail.  It
> was received, not blocked.
>
> Am I missing something?
>
> On Fri, May 19, 2017 at 9:48 AM, K Post <nntp.p...@gmail.com> wrote:
> Thanks for this!!!
>
> On Thu, May 18, 2017 at 10:22 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
> Hi all,
>
> I've just published ASSP_AFC.pm version 4.48 at SF-CVS.
>
>
> This version contains an extension to detect embedded executable code in
> real PDF files, if 'exe-bin' files are not allowed in the assp
> configuration.
>
>
> Currently detected are:
>
> - java script - most times this is required by the virus to open and run
> any other embedded code
>
> - ms office macros
> - exe and com files
>
> - wsh files
>
> This extension is hard coded. There is no way to make an exception to
> (e.g.) :PDF - like for :ELF, :CSC, :MSOM ...... - because such files are
> always malicious!
>
>
> Currently it seems that another ransomware attack is starting in
> preparation for the weekend! Such real PDF files are being distributed by email!
>
> I don't think that there will be a stupid 'killswitch' in the new viruses
> to save the world.
>
>
> I just saw that ClamAV (sanesecurity signatures) detected most of them -
> they all are classified as UNOFFICIAL !!!!.
>
>
> Thomas
>
>
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally
> privileged and protected in law and are intended solely for the use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
>
>
>
>
>
>
>
>
>
>
>
>
>
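To make the detection Thomas describes concrete, here is an added Python example (my own, not ASSP_AFC's Perl code) that flags the same categories of active content in a PDF: JavaScript, automatic/launch/URI actions and embedded executable attachments. It assumes a byte-scan heuristic with PDF #xx name decoding and FlateDecode inflation; the sample PDFs and the extension list are constructed for the example.

```python
import re
import zlib

# Markers for the active-content categories the thread describes. Heuristic
# only: no object-graph parsing, so a hit means "look closer", not "malicious".
ACTIVE_MARKERS = {
    b"/JavaScript": "javascript", b"/JS": "javascript",
    b"/OpenAction": "auto-action", b"/AA": "auto-action",
    b"/Launch": "launch-action", b"/URI": "uri",
    b"/EmbeddedFile": "embedded-file",
}
# Assumed extension list (not ASSP_AFC's) for executable/script/macro attachments.
EXEC_EXT = re.compile(rb"\.(exe|com|wsf|wsh|vbs|js|docm|xlsm|pptm)\b", re.I)

def _decode_names(data: bytes) -> bytes:
    """Undo /Name#xx hex escapes so e.g. /J#61vaScript matches /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def _inflate_streams(data: bytes) -> bytes:
    """Inflate FlateDecode stream bodies so markers hidden in them are seen."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)endstream", data, re.DOTALL):
        try:  # decompressobj tolerates the newline left before 'endstream'
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not zlib data (other filter or plain text): skip it
    return b"\n".join(out)

def scan_pdf(data: bytes) -> set:
    """Return the set of active-content categories found in a PDF byte string."""
    if not data.startswith(b"%PDF-"):
        return set()  # not a real PDF: leave it to the normal attachment rules
    text = _decode_names(data + b"\n" + _inflate_streams(data))
    found = set()
    for marker, label in ACTIVE_MARKERS.items():
        # require a non-letter after the name so /JS does not match /JSfoo
        if re.search(re.escape(marker) + rb"(?![A-Za-z])", text):
            found.add(label)
    if EXEC_EXT.search(text):
        found.add("executable-name")
    return found

# Constructed samples (not files from the thread): a plain PDF, one with an
# obfuscated JavaScript OpenAction, one hiding an .exe attachment in a stream.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
JS_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
          b"2 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\nendobj\n%%EOF\n")
_BODY = zlib.compress(b"<< /Type /Filespec /F (invoice.pdf.exe) /EF << /F 5 0 R >> >>"
                      b"\n5 0 obj\n<< /Type /EmbeddedFile /Length 0 >>\nendobj\n")
FLATE_PDF = (b"%%PDF-1.4\n4 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n"
             % len(_BODY) + _BODY + b"\nendstream\nendobj\n%%EOF\n")
```

A scanner like this is only a pre-filter: compressed object streams, encrypted PDFs and other filters still need a real parser before any "is an executable" verdict.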