Another question: does that dinky PDF with the embedded javascript that I
sent you show up as caught in your analyze report? When I send it, even
with 1.50 installed, it comes through, despite having exe-bin blocking
enabled.
On Sat, May 20, 2017 at 6:59 PM, K Post <nntp.p...@gmail.com> wrote:
> Thank you Thomas. Question, you wrote:
>
> the following additional exception switches are implemented:
>
> :PDF - adobe PDF file with embedded executable code or microsoft office
> macros files, JavaScript and bad URIs (NOT recommended to be used, false
> positives are expected)
> :CERTPDF - certificate signed adobe PDF file
> :JSPDF - adobe PDF file with JavaScript inside - notice: well known
> malicious JavaScript combinations will be blocked, even this option is
> defined
> :URIPDF - adobe PDF file with URIs to download executables from the web or
> to open local files
>
> I'm slightly confused by your red text though... I take anything you
> suggest very seriously, especially so if it's in red. There seems to be a
> bit of a double negative in your above comments.
>
> If we just use exe-bin as a level 1 block, that would include anything in
> the PDF, CertPDF, JSPDF, and URIPDF category right? If we do exe-bin|:PDF
> that will block exe's but NOT those that are PDF files with embedded
> executable code or microsoft office macros files, JavaScript and bad URIs
> right? That seems to remove all of this new PDF blocking functionality or
> am I off base? Then you said in red that this is not recommended. I can't
> tell if you mean you recommend that we not use the :PDF exception (so don't
> do exe-bin|:PDF) or if you recommend that we do (exe-bin|:PDF) to best
> avoid false positives.
>
> Also, there can be MS office macros in a PDF?? And what kind of
> executable content is there in a PDF besides javascript? Based on your
> description, clearly that's the case - and I'd think I would want to block
> them, but I can't figure out how to do that if you (might be) recommending
> that we do exe-bin|:PDF.
>
> I'm clearly confused....
>
> Thanks so much - this should make a big difference!
>
> Ken
>
> On Sat, May 20, 2017 at 4:34 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
>> published ASSP_AFC 4.50
>>
>> example results from the analyzer:
>>
>> • URIBL check <http://winsrv01:55555/#ValidateURIBL>: 'OK'
>> • † • SuspiciousVirus: Sanesecurity.Malware.26947.PdfHeur.DocmJS.UNOFFICIAL 'UNOFFICIAL'
>> • attachment Invoice 07853327 05/17/2017.PDF is an executable
>> • Not a Valid Format of HELO <http://winsrv01:55555/#DoValidFormatHelo>: '[42.113.108.55]'
>>
>> the following additional exception switches are implemented:
>>
>> :PDF - adobe PDF file with embedded executable code or microsoft office
>> macros files, JavaScript and bad URIs (NOT recommended to be used, false
>> positives are expected)
>> :CERTPDF - certificate signed adobe PDF file
>> :JSPDF - adobe PDF file with JavaScript inside - notice: well known
>> malicious JavaScript combinations will be blocked, even this option is
>> defined
>> :URIPDF - adobe PDF file with URIs to download executables from the web
>> or to open local files
>>
>> Thomas
>>
>>
>> From: Thomas Eckardt <thomas.ecka...@thockar.com>
>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date: 20.05.2017 07:17
>> Subject: Re: [Assp-test] updated ASSP_AFC Plugin
>> ------------------------------
>>
>> ASSP_AFC 4.48 was too weak
>> ASSP_AFC 4.49 is possibly too strict, but very safe - it allows to use
>> the ':PDF' switch
>>
>> I'm just looking for a way to prevent false positives.
>>
>> Thomas
>>
>> From: K Post <nntp.p...@gmail.com>
>> To: ASSP development mailing list <assp-test@lists.sourceforge.net>
>> Date: 19.05.2017 16:28
>> Subject: Re: [Assp-test] updated ASSP_AFC Plugin
>> ------------------------------
>>
>> Here's a sample PDF with javascript that runs at startup (populates a
>> field with the current date).
>>
>> On Fri, May 19, 2017 at 10:16 AM, K Post <nntp.p...@gmail.com> wrote:
>> I tested with this new plugin installed and exe-bin blocking. This
>> plugin now blocks all pdf's that have javascript embedded right? That's
>> not what I experienced.
>>
>> I created a simple pdf with a button. That button's action was to run
>> javascript to print the document. I emailed it to myself from gmail. It
>> was received, not blocked.
>>
>> Am I missing something?
>>
>> On Fri, May 19, 2017 at 9:48 AM, K Post <nntp.p...@gmail.com> wrote:
>> Thanks for this!!!
>>
>> On Thu, May 18, 2017 at 10:22 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>> Hi all,
>>
>> I've just published ASSP_AFC.pm version 4.48 at SF-CVS.
>>
>>
>> This version contains an extension to detect embedded executable code in
>> real PDF files, if 'exe-bin' files are not allowed in the assp
>> configuration.
>>
>>
>> Currently detected are:
>>
>> - java script - most times this is required by the virus to open and run
>> any other embedded code
>>
>> - ms office macros
>> - exe and com files
>>
>> - wsh files
>>
>> This extension is hard coded. There is no way to make an exception for
>> (e.g.) :PDF - like for :ELF, :CSC, :MSOM ...... - because such files are
>> malicious every time!
>>
>>
>> Currently it seems that another ransomware attack is starting in
>> preparation for the weekend! Such real PDF files are being distributed by email!
>>
>> I don't think that there will be a stupid 'killswitch' in the new viruses
>> to save the world.
>>
>>
>> I just saw that ClamAV (sanesecurity signatures) detected most of them -
>> they are all classified as UNOFFICIAL!!!!
>>
>>
>> Thomas
>>
>> DISCLAIMER:
>> *******************************************************
>> This email and any files transmitted with it may be confidential, legally
>> privileged and protected in law and are intended solely for the use of the
>> individual to whom it is addressed.
>> This email was multiple times scanned for viruses. There should be no
>> known virus in this email!
>> *******************************************************
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>
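The PDF content classes the thread discusses (JavaScript, URIs that fetch executables or open local files, embedded files, certificate signing) as a small static triage example, added here and not the ASSP_AFC plugin's own code. The category names, the executable-suffix list, the sample PDF fragments and the exception semantics are my assumptions; it goes slightly beyond the thread by also decoding `#xx` hex escapes in PDF names, which a scanner must normalise before matching.

```python
import re

# Constructed sample PDF fragments (not files from the thread): JavaScript run on
# open, the same with hex-escaped names (/J#61vaScript is /JavaScript), a link
# annotation to an .exe download, and a benign document.
SAMPLE_JS = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
             b"2 0 obj << /S /JavaScript /JS (this.print\\(\\);) >> endobj\n")
SAMPLE_JS_HEX = b"%PDF-1.4\n1 0 obj << /OpenAction << /S /J#61vaScript /J#53 (app.alert\\(1\\);) >> >> endobj\n"
SAMPLE_URI = b"%PDF-1.4\n1 0 obj << /Subtype /Link /A << /S /URI /URI (http://example.invalid/invoice.exe) >> >> endobj\n"
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"

# Assumed suffix list for "URIs to download executables"; extend as needed.
EXEC_SUFFIXES = (b".exe", b".com", b".scr", b".js", b".vbs", b".wsf", b".wsh")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in PDF names so /J#61vaScript is seen as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def classify(data: bytes) -> set:
    """Return the (assumed) category names a PDF's visible objects fall into."""
    data = normalize_names(data)
    cats = set()
    if re.search(rb"/(JS|JavaScript)\b", data):           # :JSPDF
        cats.add("JSPDF")
    uris = [u.strip().lower() for u in re.findall(rb"/URI\s*\(([^)]*)\)", data)]
    if b"/Launch" in data or any(u.endswith(EXEC_SUFFIXES) or u.startswith(b"file:") for u in uris):
        cats.add("URIPDF")                                  # :URIPDF
    if b"/EmbeddedFile" in data:                            # embedded payload (exe, macro doc, ...)
        cats.add("EMBEDDED")
    if re.search(rb"/Type\s*/Sig\b", data):                 # :CERTPDF
        cats.add("CERTPDF")
    return cats


def is_blocked(data: bytes, exceptions: frozenset = frozenset()) -> bool:
    """Mirror the 'exe-bin|:SWITCH' semantics from the thread: a finding is waived
    only if its category, or the blanket :PDF switch, is listed as an exception.
    Assumption: JavaScript combined with an executable URI stays blocked under :JSPDF."""
    cats = classify(data)
    if not cats or "PDF" in exceptions:
        return False
    if {"JSPDF", "URIPDF"} <= cats:
        return True
    return bool(cats - exceptions)
```

Real PDFs usually wrap objects in /FlateDecode streams, so a production scanner must inflate streams before applying these checks; the fragments above only exercise the classification logic.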