> So, I guess the request is to add something to analyze for each file to say: FILE: whatever.ext would be stripped
> or FILE: whatever.ext would be allowed
This is the same as for every check made by the analyzer. The analyzer is unable to "know" if a mail would be blocked or not; it only knows the current matching results. If a mail is in real processing, checks and their results depend on other checks and internal flags. The analyzer makes its checks independent of other results or flags.

Thomas

From: "K Post" <nntp.p...@gmail.com>
To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Date: 11.01.2019 18:26
Subject: [Assp-test] UserAttach Revisited

Templating in UserAttach is great. It allows for the granular settings that we (unfortunately) require, with simplicity of management.

2 requests:

1) Review this UserAttach config to confirm there are no glaring errors or recommendations
2) Change the analyze report to better indicate if a file will be stripped or allowed

My current UserAttach configuration:

# Template for all of our bad extensions, allow harmless MSOLE
~TmplStdBlockExts => exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk
# RULE that blocks bad extensions, based on the template
~~RuleStdBlocks => block ~TmplStdBlockExts
# all users by default have the StdBlockRule applied
# this would be overridden by a longer user part of the definition
# longest userpart wins. NO inheritance
*@* => ~~RuleStdBlocks
# scan compressed files too, same template except --bin to allow newer Office files which include bin files
zip:*@* => block => ~TmplStdBlockExts|--bin
# Some users allowed to get office macros no matter who they're from
except...@ourcharity.org => block => ~TmplStdBlockExts|:MSOM
# Allow some from outside orgs to send office macros to anyone
*@External.org => block => ~TmplStdBlockExts|:MSOM
# Allow some to send PDFs with javascript in them
*@OtherExternal.org => block => ~TmplStdBlockExts|:JSPDF
# Some alert-only emails are unfiltered
ale...@ourcharity.org => good => .*

Analyze: I sent 2 test inbound emails from an external domain, both with an Office macro XLS file. One was to except...@ourcharity.org, the other to noexcept...@ourcharity.org. This worked as expected (yay!): the file was stripped from NoException@ and it did come through to Exception@ as I had hoped. In analyze, however, it's not clear that this is the case.

Analyze of a mail to a regular address where the file was stripped:

• attachment WithMacro.xls is or contains an executable - MS Office Macro (see UserAttach) [[ YUP, and it was blocked ]]
• ZIP: t...@outsidedomain.com -> noexcept...@ourcharity.org => block =>
exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk (see UserAttach)
• ZIP: t...@outsidedomain.com -> noexcept...@ourcharity.org => no 'good' rule found for compressed attachments (see UserAttach)
• extension : WithMacro.xls passed UserAttach [[ Yes, but it was blocked because MSOM was detected ]]
• t...@outsidedomain.com -> noexcept...@ourcharity.org => block =>
exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk
• t...@outsidedomain.com -> noexcept...@ourcharity.org => no 'good' rule found

Could we change Analyze to show that the attachment will be stripped? The extension passed, but the macro makes it fail.
Analyze of the email with the matching exception:

• attachment WithMacro.xls is or contains an executable - MS Office Macro (see UserAttach) [ yes, but allowed due to the MSOM exception for this user ]
• ZIP: t...@outsidedomain.com -> except...@ourcharity.org => block => exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk (see UserAttach)
• ZIP: t...@outsidedomain.com -> except...@ourcharity.org => no 'good' rule found for compressed attachments (see UserAttach)
• extension : WithMacro.xls passed UserAttach
• t...@outsidedomain.com -> except...@ourcharity.org => block =>
exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk| :MSOM
• t...@outsidedomain.com -> except...@ourcharity.org => no 'good' rule found

There is no easily discernible difference from the analyze report that shows the same file being blocked, unless you happen to catch the MSOM exception at the end of the consolidated rule (bold added for emphasis).

So, I guess the request is to add something to analyze for each file to say:

FILE: whatever.ext would be stripped
or
FILE: whatever.ext would be allowed

That would make testing changes to UserAttach much easier by analyzing previous messages.
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
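Added example (not ASSP's own code, and not part of the thread): an offline "would be stripped / would be allowed" resolver for a UserAttach-style configuration, producing the per-file verdict K Post asks the analyzer for, which Thomas points out the analyzer cannot give because it reports each check on its own. The semantics it implements are assumptions taken from the comments in the posted config and from the two test mails in the post: the longest matching user part wins with no inheritance, and an entry matches when its pattern fits the sender or the recipient; zip: entries cover files inside archives; --ext removes an extension from a template; :MSOM and :JSPDF exempt the Office-macro and JavaScript-in-PDF detections, which are treated as on by default; exe\-bin switches on executable-content detection; good => .* passes everything. Nothing here scans attachments: the content detections are supplied as constructed input. The block template is abbreviated and the addresses (nomacro@, macrouser@, monitor@ourcharity.org, alice@External.org) are hypothetical.

```python
"""Offline 'would be stripped / would be allowed' verdicts for a UserAttach-style config.

Added example, not ASSP's code.  The semantics are assumptions modelled on the posted
config's comments and test mails: longest matching user part wins (no inheritance),
'zip:' entries apply inside archives, '--ext' removes an extension, ':TOKEN' exempts a
content detection, MSOM and JSPDF detections are on by default, 'exe\\-bin' enables the
executable-content detection, 'good => .*' passes everything.  Nothing scans files:
content detections are supplied by the caller as constructed input.
"""
import re
from fnmatch import fnmatchcase

ALWAYS_ON = {"MSOM", "JSPDF"}         # assumed default-on content detections
SWITCHABLE = {"exe-bin": "EXE-BIN"}   # list item that enables a detection (assumed)

# Constructed config in the posted syntax; block template abbreviated, addresses hypothetical.
CONFIG = r"""
# Template for bad extensions, allow harmless MSOLE
~TmplStdBlockExts => exe\-bin|:HLMSOLE|bin|dll|exe|js|jse|vbs|hta|scr|cmd|bat|docm|xlsm|pptm
~~RuleStdBlocks => block ~TmplStdBlockExts
# every address by default; longest user part wins, no inheritance
*@* => ~~RuleStdBlocks
# inside archives: same template minus bin (Office files carry vbaProject.bin)
zip:*@* => block => ~TmplStdBlockExts|--bin
# one mailbox may receive macros, one outside org may send them, one mailbox is unfiltered
macrouser@ourcharity.org => block => ~TmplStdBlockExts|:MSOM
*@External.org => block => ~TmplStdBlockExts|:MSOM
monitor@ourcharity.org => good => .*
"""


def parse_config(text):
    """Return (templates, named_rules, entries); an entry is (scope, pattern, action, list)."""
    templates, rules, entries = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split("=>")]
        if line.startswith("~~"):                 # named rule: '~~Name => action ~Tmpl'
            action, lst = parts[1].split(None, 1)
            rules[parts[0]] = (action.lower(), lst)
        elif line.startswith("~"):                # template: '~Name => list'
            templates[parts[0]] = parts[1]
        else:                                     # user entry, optionally 'zip:' scoped
            scope, pattern = "top", parts[0]
            if pattern.lower().startswith("zip:"):
                scope, pattern = "zip", pattern[4:]
            if parts[1].startswith("~~"):
                action, lst = rules[parts[1]]
            else:
                action, lst = parts[1].lower(), parts[2]
            entries.append((scope, pattern.lower(), action, lst))
    return templates, rules, entries


def expand(lst, templates):
    """Expand ~Template references; split into (blocked_exts, exemptions, active_detections)."""
    lst = re.sub(r"~(\w+)", lambda m: templates["~" + m.group(1)], lst)
    blocked, exempt, active = set(), set(), set(ALWAYS_ON)
    for item in lst.split("|"):
        item = item.strip().replace("\\", "")     # 'exe\-bin' -> 'exe-bin'
        if item.startswith(":"):
            exempt.add(item[1:].upper())
        elif item.startswith("--"):
            blocked.discard(item[2:].lower())     # order matters: 'bin' is listed first
        elif item.lower() in SWITCHABLE:
            active.add(SWITCHABLE[item.lower()])
        elif item:
            blocked.add(item.lower())
    return blocked, exempt, active


def select_entry(entries, scope, sender, recipient):
    """Longest pattern matching sender or recipient within the scope wins (assumed)."""
    sender, recipient = sender.lower(), recipient.lower()
    hits = [e for e in entries if e[0] == scope
            and (fnmatchcase(sender, e[1]) or fnmatchcase(recipient, e[1]))]
    return max(hits, key=lambda e: len(e[1]), default=None)


def verdict(config, sender, recipient, filename, detected=(), in_archive=False):
    """Return ('allowed' | 'stripped', reason) for one attachment of one mail."""
    templates, _, entries = config
    entry = select_entry(entries, "zip" if in_archive else "top", sender, recipient)
    if entry is None:
        return "allowed", "no matching UserAttach entry"
    _, pattern, action, lst = entry
    if action == "good" and lst.strip() == ".*":
        return "allowed", f"'good => .*' for {pattern}"
    blocked, exempt, active = expand(lst, templates)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in blocked:
        return "stripped", f"extension '{ext}' is blocked by the rule for {pattern}"
    for d in sorted(t.upper() for t in detected):
        if d in active and d not in exempt:
            return "stripped", f"content detection {d} is not exempted by the rule for {pattern}"
    return "allowed", f"passed the rule for {pattern}"


def report(config, sender, recipient, files):
    """files = [(name, detections, in_archive)] -> one 'FILE: ...' line per attachment."""
    lines = []
    for name, detections, in_archive in files:
        what, why = verdict(config, sender, recipient, name, detections, in_archive)
        lines.append(f"FILE: {name} would be {what} ({why})")
    return lines


if __name__ == "__main__":
    cfg = parse_config(CONFIG)
    files = [("WithMacro.xls", {"MSOM"}, False), ("tool.exe", set(), False),
             ("vbaProject.bin", set(), True)]
    for rcpt in ("nomacro@ourcharity.org", "macrouser@ourcharity.org", "monitor@ourcharity.org"):
        print("\n".join(report(cfg, "t@outsidedomain.com", rcpt, files)))
```

Run against the two mails from the post, WithMacro.xls with an MSOM detection comes back "stripped (content detection MSOM is not exempted by the rule for *@*)" for the ordinary mailbox and "allowed" for the mailbox whose longer entry carries :MSOM, which is the one-line difference the two analyze reports above bury. The same resolver shows why --bin matters: vbaProject.bin is stripped at the top level but allowed inside an archive. To test a config change against old mail, edit CONFIG and re-run report() with the detections the analyzer printed for that mail.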