The analyzer knows if the extension matches UserAttach; could it also see if the file type based on detection would match UserAttach (including the :MSOM type of exceptions)?

Does my UserAttach example seem logical to you? Thanks.

On Sat, Jan 12, 2019 at 3:15 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> *So, I guess the request is to add something to analyze for each file to say:*
> FILE: whatever.ext would be stripped
> or
> FILE: whatever.ext would be allowed
>
> This is the same as for every check made by the analyzer. The analyzer is unable to "know" if a mail would be blocked or not - it only knows the current matching results. If a mail is in real processing, checks and their results depend on other checks and internal flags. The analyzer makes checks independent of other results or flags.
>
> Thomas
>
>
> From: "K Post" <nntp.p...@gmail.com>
> To: "ASSP development mailing list" <assp-test@lists.sourceforge.net>
> Date: 11.01.2019 18:26
> Subject: [Assp-test] UserAttach Revisited
> ------------------------------
>
> Templating in UserAttach is great. It allows for the granular settings that we (unfortunately) require, with simplicity of management.
>
> 2 requests:
> 1) Review this UserAttach config to confirm there are no glaring errors or recommendations
> 2) Change the analyze report to better indicate if a file will be stripped or allowed
>
> My current UserAttach configuration:
>
> # Template for all of our bad extensions, allow harmless MSOLE
> ~TmplStdBlockExts => exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk
>
> # RULE that blocks bad extensions, based on the template
> ~~RuleStdBlocks => block ~TmplStdBlockExts
>
> # all users by default have the StdBlockRule applied
> # this would be overridden by a longer user part of the definition
> # longest userpart wins. NO inheritance
> *@* => ~~RuleStdBlocks
>
> # scan compressed files too, same template except --bin to allow newer Office files which include bin files
> zip:*@* => block => ~TmplStdBlockExts|--bin
>
> # Some users allowed to get office macros no matter who they're from
> except...@ourcharity.org => block => ~TmplStdBlockExts|:MSOM
>
> # Allow some from outside orgs to send office macros to anyone
> *@External.org => block => ~TmplStdBlockExts|:MSOM
>
> # Allow some to send PDFs with javascript in them
> *@OtherExternal.org => block => ~TmplStdBlockExts|:JSPDF
>
> # Some alert-only emails are unfiltered
> *ale...@ourcharity.org* => good => .*
>
> Analyze:
> I sent 2 test inbound emails from an external domain, both with an office macro XLS file. One was to except...@ourcharity.org, the other to noexcept...@ourcharity.org. *This worked as expected* (yay!), the file was stripped from NoException@ and it did come through to Exception@ as I had hoped.
>
> In analyze however, it's not clear that this is the case:
>
> analyze of a mail to a regular address where the file was stripped:
> • attachment WithMacro.xls is or contains an executable - MS Office Macro (see UserAttach) *[[ YUP, and it was blocked ]]*
> • ZIP: t...@outsidedomain.com -> *NoException*@OurCharity.org => block => exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk (see UserAttach)
> • ZIP: t...@outsidedomain.com -> noexcept...@ourcharity.org => no 'good' rule found for compressed attachments (see UserAttach)
> • extension : WithMacro.xls passed UserAttach *[[ Yes, but it was blocked because MSOM was detected ]]*
> • t...@outsidedomain.com -> noexcept...@ourcharity.org => block => exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk
> • t...@outsidedomain.com -> noexcept...@ourcharity.org => no 'good' rule found
>
> *Could we change Analyze to show that the attachment will be stripped. The extension passed, but the macro makes it fail.*
>
> analyze of the email with the matching exception:
> • attachment WithMacro.xls is or contains an executable - MS Office Macro (see UserAttach) *[ yes, but allowed due to the MSOM exception for this user ]*
> • ZIP: t...@outsidedomain.com -> except...@ourcharity.org => block => exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk (see UserAttach)
> • ZIP: t...@outsidedomain.com -> except...@ourcharity.org => no 'good' rule found for compressed attachments (see UserAttach)
> • extension : WithMacro.xls passed UserAttach
> • t...@outsidedomain.com -> except...@ourcharity.org => block => exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|exe\-bin|:HLMSOLE|asx|dot|dotx|xlt|xlts|bin|dbx|dll|htb|ifs|mht|nch|vba|wms|rar|dotm|docm|xlsm|pptm|ade|adp|app|appcontent-ms|application|asp|bas|bat|cer|chm|cmd|cnt|com|cpl|crt|csh|der|diagcab|exe|fxp|gadget|grp|hlp|hpj|hta|inf|ins|iso|isp|its|jar|jnlp|js|jse|ksh|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mdb|mde|mdt|mdw|mdz|msc|msh|msh1|msh2|mshxml|msh1xml|msh2xml|msi|msp|mst|msu|ops|osd|pcd|pif|pl|plg|prf|prg|printerexport|ps1|ps1xml|ps2|ps2xml|psc1|psc2|psd1|psdm1|pst|reg|scf|scr|sct|settingcontent-ms|shb|shs|theme|tmp|url|vb|vbe|vbp|vbs|vsmacros|vsw|webpnp|website|ws|wsc|wsf|wsh|xbap|xll|xnk|*:MSOM*
> • t...@outsidedomain.com -> except...@ourcharity.org => no 'good' rule found
>
> No easily discernible difference from the analyze report that shows the same file being blocked unless you happen to catch the MSOM exception at the end of the consolidated rule (bold added for emphasis).
>
> *So, I guess the request is to add something to analyze for each file to say:*
> FILE: whatever.ext would be stripped
> or
> FILE: whatever.ext would be allowed
> That would make testing changes to UserAttach much easier by analyzing previous messages.
_______________________________________________ Assp-test mailing list Assp-test@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-test
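Added example, not from the thread and not ASSP's code: a small Python model of the UserAttach notation used in K Post's config (a `~Template`, a `~~Rule`, a `zip:` scope, `|--ext` removal, `|:TYPE` exceptions such as `:MSOM`, longest user part wins with no inheritance) that returns the per-file "stripped"/"allowed" verdict the thread asks the analyzer to print. The config, the addresses and the decision order (listed extension strips; a detected content type strips unless excepted for that user; no match means nothing allowed; patterns are matched against the recipient only) are constructed assumptions about ASSP's behaviour, not its implementation.

```python
import re

# Constructed, cut-down UserAttach config in the thread's notation; the semantics coded below are an assumed reading, not ASSP's code.
USERATTACH = r"""~TmplStdBlockExts => exe\-bin|:HLMSOLE|bin|dll|exe|js|vbs|xlsm|docm
~~RuleStdBlocks => block ~TmplStdBlockExts
*@* => ~~RuleStdBlocks
zip:*@* => block => ~TmplStdBlockExts|--bin
macro-ok@example.org => block => ~TmplStdBlockExts|:MSOM
*alertbot@example.org* => good => .*"""

def compile_spec(spec):
    exts, excepts = [], set()   # '|--ext' drops an extension again, '|:TYPE' excepts a detected content type
    for tok in spec.split("|"):
        if tok.startswith("--"):
            exts = [e for e in exts if e != tok[2:]]
        elif tok.startswith(":"):
            excepts.add(tok[1:].upper())
        elif tok:
            exts.append(tok)
    return re.compile("^(?:%s)$" % "|".join(exts), re.I) if exts else None, excepts

def parse(cfg):
    templates, rules, entries = {}, {}, []
    for line in (ln.strip() for ln in cfg.splitlines() if ln.strip() and not ln.lstrip().startswith("#")):
        lhs, rhs = [p.strip() for p in line.split("=>", 1)]
        rhs = re.sub(r"(?<!~)~(\w+)", lambda m: templates[m.group(1)], rhs)   # expand ~Template references
        if lhs.startswith("~~"):              # rule definition: "~~Name => action spec"
            rules[lhs[2:]] = tuple(rhs.split(" ", 1))
        elif lhs.startswith("~"):             # template definition: "~Name => spec"
            templates[lhs[1:]] = rhs
        else:                                 # entry: "[zip:]user => action => spec" or "user => ~~Rule"
            action, spec = rules[rhs[2:]] if rhs.startswith("~~") else [p.strip() for p in rhs.split("=>", 1)]
            scope, pat = ("zip", lhs[4:]) if lhs.startswith("zip:") else ("mail", lhs)
            ext_re, excepts = compile_spec(spec)
            entries.append(dict(scope=scope, action=action, ext=ext_re, exc=excepts, weight=len(pat.replace("*", "")),
                                pat=re.compile("^" + re.escape(pat).replace(r"\*", ".*") + "$", re.I)))  # weight: longest literal user part wins
    return entries

def verdict(entries, rcpt, filename, detected=(), compressed=False):   # detected: content types found, e.g. ["MSOM"]
    scope = "zip" if compressed else "mail"
    hits = [e for e in entries if e["scope"] == scope and e["pat"].match(rcpt)]
    rule = max(hits, key=lambda e: e["weight"], default=None)   # no inheritance between entries
    if rule is None: return "stripped"    # assumption: no matching entry means nothing is allowed
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    listed = bool(rule["ext"] and rule["ext"].match(ext))
    if rule["action"] == "good":
        return "allowed" if listed else "stripped"
    # block rule: a listed extension, or detected executable content without a matching :TYPE exception, strips
    return "stripped" if listed or any(t.upper() not in rule["exc"] for t in detected) else "allowed"
```

`verdict(parse(USERATTACH), "staff@example.org", "WithMacro.xls", ["MSOM"])` gives "stripped" while the same file to `macro-ok@example.org` gives "allowed", which is the distinction the requested "FILE: ... would be stripped/allowed" line would make visible.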