Love the name! Great idea on the good EXE implementation. With office files, we're now going to put the hash of the vbaproject.bin files that we want to pass which will let us accept different excel files from them as long as the code is the same. This is a HUGE improvement! Thank you.
For PDF exceptions, your example seems to show the hash of the entire PDF. Is there a way to somehow hash only the JavaScript in a PDF, so that different PDF bodies with identical JavaScript will be passed through? (Some of our vendors, especially travel agencies, seem to send PDFs with what I assume is the same JavaScript embedded in different travel itineraries.)

I assume that if a compressed file (MS Office) has a vbaproject.bin file that passes but some other content in the file doesn't (maybe a malicious actor puts a good vbaproject.bin file in a zip together with an exe), this file will be stripped instead of being passed because of the single good match?

On Tue, Jan 15, 2019 at 9:46 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:

> Hi all,
>
> fixed in assp 2.6.4 *SPAM-Evaporator* build 19015:
>
> added:
>
> - ASSP_AFC 5.01 is released - it includes a new extension
>   'ASSP_AFCKnownGoodEXE', 'Well Known Good Executable Files'
>
>   'Put the SHA256_HEX hash of all well known good executables into this file (one per line). If the SHA256_HEX hash (not case sensitive) of an attachment or a part of a compressed attachment (e.g. exe, *.bin MS-Macro or OLE) is equal to a line in this file, the attachment passes the attachment check for all mails (regardless of its extension and the settings in UserAttach).
>   Comments are allowed after the hash and at the beginning of a line.
>   If configured, the analyzer and the maillog.txt will show the SHA256_HEX hash and the optional defined comment for all detected executables.
>   For security reasons, virus scanning is not skipped.
>   Notice: this feature is mainly created for executable files, but it will work for every attachment and every part of a compressed attachment.
>   For example - this can be useful if clients regularly send or receive documents or Excel sheets which contain every time the same MS-Macro/MS-OLE (e.g. executable).
>   In this case, decompress the doc[xm] and calculate the SHA256_HEX hash for the vbaProject.bin or the vbaProjectSignature.bin file and register the hash here.
>   examples:
>
>   # sales documents
>   a704ebf55efa5bb8079bb2ea1de54bfd5e9a0f7ed3a38867759b81bfc7b2cc9c # sales price_list.pdf - contains Java-Script
>   08d5518ef129ba1a992f5eb5c25e497cf886556710ffebe7cfb6aedf9d5727c9 # VBA Macro vbaProject.bin in sales info.docm
>
>   To show the SHA256_HEX value for a file at the command line, execute:
>   :>shasum -a 256 the_file_name
>
> changed:
>
> - the default value for 'DoNoFromSelect' is changed from 63 to 59
>   option 4 - multiple from: addresses or from: header tags found (potential 2x score if option 2 is also enabled) - caused too many false positives
>
> Thomas
>
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no known virus in this email!
> *******************************************************
>
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
_______________________________________________ Assp-test mailing list Assp-test@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/assp-test
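The quoted announcement describes the known-good list format (one SHA256_HEX per line, case-insensitive, '#' comments allowed after the hash or on their own line) and the workflow of decompressing a doc[xm] and hashing its vbaProject.bin or vbaProjectSignature.bin member. The following Python script is an added illustration of that workflow written for this thread; it is not ASSP's own code, and the function names, the minimal .docm-like zip it builds, and the "any matching part passes the attachment" rule it applies (taken from the announcement's wording) are this example's assumptions. It shows why two Office files with different bodies but the same macro stream register under one hash, which is the point the reply above is relying on.

```python
"""Known-good hash check for macro-bearing Office attachments (added example)."""
import hashlib
import io
import posixpath
import re
import zipfile

# Zip members of an OOXML document (.docm/.xlsm) that carry the macro code or
# its signature; the announcement says these are the parts to hash.
MACRO_MEMBERS = {"vbaproject.bin", "vbaprojectsignature.bin"}
_HEX64 = re.compile(r"^[0-9a-f]{64}$")


def parse_known_good(text):
    """Parse a list in the ASSP_AFCKnownGoodEXE format: one SHA256_HEX per
    line, case-insensitive, '#' comments after the hash or on their own line.
    Returns {hash_lowercase: comment}."""
    entries = {}
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        digest = line.strip().lower()
        if not digest:
            continue  # blank line or comment-only line
        if not _HEX64.match(digest):
            raise ValueError(f"not a SHA256_HEX value: {digest!r}")
        entries[digest] = comment.strip()
    return entries


def sha256_hex(data):
    """Equivalent of 'shasum -a 256' on the bytes."""
    return hashlib.sha256(data).hexdigest()


def hash_parts(attachment):
    """Return {part_name: sha256_hex} for an attachment: the whole blob plus,
    when it is a zip (OOXML documents are zips), every file member inside it."""
    parts = {"<whole attachment>": sha256_hex(attachment)}
    if zipfile.is_zipfile(io.BytesIO(attachment)):
        with zipfile.ZipFile(io.BytesIO(attachment)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                parts[info.filename] = sha256_hex(zf.read(info))
    return parts


def macro_hashes(attachment):
    """Only the vbaProject.bin / vbaProjectSignature.bin members, i.e. the
    values one would register in the known-good list."""
    return {name: digest for name, digest in hash_parts(attachment).items()
            if posixpath.basename(name).lower() in MACRO_MEMBERS}


def check_attachment(attachment, known_good):
    """Apply the rule as the announcement states it: if the hash of the
    attachment or of any part of it equals a registered hash, it passes.
    Returns (passes, [(part_name, hash, comment), ...]) so a log line can
    show which part matched and the comment registered for it."""
    matches = [(name, digest, known_good[digest])
               for name, digest in hash_parts(attachment).items()
               if digest in known_good]
    return bool(matches), matches


def build_docm(vba_project, body_xml):
    """Constructed minimal .docm-like zip for demonstration; not a real Word
    file, just enough structure to carry a word/vbaProject.bin member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", body_xml)
        zf.writestr("word/vbaProject.bin", vba_project)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: the same macro stream inside two different bodies.
    vba = b"constructed vbaProject.bin bytes"
    january = build_docm(vba, "<w:document>January itinerary</w:document>")
    february = build_docm(vba, "<w:document>February itinerary</w:document>")
    macro_hash = macro_hashes(january)["word/vbaProject.bin"]
    listing = f"# constructed entry\n{macro_hash.upper()} # VBA macro in itinerary docs\n"
    known = parse_known_good(listing)
    for name, doc in (("january", january), ("february", february)):
        passes, matches = check_attachment(doc, known)
        print(name, "whole-file", sha256_hex(doc)[:16], "passes:", passes, matches)
```

The whole-file hashes of the two constructed documents differ, while the vbaProject.bin member hashes are identical, so one list entry covers both. Because `check_attachment` reports every matching part, a log consumer can see which member triggered the pass; the separate question raised above, whether an archive containing a registered part next to an unrelated executable should still pass, is not settled by this script, which only mirrors the rule as the announcement words it.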