The attachment passes all attachment checks, if the sha256 hash is found (a 
single good match) - what is wrong in the description?

...
 the attachment passes the attachment check for all mails (regardless of its 
extension and the settings in UserAttach).
...

Deeply analyzing PDFs is not a great deal. But how would an admin know 
which JavaScript or StreamData are significant? Certificates and 
signatures are no problem.

A possible information from assp would look like:



Thomas



From:    "K Post" <nntp.p...@gmail.com>
To:      "ASSP development mailing list" <assp-test@lists.sourceforge.net>
Date:    16.01.2019 15:12
Subject: Re: [Assp-test] fixed in assp 2.6.4 *SPAM-Evaporator* build 19015



Love the name!

Great idea on the good EXE implementation. With office files, we're now 
going to put the hash of the vbaproject.bin files that we want to pass 
which will let us accept different Excel files from them as long as the 
code is the same.  This is a HUGE improvement!  Thank you.

For PDF exceptions, your example seems to show the hash of the entire 
PDF.  Is there a way to somehow hash only the javascript in a PDF so that 
different PDF bodies but with identical javascript will be passed 
through?  (Some of our vendors, especially travel agencies, seem to send 
PDFs with what I assume is the same javascript embedded in different 
travel itineraries.)

I assume that if a compressed file (MS office) has a vbaproject.bin file 
that passes but some other content in the file doesn't (maybe a malicious 
actor puts a good vbaproject.bin file in a zip and then an exe) that this 
file will be stripped instead of having it passed because of the single 
good match?





On Tue, Jan 15, 2019 at 9:46 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
Hi all, 

fixed in assp 2.6.4 *SPAM-Evaporator* build 19015: 

added: 

- ASSP_AFC 5.01 is released - it includes a new extension 

 'ASSP_AFCKnownGoodEXE','Well Known Good Executable Files' 

 'Put the SHA256_HEX hash of all well known good executables into this 
file (one per line). If the SHA256_HEX hash (not case sensitive) of an 
attachment or a part of a compressed attachment 
 (e.g. exe, *.bin MS-Macro or OLE) is equal to a line in this file, the 
attachment passes the attachment check for all mails (regardless of its 
extension and the settings in UserAttach). 
 Comments are allowed after the hash and at the beginning of a line. 
 If configured, the analyzer and the maillog.txt will show the SHA256_HEX 
hash and the optional defined comment for all detected executables. 
 For security reasons, virus scanning is not skipped. 
 Notice: this feature is mainly created for executable files, but it will 
work for every attachment and every part of a compressed attachment. 
 For example - this can be useful, if clients are regularly sending or 
receiving documents or excel sheets, which contain every time the same 
MS-Macro/MS-OLE (e.g. executable). 
 In this case, decompress the doc[xm] and calculate the SHA256_HEX hash 
for the vbaProject.bin or the vbaProjectSignature.bin file and register 
the hash here. 
 examples: 
  
 # sales documents 
 a704ebf55efa5bb8079bb2ea1de54bfd5e9a0f7ed3a38867759b81bfc7b2cc9c # sales 
price_list.pdf - contains Java-Script 
 08d5518ef129ba1a992f5eb5c25e497cf886556710ffebe7cfb6aedf9d5727c9 # VBA 
Macro vbaProject.bin in sales info.docm 
  
 To show the SHA256_HEX value for a file at the command line, execute 
:>shasum -a 256 the_file_name' 


changed: 

- the default value for 'DoNoFromSelect' is changed from 63 to 59 
  option 4 - multiple from: addresses or from: header tags found 
(potential 2x score if option 2 is also enabled) - caused too many false 
positives 


  
Thomas

DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 

individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no 
known virus in this email!
*******************************************************

_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
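
The procedure from the announcement (unpack the doc[xm], hash vbaProject.bin, compare against the known-good list), as an added example that is not ASSP's own code: it hashes the whole attachment and every zip member, so two documents with different bodies but the same macro match on the macro part while the other parts show as not listed. The helper names, the size cap and the sample document are constructed for illustration; it reports per part and does not reproduce ASSP's pass or strip decision.

```python
import hashlib, io, zipfile

MAX_MEMBER_BYTES = 32 * 1024 * 1024  # assumed cap: do not inflate oversized members

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def load_known_good(text):
    """Parse the list: one SHA256 hex hash per line (any case), '#' starts a comment."""
    known = {}
    for line in text.splitlines():
        entry, _, comment = line.partition("#")
        entry = entry.strip().lower()
        if len(entry) == 64 and all(c in "0123456789abcdef" for c in entry):
            known[entry] = comment.strip()
    return known

def hash_parts(data):
    """Map part name -> SHA256 hex for the attachment itself and each zip member."""
    parts = {"(whole file)": sha256_hex(data)}
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    small = info.file_size <= MAX_MEMBER_BYTES  # declared size
                    parts[info.filename] = sha256_hex(zf.read(info)) if small else None
    return parts

def report(data, known):
    """Return (part, hash, comment or None); None means the part is not listed."""
    return [(name, h, known.get(h)) for name, h in hash_parts(data).items()]

def make_docm(body, macro):
    """Build a constructed docm-like zip in memory (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", body)
        zf.writestr("word/vbaProject.bin", macro)
    return buf.getvalue()

MACRO = b"constructed macro bytes"  # stand-in for a real vbaProject.bin
KNOWN = load_known_good("# sales documents\n" + sha256_hex(MACRO).upper()
                        + "  # VBA macro in sales info.docm\n")

if __name__ == "__main__":
    for body in (b"January itinerary", b"February itinerary"):
        for part, digest, note in report(make_docm(body, MACRO), KNOWN):
            print(digest, part, "not listed" if note is None else f"known good: {note}")
```

A member whose declared size exceeds the cap is reported with no hash, so it shows up as unverified rather than being skipped silently.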