oh, and on the PDF front, if we know that a travel agency always has the
same javascript in a PDF that we've inspected and seemed to just be a
button click trigger or something that clears a form or whatever innocuous,
we'd manually add that to the exceptions.

Is your example of the parts of the PDF the way that ASSP currently sees
it, or is it just currently doing a hash of the whole thing?  If it's
already doing the different parts of the PDF, can you tell me how?  Maybe
we (I mean you) could have a perl script that would calculate this for a
provided file, showing which hash is for what content (displaying the
javascript that matches that hash) so we as administrators could tell
what's what?



On Fri, Jan 18, 2019 at 9:36 AM K Post <nntp.p...@gmail.com> wrote:

> My confusion is if a single match will allow a *compressed* file through
> even if *other files in that same compressed* file would have caused the
> compressed file to be blocked on their own before this functionality was
> added.   ASSP has always treated files within zip files differently, 2
> lines needed in UserAttach for non-compressed and compressed, etc.  I just
> don't think that the short description you have explains enough, and I'm
> worried that the functionality is ripe for abuse too.
>
> Nothing is wrong with your description, per se, except for the spelling
> error, but I would have written this a bit more descriptively, to
> clearly state that just one match will pass the whole file, even if it's
> compressed and has other bad content.  Something more like:
>
> If an excepted sha256 hash is found for an attached file, it will pass all
> attachment checks.  If a zip, MS Office, or otherwise compressed file is
> attached and any excepted sha256 hash is found on a file contained in that
> compressed attachment, the entire compressed attachment will be
> permitted regardless of the remaining content.
>
>
> What I hoped the functionality would have been is:
>
> If an excepted sha256 hash is found for an attached file, it will pass all
> attachment checks.  If a zip, MS Office, or otherwise compressed file is
> attached and an excepted sha256 hash is found on a file contained in that
> compressed attachment, *that portion of the compressed file will not
> trigger blocking/stripping, but the remainder of the compressed file will
> still be scanned.*
>
>
> My reasoning:
> Consider the scenario where a vendor always sends excel quotations to us
> with the same office macros in them.  Previously, I needed to have a
> UserAttach exception for the sending domain, which I hated.  That meant the
> vendor could send us ANY MS office macro files. Now I can find an example
> quotation, get the sha256 of the vbaproject.bin, and make the exception
> that way.  That's great so far, exactly why you built this excellent hash
> checking functionality.
>
> But what if that vendor is compromised internally or otherwise?  If
> someone takes one of those quotes, tosses it into a zip file along with a
> malicious EXE file that gives them remote access and tells our haphazardly
> clicking front office person to run the EXE in the body of the email?  Am I
> understanding correctly that because the sha256 of the vbaproject.bin file
> in the excel file passes that the outer zip file containing the excel file
> and the bad EXE will be passed too no matter what else is found in the
> attachments? (That's what I'm interpreting from your "The attachment
> passes all attachment checks, if the sha256 hash is found" language.)  If
> that's the case, I'd recommend instead having the detection of the sha256
> for the vbaproject.bin not trigger removal/block even though it is detected
> as an office macro that would otherwise be blocked, but still have the rest
> of the attachment scans continue.  If an EXE is found, strip the whole zip
> file, even though we have a hash match on another portion of the compressed
> file.  If only the sha256 matching vbaproject.bin is found and nothing else
> bad, let the attachment through even though a MS office macro is detected
> in that file.  See what I mean?
>
>
> On Thu, Jan 17, 2019 at 10:06 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>
>> The attachment passes all attachment checks, if the sha256 hash is
>> found (a single good match) - what is wrong in the description?
>>
>> ...
>>  the attachment passes the attachment check for all mails (regardless its
>> extension and the settings in UserAttach).
>> ...
>>
>> Deeply analyzing PDF's is not a great deal. But how would an admin know,
>> which JavaScript or StreamData are significant? Certificates and
>> signatures are no problem.
>>
>> Possible information from assp would look like:
>>
>>
>>
>> Thomas
>>
>>
>>
>> From:        "K Post" <nntp.p...@gmail.com>
>> To:        "ASSP development mailing list" <assp-test@lists.sourceforge.net>
>> Date:        16.01.2019 15:12
>> Subject:        Re: [Assp-test] fixed in assp 2.6.4 *SPAM-Evaporator* build 19015
>> ------------------------------
>>
>>
>>
>> Love the name!
>>
>> Great idea on the good EXE implementation. With office files, we're now
>> going to put the hash of the vbaproject.bin files that we want to pass
>> which will let us accept different excel files from them as long as the
>> code is the same.  This is a HUGE improvement!  Thank you.
>>
>> For PDF exceptions, your example seems to show the hash of the entire
>> PDF.  Is there a way to somehow hash only the javascript in a PDF so that
>> different PDF bodies but with identical javascript will be passed through?
>> (Some of our vendors, especially travel agencies, seem to send PDFs with
>> what I assume is the same javascript embedded in different travel
>> itineraries.)
>>
>> I assume that if a compressed file (MS office) has a vbaproject.bin file
>> that passes but some other content in the file doesn't (maybe a malicious
>> actor puts a good vbaproject.bin file in a zip and then an exe) that this
>> file will be stripped instead of having it passed because of the single
>> good match?
>>
>>
>>
>>
>>
>> On Tue, Jan 15, 2019 at 9:46 AM Thomas Eckardt <thomas.ecka...@thockar.com> wrote:
>> Hi all,
>>
>> fixed in assp 2.6.4 *SPAM-Evaporator* build 19015:
>>
>> added:
>>
>> - ASSP_AFC 5.01 is released - it includes a new extension
>>
>>  'ASSP_AFCKnownGoodEXE','Well Known Good Executable Files'
>>
>>  'Put the SHA256_HEX hash of all well known good executables into this
>> file (one per line). If the SHA256_HEX hash (not case sensitive) of an
>> attachment or a part of a compressed attachment
>>  (e.g. exe, *.bin MS-Macro or OLE) is equal to a line in this file, the
>> attachment passes the attachment check for all mails (regardless of its
>> extension and the settings in UserAttach).
>>  Comments are allowed after the hash and at the beginning of a line.
>>  If configured, the analyzer and the maillog.txt will show the SHA256_HEX
>> hash and the optionally defined comment for all detected executables.
>>  For security reasons, virus scanning is not skipped.
>>  Notice: this feature is mainly created for executable files, but it will
>> work for every attachment and every part of a compressed attachment.
>>  For example - this can be useful if clients regularly send or
>> receive documents or Excel sheets which contain the same
>> MS-Macro/MS-OLE (e.g. executable) every time.
>>  In this case, decompress the doc[xm] and calculate the SHA256_HEX hash
>> for the vbaProject.bin or the vbaProjectSignature.bin file and register the
>> hash here.
>>  examples:
>>
>>  # sales documents
>>  a704ebf55efa5bb8079bb2ea1de54bfd5e9a0f7ed3a38867759b81bfc7b2cc9c # sales price_list.pdf - contains Java-Script
>>  08d5518ef129ba1a992f5eb5c25e497cf886556710ffebe7cfb6aedf9d5727c9 # VBA Macro vbaProject.bin in sales info.docm
>>
>>  To show the SHA256_HEX value for a file at the command line, execute:
>> shasum -a 256 the_file_name'
>>
>>
>> changed:
>>
>> - the default value for 'DoNoFromSelect' is changed from 63 to 59
>>   option 4 - multiple from: addresses or from: header tags found
>> (potential 2x score if option 2 is also enabled) - caused too many false
>> positives
>>
>>
>>
>> Thomas
>>
>> DISCLAIMER:
>> *******************************************************
>> This email and any files transmitted with it may be confidential, legally
>> privileged and protected in law and are intended solely for the use of the
>> individual to whom it is addressed.
>> This email was scanned multiple times for viruses. There should be no
>> known virus in this email!
>> *******************************************************
>>
>> _______________________________________________
>> Assp-test mailing list
>> Assp-test@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/assp-test
>>
>
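Added example, not ASSP's own code and not a script from anyone in this thread: it hashes every part of a zip-based attachment (the per-part listing K Post asked for, emitted in the "hash # comment" line format of the release note) and then compares, on constructed sample files, the two exception semantics debated above: "one good match passes the whole attachment" versus "the match exempts only its own part". The UserAttach-style rule in `is_flagged`, the sample macro, the xlsm and the zip-with-EXE are all assumptions made up for the demo, and the two verdict functions model the two readings rather than what assp 2.6.4 actually does.

```python
import hashlib
import io
import zipfile

def part_hashes(data: bytes, prefix: str = "") -> dict:
    """Map each part of an attachment to its SHA256_HEX.  Zip-based files
    (docm/xlsm, plain zip) are opened recursively; anything else is one part."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return {prefix.rstrip("/") or "<whole file>": hashlib.sha256(data).hexdigest()}
    parts = {}
    with zf:
        for name in zf.namelist():
            if not name.endswith("/"):
                parts.update(part_hashes(zf.read(name), prefix + name + "/"))
    return parts

def known_good_line(part: str, digest: str) -> str:
    """One line in the 'hash # comment' format of the ASSP_AFCKnownGoodEXE file."""
    return f"{digest} # {part}"

def is_flagged(part: str) -> bool:
    """Stand-in for the UserAttach rules (assumed): EXEs and VBA projects."""
    return part.lower().endswith((".exe", "vbaproject.bin"))

def verdict_any_match(parts: dict, known_good: set) -> str:
    """Reading of the release note debated above: one good hash anywhere
    passes the whole attachment and the other parts are not checked."""
    if any(h in known_good for h in parts.values()):
        return "pass"
    return "block" if any(is_flagged(p) for p in parts) else "pass"

def verdict_per_part(parts: dict, known_good: set) -> str:
    """K Post's proposal: exempt only the matched part; the rest is still checked."""
    rest = [p for p, h in parts.items() if h not in known_good]
    return "block" if any(is_flagged(p) for p in rest) else "pass"

def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample data: a vendor macro, an xlsm carrying it, and the tampered zip from the thread.
MACRO = b'Attribute VB_Name = "Quote"\nSub Quote()\nEnd Sub\n'
QUOTE_XLSM = build_zip({"[Content_Types].xml": b"<Types/>", "xl/vbaProject.bin": MACRO})
TAMPERED_ZIP = build_zip({"quote.xlsm": QUOTE_XLSM, "invoice.exe": b"MZ\x90\x00 stub"})
KNOWN_GOOD = {hashlib.sha256(MACRO).hexdigest()}  # the hash the admin registers
```

Printing `known_good_line(p, h)` for each item of `part_hashes(TAMPERED_ZIP)` gives the per-part listing; the two verdict functions on the same parts return "pass" and "block" respectively, which is exactly the gap the thread worries about.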