ASSP start up errors

ASSP start up errors

James Moe-2
Hello,
  linux 4.4.70-18.9-default x86_64
  assp 2.5.5 (17073)
  perl 5.18.2

  Error messages noted when ASSP starts.
  Is there a recommended way to load ASSP_AFC? Or is this a PERL
configuration issue?

using Perl /usr/bin/perl version 5.018002 (5.18.2), all Perl features
for 5.18 are enabled
compiling code and check code integrity - please wait .....
checking config in /usr/local/bin/assp2/assp.cfg            [OK]
error: preload plugin ASSP_AFC failed in 'use' -
Bareword "Archive::Extract::TGZ" not allowed while "strict subs" in use
at /usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1877.
...[other similar errors]...
Bareword "ARCHIVE_OK" not allowed while "strict subs" in use at
/usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1950.
Bareword "ARCHIVE_WARN" not allowed while "strict subs" in use at
/usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1950.
Compilation failed in require at (eval 29) line 2.
BEGIN failed--compilation aborted at (eval 29) line 2.

the assp.pl code of version 2.5.5(17073) passed the integrity check
ASSP uses AsspSelfLoader 2.03 - check [OK]
...[ other OKs ]...

  Here is the result from "cpan Archive::Extract::TGZ":

Could not expand [Archive::Extract::TGZ]. Check the module name.
I can suggest names if you install one of Text::Levenshtein::XS,
Text::Levenshtein::Damerau::XS, Text::Levenshtein, and
Text::Levenshtein::Damerau::PP
Skipping Archive::Extract::TGZ because I couldn't find a matching namespace.


  cpan indicates that "Archive::Extract" is current.



--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test

Re: ASSP start up errors

Thomas Eckardt/eck
> Is there a recommended way to load ASSP_AFC? Or is this a PERL
> configuration issue?

seems your ASSP_AFC.pm is outdated.

Thomas





From: James Moe <[hidden email]>
To: ASSP development mailing list <[hidden email]>
Date: 29.06.2017 22:26
Subject: [Assp-test] ASSP start up errors




Hello,
 linux 4.4.70-18.9-default x86_64
 assp 2.5.5 (17073)
 perl 5.18.2

 Error messages noted when ASSP starts.
 Is there a recommended way to load ASSP_AFC? Or is this a PERL
configuration issue?

using Perl /usr/bin/perl version 5.018002 (5.18.2), all Perl features
for 5.18 are enabled
compiling code and check code integrity - please wait .....
checking config in /usr/local/bin/assp2/assp.cfg            [OK]
error: preload plugin ASSP_AFC failed in 'use' -
Bareword "Archive::Extract::TGZ" not allowed while "strict subs" in use
at /usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1877.
...[other similar errors]...
Bareword "ARCHIVE_OK" not allowed while "strict subs" in use at
/usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1950.
Bareword "ARCHIVE_WARN" not allowed while "strict subs" in use at
/usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1950.
Compilation failed in require at (eval 29) line 2.
BEGIN failed--compilation aborted at (eval 29) line 2.

the assp.pl code of version 2.5.5(17073) passed the integrity check
ASSP uses AsspSelfLoader 2.03 - check                                                   [OK]
...[ other OKs ]...

 Here is the result from "cpan Archive::Extract::TGZ":

Could not expand [Archive::Extract::TGZ]. Check the module name.
I can suggest names if you install one of Text::Levenshtein::XS,
Text::Levenshtein::Damerau::XS, Text::Levenshtein, and
Text::Levenshtein::Damerau::PP
Skipping Archive::Extract::TGZ because I couldn't find a matching namespace.


 cpan indicates that "Archive::Extract" is current.



--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.

DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known virus in this email!
*******************************************************



Re: ASSP start up errors

Colin
In reply to this post by James Moe-2
Have you made sure you have the latest ASSP_AFC? All required perl
modules installed and up to date?

It is easy to fall into the trap of only updating assp.pl and not
checking for any of the other many files that may have been updated!


On 29/06/2017 21:25, James Moe wrote:

> Hello,
>    linux 4.4.70-18.9-default x86_64
>    assp 2.5.5 (17073)
>    perl 5.18.2
>
>    Error messages noted when ASSP starts.
>    Is there a recommended way to load ASSP_AFC? Or is this a PERL
> configuration issue?
>
> using Perl /usr/bin/perl version 5.018002 (5.18.2), all Perl features
> for 5.18 are enabled
> compiling code and check code integrity - please wait .....
> checking config in /usr/local/bin/assp2/assp.cfg            [OK]
> error: preload plugin ASSP_AFC failed in 'use' -
> Bareword "Archive::Extract::TGZ" not allowed while "strict subs" in use
> at /usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1877.
> ...[other similar errors]...
> Bareword "ARCHIVE_OK" not allowed while "strict subs" in use at
> /usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1950.
> Bareword "ARCHIVE_WARN" not allowed while "strict subs" in use at
> /usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1950.
> Compilation failed in require at (eval 29) line 2.
> BEGIN failed--compilation aborted at (eval 29) line 2.
>
> the assp.pl code of version 2.5.5(17073) passed the integrity check
> ASSP uses AsspSelfLoader 2.03 - check [OK]
> ...[ other OKs ]...
>
>    Here is the result from "cpan Archive::Extract::TGZ":
>
> Could not expand [Archive::Extract::TGZ]. Check the module name.
> I can suggest names if you install one of Text::Levenshtein::XS,
> Text::Levenshtein::Damerau::XS, Text::Levenshtein, and
> Text::Levenshtein::Damerau::PP
> Skipping Archive::Extract::TGZ because I couldn't find a matching namespace.
>
>
>    cpan indicates that "Archive::Extract" is current.
>
>
>



Re: ASSP start up errors

James Moe-2
In reply to this post by Thomas Eckardt/eck
On 06/30/2017 11:03 PM, Thomas Eckardt wrote:
>> Is there a recommended way to load ASSP_AFC? Or is this a PERL
> configuration issue?
>
> seems your ASSP_AFC.pm is outdated.
>
  It is the version distributed with ASSP 2.5.5 (17030):
103060 Feb 28 09:33 ASSP_AFC.pm

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.


Re: ASSP start up errors

James Moe-2
In reply to this post by Colin
On 07/01/2017 01:51 AM, Colin wrote:
> Have you made sure you have the latest ASSP_AFC?
>
  It is the version distributed with 2.5.5 (17030):
103060 Feb 28 09:33 ASSP_AFC.pm

> All required perl
> modules installed and up to date?
>
  Yes.

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.


Re: ASSP start up errors

Thomas Eckardt/eck
In reply to this post by James Moe-2
use the latest ASSP_AFC.pm

version: 4.55
from: 07.06.2017

http://assp.cvs.sourceforge.net/viewvc/assp/assp2/Plugins/ASSP_AFC_V4_SMIME/

Thomas





From: James Moe <[hidden email]>
To: [hidden email]
Date: 01.07.2017 21:00
Subject: Re: [Assp-test] ASSP start up errors




On 06/30/2017 11:03 PM, Thomas Eckardt wrote:
>> Is there a recommended way to load ASSP_AFC? Or is this a PERL
> configuration issue?
>
> seems your ASSP_AFC.pm is outdated.
>
 It is the version distributed with ASSP 2.5.5 (17030):
103060 Feb 28 09:33 ASSP_AFC.pm

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.


Re: ASSP start up errors

James Moe-2
On 07/01/2017 10:04 PM, Thomas Eckardt wrote:
> use the latest ASSP_AFC.pm
>
> version: 4.55
> from: 07.06.2017
>
  Did that:
108896 Jun  7 15:38 ASSP_AFC.pm

  Same set of errors.

error: preload plugin ASSP_AFC failed in 'use' -
Bareword "Archive::Extract::TGZ" not allowed while "strict subs" in use
at /usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1980.
... etc ...

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.


Re: {DKIM Fail} ASSP start up errors

James Moe-2
In reply to this post by James Moe-2
On 06/29/2017 01:25 PM, James Moe wrote:
>
> checking config in /usr/local/bin/assp2/assp.cfg            [OK]
> error: preload plugin ASSP_AFC failed in 'use' -
> Bareword "Archive::Extract::TGZ" not allowed while "strict subs" in use
> at /usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1877.
>
  No one knows what these errors are about?

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.


Re: {DKIM Fail} ASSP start up errors

James Moe-2
In reply to this post by James Moe-2
On 06/29/2017 01:25 PM, James Moe wrote:
>
> error: preload plugin ASSP_AFC failed in 'use' -
> Bareword "Archive::Extract::TGZ" not allowed while "strict subs" in use
> at /usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1877.
> ...[other similar errors]...
>
  No one knows what these errors are, then.
  I'll treat them as "known good errors" and move on.

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.


Re: {DKIM Fail} ASSP start up errors

Thomas Eckardt/eck
>Bareword "Archive::Extract::TGZ"

I can prevent the error at startup - but this would lead to unexpected behavior at run time.

There must be something wrong with the Archive::Extract module installation.

Thomas





From: James Moe <[hidden email]>
To: [hidden email]
Date: 16.07.2017 20:27
Subject: Re: [Assp-test] {DKIM Fail}  ASSP start up errors




On 06/29/2017 01:25 PM, James Moe wrote:
>
> error: preload plugin ASSP_AFC failed in 'use' -
> Bareword "Archive::Extract::TGZ" not allowed while "strict subs" in use
> at /usr/local/bin/assp2/Plugins/ASSP_AFC.pm line 1877.
> ...[other similar errors]...
>
 No one knows what these errors are, then.
 I'll treat them as "known good errors" and move on.

--
James Moe
moe dot james at sohnen-moe dot com
520.743.3936
Think.


Attachment from "good" list blocked

Robert K Coffman Jr. -Info From Data Corp.
https://pastebin.com/NKPYnZsD


I have UserAttach set up for huntington.com (see bottom of the paste)
but their html attachments are still being blocked.  Why is that?

Thanks -

Bob




Re: Attachment from "good" list blocked

Robert K Coffman Jr. -Info From Data Corp.
Anyone?  I have a customer that is being negatively affected by this,
and I can't answer why this is so.

- Bob

On 7/18/2017 11:58 AM, Robert K Coffman Jr. -Info From Data Corp. wrote:

> https://pastebin.com/NKPYnZsD
>
>
> I have UserAttach set up for huntington.com (see bottom of the paste)
> but their html attachments are still being blocked.  Why is that?
>
> Thanks -
>
> Bob
>
>
>

Re: Attachment from "good" list blocked

GrayHat
In reply to this post by Robert K Coffman Jr. -Info From Data Corp.
:: On Tue, 18 Jul 2017 11:58:09 -0400
:: <[hidden email]>
:: "Robert K Coffman Jr. -Info From Data Corp."
<[hidden email]> wrote:

> https://pastebin.com/NKPYnZsD
>
>
> I have UserAttach set up for huntington.com (see bottom of the paste)
> but their html attachments are still being blocked.  Why is that?

Jul-18-17 09:58:09 m1-86288-10388 [Worker_1] [TLS-in] [Attachment]
170.128.35.52 <[hidden email]> to:
[hidden email] SPAM FOUND bad attachment
'securedoc_20170718T095806.html' cause: 'Java script - possibly locky
(ransomware) virus'

check out where you defined that "possibly locky..." message and you'll
find what's blocking the mail


Re: Attachment from "good" list blocked

Robert K Coffman Jr. -Info From Data Corp.
I didn't define it - it is hardcoded in ASSP_AFC (in my case, 4.55).
Part of setting up ASSP_AFC is configuring userattach, which was done
but it looks like in this case it isn't being respected.

- Bob

On 7/27/2017 11:39 AM, Grayhat wrote:

> :: On Tue, 18 Jul 2017 11:58:09 -0400
> :: <[hidden email]>
> :: "Robert K Coffman Jr. -Info From Data Corp."
> <[hidden email]> wrote:
>
>> https://pastebin.com/NKPYnZsD
>>
>>
>> I have UserAttach set up for huntington.com (see bottom of the paste)
>> but their html attachments are still being blocked.  Why is that?
>
> Jul-18-17 09:58:09 m1-86288-10388 [Worker_1] [TLS-in] [Attachment]
> 170.128.35.52 <[hidden email]> to:
> [hidden email] SPAM FOUND bad attachment
> 'securedoc_20170718T095806.html' cause: 'Java script - possibly locky
> (ransomware) virus'
>
> check out where you defined that "possibly locky..." message and you'll
> find what's blocking the mail
>

Re: Attachment from "good" list blocked

Robert K Coffman Jr. -Info From Data Corp.
The code in ASSP_AFC looks like it looks for the :CSC exception and runs
if it doesn't find it - maybe?

I added that exception to the userattach for the affected domain, but it
is still being blocked.  Anyone know if this syntax is right and if the
code is doing what I think it is?

*@huntington.com => good => txt|pdf|htm|html|png|jpg|gif|doc|docx ,
block =>
ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|:CSC|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]

The "locky" message is being logged for these blocks.  The attachments
are html and apparently contain some code that ASSP_AFC doesn't like.

- Bob

On 7/27/2017 1:36 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:

> I didn't define it - it is hardcoded in ASSP_AFC (in my case, 4.55).
> Part of setting up ASSP_AFC is configuring userattach, which was done
> but it looks like in this case it isn't being respected.
>
> - Bob
>
> On 7/27/2017 11:39 AM, Grayhat wrote:
>> :: On Tue, 18 Jul 2017 11:58:09 -0400
>> :: <[hidden email]>
>> :: "Robert K Coffman Jr. -Info From Data Corp."
>> <[hidden email]> wrote:
>>
>>> https://pastebin.com/NKPYnZsD
>>>
>>>
>>> I have UserAttach set up for huntington.com (see bottom of the paste)
>>> but their html attachments are still being blocked.  Why is that?
>>
>> Jul-18-17 09:58:09 m1-86288-10388 [Worker_1] [TLS-in] [Attachment]
>> 170.128.35.52 <[hidden email]> to:
>> [hidden email] SPAM FOUND bad attachment
>> 'securedoc_20170718T095806.html' cause: 'Java script - possibly locky
>> (ransomware) virus'
>>
>> check out where you defined that "possibly locky..." message and you'll
>> find what's blocking the mail
>>

Re: Attachment from "good" list blocked

Thomas Eckardt/eck
There is no "killswitch" for the locky virus detection.
The only way to detect these viruses is the check for: 'string.prototype.' and 'charAt' in JS code. Both statements should never be used in an email.

If you want those mails to be passed by ASSP_AFC, you need to switch off the 'exe-bin' detection completely for all or specific addresses/domains.

Thomas





From: "Robert K Coffman Jr. -Info From Data Corp." <[hidden email]>
To: [hidden email]
Date: 28.07.2017 16:23
Subject: Re: [Assp-test] Attachment from "good" list blocked




The code in ASSP_AFC looks like it looks for the :CSC exception and runs
if it doesn't find it - maybe?

I added that exception to the userattach for the affected domain, but it
is still being blocked.  Anyone know if this syntax is right and if the
code is doing what I think it is?

*@huntington.com => good => txt|pdf|htm|html|png|jpg|gif|doc|docx ,
block =>
ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|:CSC|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]

The "locky" message is being logged for these blocks.  The attachments
are html and apparently contain some code that ASSP_AFC doesn't like.

- Bob

On 7/27/2017 1:36 PM, Robert K Coffman Jr. -Info From Data Corp. wrote:
> I didn't define it - it is hardcoded in ASSP_AFC (in my case, 4.55).
> Part of setting up ASSP_AFC is configuring userattach, which was done
> but it looks like in this case it isn't being respected.
>
> - Bob
>
> On 7/27/2017 11:39 AM, Grayhat wrote:
>> :: On Tue, 18 Jul 2017 11:58:09 -0400
>> :: <[hidden email]>
>> :: "Robert K Coffman Jr. -Info From Data Corp."
>> <[hidden email]> wrote:
>>
>>>
https://pastebin.com/NKPYnZsD
>>>
>>>
>>> I have UserAttach set up for huntington.com (see bottom of the paste)
>>> but their html attachments are still being blocked.  Why is that?
>>
>> Jul-18-17 09:58:09 m1-86288-10388 [Worker_1] [TLS-in] [Attachment]
>> 170.128.35.52 <[hidden email]> to:
>> [hidden email] SPAM FOUND bad attachment
>> 'securedoc_20170718T095806.html' cause: 'Java script - possibly locky
>> (ransomware) virus'
>>
>> check out where you defined that "possibly locky..." message and you'll
>> find what's blocking the mail
>>

Re: Attachment from "good" list blocked

Robert K Coffman Jr. -Info From Data Corp.
I had this removed from "block" for these domains, but blocking was
still occurring.

I've added it to "good" and I'll see what happens.

- Bob

On 7/31/2017 4:49 AM, Thomas Eckardt wrote:
>   There is no "killswitch" for the locky virus detection.
> The only way to detect these viruses is the check for :
> 'string.prototype.' and 'charAt' in JS code. Both statements should be
> never used in an email.
>
> If you want those mails to be passed by ASSP_AFC, you need to switch off
> the 'exe-bin' detection completely for all or specific addresses/domains..
>



Re: Attachment from "good" list blocked

Thomas Eckardt/eck
>I've added it to "good" and I'll see what happens.

Nothing changes! There is no 'good' check for executable attachments and embedded executable JS code.

I released ASSP_AFC 4.56. It contains such a killswitch (general switch off). It is hidden AND IT IS NONSENSE to use it.

I was the last month involved in the recovery of 4.500 windows servers and 12.000 windows client systems, which were destroyed worldwide (150 locations) in less than 30 minutes and had to be recovered from backup or new installed from scratch.
NEVER EVER let such code pass your walls.

Thomas





From: "Robert K Coffman Jr. -Info From Data Corp." <[hidden email]>
To: [hidden email]
Date: 31.07.2017 16:53
Subject: Re: [Assp-test] Attachment from "good" list blocked




I had this removed from "block" for these domains, but blocking was
still occurring.

I've added it to "good" and I'll see what happens.

- Bob

On 7/31/2017 4:49 AM, Thomas Eckardt wrote:
>   There is no "killswitch" for the locky virus detection.
> The only way to detect these viruses is the check for :
> 'string.prototype.' and 'charAt' in JS code. Both statements should be
> never used in an email.
>
> If you want those mails to be passed by ASSP_AFC, you need to switch off
> the 'exe-bin' detection completely for all or specific addresses/domains..
>



Re: Attachment from "good" list blocked

Robert K Coffman Jr. -Info From Data Corp.
Thanks Thomas.

I agree with you.  I would remove the killswitch from future versions of
the plugin.

I audited the last month of logs, and I found 11 domains for which this
locky test was triggered.  All of them are financial companies like
banks and mortgage lenders.  I did not find any that appeared to
actually be malicious, although it is possible, but unlikely, that some
may have spoofed the domains in question.  I'd have to audit every
single email to be sure.  One is a major bank, the rest are regional or
even local.  They seem to be using a common (shared, not popular)
mechanism for sending secured emails that involves these html files with
embedded js.

My mail server is small (7700 emails/day) but it seems to me that I
should be seeing this test be triggered for email outside of the course
of normal business, but I am not.

I'm going to try to get samples of these attachments so we can see if
there is a way to fine tune this check.

- Bob



On 7/31/2017 11:09 AM, Thomas Eckardt wrote:
>  >I've added it to "good" and I'll see what happens.
>
> Nothing changes! There is no 'good' check for executable attachments and
> embedded executable JS code.
>
> I released ASSP_AFC 4.56. It contains such a killswitch (general switch
> off). It is hidden AND IT IS NONSENSE to use it.
>



Re: Attachment from "good" list blocked

Thomas Eckardt/eck
Follow the link.

https://isc.sans.edu/diary/Locky%3A+JavaScript+Deobfuscation/20749

What ASSP sees, and what is the same every time, is the first example. Even the first yellow statement can vary. The statements

string.prototype.

and

charAt

are the two that are used in all these virus variants.

Currently ASSP_AFC uses an 'OR' logic for both statements. This can be changed to an 'AND' logic, but I think this would not help, because both statements are most often used together.

Thomas







From:        "Robert K Coffman Jr. -Info From Data Corp." <[hidden email]>
To:        [hidden email]
Date:        01.08.2017 15:06
Subject:        Re: [Assp-test] Attachment from "good" list blocked




Thanks Thomas.

I agree with you.  I would remove the killswitch from future versions of
the plugin.

I audited the last month of logs, and I found 11 domains for which this
locky test was triggered.  All of them are financial companies like
banks and mortgage lenders.  I did not find any that appeared to
actually be malicious, although it is possible, but unlikely, that some
may have spoofed the domains in question.  I'd have to audit every
single email to be sure.  One is a major bank, the rest are regional or
even local.  They seem to be using a common (shared, not popular)
mechanism for sending secured emails that involves these html files with
embedded js.

My mail server is small (7700 emails/day) but it seems to me that I
should be seeing this test be triggered for email outside of the course
of normal business, but I am not.

I'm going to try to get samples of these attachments so we can see if
there is a way to fine tune this check.

- Bob



On 7/31/2017 11:09 AM, Thomas Eckardt wrote:
>  >I've added it to "good" and I'll see what happens.
>
> Nothing changes! There is no 'good' check for executable attachments and
> embedded executable JS code.
>
> I released ASSP_AFC 4.56. It contains such a killswitch (general switch
> off). It is hidden AND IT IS NONSENSE to use it.
>


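The check discussed in this thread, written out as an added example (this is not ASSP_AFC's code): it looks for the two statements inside `<script>` text of HTML attachments, in 'OR' or 'AND' mode, and tallies hits per sender domain the way a log audit would. Case-insensitive matching, scanning only `<script>` content, and all sample domains and attachments are assumptions constructed for the example.

```python
import re
from collections import Counter
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

# The two statements named in the thread; case-insensitive matching is an assumption.
TOKENS = [re.compile(r"string\.prototype\.", re.I), re.compile(r"charAt", re.I)]

class ScriptText(HTMLParser):  # collects text inside <script> elements only
    def __init__(self):
        super().__init__()
        self.in_script, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)

def flagged(html, mode="or"):  # "or": either statement is enough; "and": both needed
    parser = ScriptText()
    parser.feed(html)
    parser.close()  # flush script text left pending by an unterminated tag
    hits = [bool(rx.search("\n".join(parser.chunks))) for rx in TOKENS]
    return all(hits) if mode == "and" else any(hits)

def audit(messages, mode="or"):  # flagged HTML attachments per sender domain
    counts = Counter()
    for msg in messages:
        domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
        for part in msg.walk():
            is_html_file = part.get_content_type() == "text/html" and part.get_filename()
            if is_html_file and flagged(part.get_content(), mode):
                counts[domain] += 1
    return counts

def sample(sender, html):  # constructed test message with one HTML attachment
    msg = EmailMessage()
    msg["From"] = sender
    msg.add_attachment(html, subtype="html", filename="message.html")
    return msg

WRAPPER = ("<html><script>String.prototype.pad = function (n) { return ('00' + this)"
           ".slice(-n); }; var c = document.title.charAt(0);</script></html>")
ONE_TOKEN = "<html><script>var c = location.hash.charAt(1);</script></html>"
MAILS = [sample("Secure Mail <notify@bank.example>", WRAPPER),  # constructed senders
         sample("news@shop.example", ONE_TOKEN)]
```

On these samples, switching to 'AND' clears only the one-statement attachment; the wrapper that uses both statements together is flagged in either mode.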