Better Office File Handling Possible / Some excel xlsx files rejecting


Better Office File Handling Possible / Some excel xlsx files rejecting

K Post
I stumbled on this in the bounce report:
 [spam found] bad attachment 'thefile.xlsx' cause: 'compressed file 'thefile.xlsx' - contains forbidden file c:/assp/tmp/zip_3_1478548021/.10/xl/printerSettings/printerSettings1.bin' [FW Data]

Turns out there's a lot of them. A sample of one of the macro-free xlsx files is attached, hopefully for your review. If I send this file to myself from the outside, it's stripped.

I know that Excel's xlsx are compressed xml files. If I open the sample xlsx file in 7zip, I can see the zip structure. I don't know what Excel is doing, but there is a printerSettings1.bin file in there, I assume for printer settings, but this is causing AFC (I believe) to remove the zip.

In UserAttach I have:
# look in zips for these bad files too      
zip:* => block => exe\-bin|url|ade|adp|asx|bas|bat|dot|dotx|xlt|xlts|bin|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|htb|inf|ifs|isp|js|jse|lnk|mda|mdb|mde|mdz|mht|msc|msi|msp|mst|nch|pcd|pif|prf|ps1|reg|scf|scr|sct|shb|shs|vb|vbe|vbs|vba|wms|wsc|wsh|rar|dotm|docm|xlsm|pptm

Level 1 is
exe\-bin|url|ade|adp|asx|bas|bat|dot|dotx|xlt|xlts|bin|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|htb|inf|ifs|isp|js|jse|lnk|mda|mdb|mde|mdz|mht|msc|msi|msp|mst|nch|pcd|pif|prf|ps1|reg|scf|scr|sct|shb|shs|vb|vbe|vbs|vba|wms|wsc|wsh|rar|dotm|docm|xlsm|pptm

and Level 2 is (the same as level 1, but surrounded by () and ending in .zip to catch these types within a zip)
(exe\-bin|url|ade|adp|asx|bas|bat|dot|dotx|xlt|xlts|bin|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|htb|inf|ifs|isp|js|jse|lnk|mda|mdb|mde|mdz|mht|msc|msi|msp|mst|nch|pcd|pif|prf|ps1|reg|scf|scr|sct|shb|shs|vb|vbe|vbs|vba|wms|wsc|wsh|rar|dotm|docm|xlsm|pptm).zip


Obviously, the quick fix is to remove .bin from the UserAttach file, but that would allow zip files containing bin through...  Questions:

1) Is there a better way other than allowing bin files in zips?  It's not like Office documents are unusual files these days.  We have no choice but to deal with them.  Microsoft's decision to make them zip files containing other content could be a good one for us.  

2) Is my Level 2 line necessary with AFC installed or is it redundant?

3) Semi-related: based on the info above, any idea why dll files, including those within a zip, are allowed through?  Shouldn't the exe-bin line catch them and if not, the dll entries?

_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test
Re: Better Office File Handling Possible / Some excel xlsx files rejecting

Thomas Eckardt/eck
From the Windows point of view, '.bin' files are innocent. They are registered as 'NoOpen' in HKEY_CLASSES_ROOT by default. An AD-GPO may be used to force this setting or to unregister this extension class. They may be blocked as raw attachments, but not in zip files by extension.

.bin files may be a type of Mac executable - but this will be detected by 'exe-bin'.

If you need and want to detect the various .BIN file formats used in MS-Office or elsewhere
http://www.codeproject.com/Articles/15216/Office-bin-file-format
may be a good starting point.


Write regular expressions to detect the types and define them in 'assp/Plugins/file_type.txt'.

Good luck :):)

'exe-bin' will detect the majority of executable code by content, except: cmd, bat, com and obfuscated scripting code of any script language. Those attachments have to be blocked by their file name extension.

Thomas
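
An added illustration (not part of the thread and not ASSP's own code) of the difference discussed above: matching `.bin` by extension inside a zip flags the workbook's printerSettings1.bin, while a content check flags only real executables. The function names, sample bytes and magic-byte table are assumptions constructed for this example; this is a generic sketch, not the logic of 'exe-bin'.

```python
import io
import struct
import zipfile

# Leading magic bytes of common native executable formats (illustrative subset).
MAGICS = {
    b"\x7fELF": "elf",
    b"\xfe\xed\xfa\xce": "mach-o", b"\xfe\xed\xfa\xcf": "mach-o",
    b"\xce\xfa\xed\xfe": "mach-o", b"\xcf\xfa\xed\xfe": "mach-o",
}

def classify(data):
    """Return an executable type detected from content, or None."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points to the 'PE\0\0' signature.
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
    return MAGICS.get(data[:4])

def scan_zip(blob):
    """Map member name -> (blocked_by_bin_extension, content_verdict)."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            by_ext = info.filename.lower().endswith(".bin")
            with zf.open(info) as fh:
                head = fh.read(4096)  # bounded read: never inflate a whole member
            results[info.filename] = (by_ext, classify(head))
    return results

def make_zip(members):
    """Build an in-memory zip from {name: bytes} (test helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: a printer-settings style blob and a minimal PE header stub.
PRINTER_BIN = "HP LaserJet".encode("utf-16-le").ljust(64, b"\x00") + b"\x01\x04\x00\x06"
PE_STUB = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
XLSX = make_zip({
    "xl/workbook.xml": b"<workbook/>",
    "xl/printerSettings/printerSettings1.bin": PRINTER_BIN,
})
BAD_ZIP = make_zip({"invoice.bin": PE_STUB})
```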



From:        K Post <[hidden email]>
To:        ASSP development mailing list <[hidden email]>
Date:        08.11.2016 16:27
Subject:        [Assp-test] Better Office File Handling Possible / Some excel xlsx files rejecting



