Blocking encrypted and/or VBA embedded MS Office Docs

Blocking encrypted and/or VBA embedded MS Office Docs

K Post
With more and more and more attached files slipping through ClamAV's hands, and the majority of these being either encrypted MS Office documents or zero day-ish Word documents with VBA embedded, I'm wondering if ASSP_AFC could be modified to optionally reject/strip/score messages that are either:
1) Encrypted MS Office documents and/or
2) MS Office documents that contain VBA code.

Related, detect PDF files with Javascript or Flash embedded??

(and Thomas, if you're replying to this, could you also cc me directly so that I get the reply - gmail is rejecting your DKIM messages that pass through SourceForge without SRS)

THANKS


------------------------------------------------------------------------------
The Command Line: Reinvented for Modern Developers
Did the resurgence of CLI tooling catch you by surprise?
Reconnect with the command line and become more productive.
Learn the new .NET and ASP.NET CLI. Get your free copy!
http://sdm.link/telerik
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test
Re: Blocking encrypted and/or VBA embedded MS Office Docs

Thomas Eckardt/eck
Simply configure ASSP and ASSP_AFC to detect and block MS Office documents with macros.

Thomas





From: K Post <[hidden email]>
To: ASSP development mailing list <[hidden email]>
Date: 28.10.2016 04:20
Subject: [Assp-test] Blocking encrypted and/or VBA embedded MS Office Docs

DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known virus in this email!
*******************************************************


Re: Blocking encrypted and/or VBA embedded MS Office Docs

K Post
Missed that we already had AFC to block vba macros.  That is in fact working great.

However, the new tactic is to send encrypted word documents and put the password in the email.  Those aren't caught, which makes sense - AFC can't read the file to tell that there's a macro!  Can AFC be modified to block for encrypted office documents?


Re: Blocking encrypted and/or VBA embedded MS Office Docs

Thomas Eckardt/eck
>Can AFC be modified to block for encrypted office documents?

Macros are not encrypted (at least the statements checked by AFC) and will be detected.
If not - provide me a download of such a document.

Thomas





From: K Post <[hidden email]>
To: ASSP development mailing list <[hidden email]>
Date: 02.11.2016 02:51
Subject: Re: [Assp-test] Blocking encrypted and/or VBA embedded MS Office Docs

Re: Blocking encrypted and/or VBA embedded MS Office Docs

K Post
> ASSP_OCR only processes text attachments and PDF - no word documents.
>
> Thomas

Is there a way to scan the content of (unencrypted) office documents for bad content?  Seems like the spammers are heading this route.

> Macros are not encrypted (at least the statements checked by AFC) and will
> be detected.
> If not - provide me a download of such a document.

Attached, please find a Word 2016 document (xml format) that has a macro and is encrypted.  Word has me save it as a docm file.  If I attach it as docm it is blocked as expected.  But if I rename it as .doc the message comes through assp, macro and all.

Password to decrypt this document is "macro"

The ploy here which I see often now is a message saying that the attachment contains important info about a bill, an account, whatever. Then it says that the message is encrypted for security and to use password ______ to open it.  If the user falls for it, there's potential that they'll run the vba / macro too....


In testing, I also found that renamed docm with macro files, even if not encrypted seem to slip through.  Is the AFC plugin possibly not detecting docm files based on content and only looking at them by extension?

Thanks
Ken




Re: Blocking encrypted and/or VBA embedded MS Office Docs

Thomas Eckardt/eck
>even if not encrypted seem to slip through.

NO!

I don't want to explain this again and again and again.

ASSP_AFC uses a MIME-type based content detection.

Thomas





From: K Post <[hidden email]>
To: ASSP development mailing list <[hidden email]>
Date: 02.11.2016 17:28
Subject: Re: [Assp-test] Blocking encrypted and/or VBA embedded MS Office Docs

Re: Blocking encrypted and/or VBA embedded MS Office Docs

K Post
I'm sorry that you're getting frustrated again with me, but maybe I'm not being clear?  I know that AFC doesn't use the file extension to detect the mime type.  My point is that it's not the newer (2007 I think) word with macro format - docm.

My tests are showing that with exe-bin in Level 1 (which should detect and reject VBA macros in office files) docm files (m on the end, meaning it's a newer-format Word file with macros) slip through ASSP.   I had previously had docm under Level 1 too and found that renamed docm files came through.  After removing docm as a test, I found that you don't even need to rename them.

It's as if AFC isn't detecting macros in the newer Word formats.  If I have macros in .doc files (Word 2003 and earlier) they ARE detected, encrypted or not!

I know how much you despise Office products, so I attached a sample docm file for your reference.

And last, and only semi-related, can we get an option in AFC to also reject encrypted office documents (even without macros)?  I know macros will be caught even in encrypted word 2003 and older documents, but it seems like spammers are trying to slip through spam content and phishing attempts using encrypted Office docs now too...   I wish we could just block Office documents altogether, but that would all but put this charity out of business.


On Wed, Nov 2, 2016 at 4:48 PM, Thomas Eckardt <[hidden email]> wrote:
Re: Blocking encrypted and/or VBA embedded MS Office Docs

Thomas Eckardt/eck
There is no attachment!
Macros in .docm are detected.
Tested are all Office versions up to 2013 with ALL possible document formats.

All XML versions are compressed files - so the ZIP: entry has to be used.

Thomas





From: K Post <[hidden email]>
To: ASSP development mailing list <[hidden email]>
Date: 03.11.2016 20:36
Subject: Re: [Assp-test] Blocking encrypted and/or VBA embedded MS Office Docs

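Thomas's point that the XML formats are compressed (ZIP) files, and Ken's observation that a renamed or password-protected .docm looks different to the scanner, can be shown with a content-only check. The Python below is an added example, not ASSP or ASSP_AFC code: it ignores the file name, treats a PK-header file as an OOXML package and looks for a vbaProject.bin part, and treats an OLE2 compound file either as a legacy document (VBA storage names) or as the MS-OFFCRYPTO wrapper that Office puts around a password-protected OOXML file (EncryptionInfo/EncryptedPackage streams). The sample files it classifies are constructed inline, and names such as classify_office_blob and build_ole2_sample are mine, not ASSP's.

```python
"""Content-based triage of an Office attachment: container type, VBA part, encryption."""
import io
import struct
import zipfile

ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.docm/.xlsm ...) is a ZIP archive
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls, and password-protected OOXML
ENDOFCHAIN = 0xFFFFFFFE
MAXREGSECT = 0xFFFFFFFA

# Directory entry names that matter for this triage (MS-CFB stores them as UTF-16LE).
OLE_ENCRYPTED = {"EncryptionInfo", "EncryptedPackage"}        # MS-OFFCRYPTO wrapper streams
OLE_VBA = {"VBA", "_VBA_PROJECT", "_VBA_PROJECT_CUR", "Macros"}  # legacy-format VBA storages


def ole2_entry_names(data):
    """Walk the CFB directory chain and return every entry name, at any nesting level.
    Only the 109 DIFAT slots in the header are followed (enough for files of a few MB
    with 512-byte sectors); larger files would also need the DIFAT sector chain."""
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    fat = []
    for s in struct.unpack_from("<109I", data, 0x4C):
        if s > MAXREGSECT:                         # FREESECT marks an unused DIFAT slot
            break
        fat.extend(struct.unpack_from("<%dI" % (sector_size // 4), data, (s + 1) * sector_size))
    names = []
    sect = first_dir
    while sect <= MAXREGSECT and sect < len(fat):
        start = (sect + 1) * sector_size           # sector 0 begins right after the 512-byte header
        for off in range(start, start + sector_size, 128):
            entry = data[off:off + 128]
            if len(entry) < 128:
                break
            name_len = struct.unpack_from("<H", entry, 64)[0]   # bytes, including the NUL
            obj_type = entry[66]                                 # 1 storage, 2 stream, 5 root
            if obj_type in (1, 2, 5) and 2 <= name_len <= 64:
                names.append(entry[:name_len - 2].decode("utf-16-le", "replace"))
        sect = fat[sect]                           # next directory sector, or ENDOFCHAIN
    return names


def classify_office_blob(data):
    """Return {"container", "vba", "encrypted"} derived from the bytes only."""
    verdict = {"container": "other", "vba": False, "encrypted": False}
    if data.startswith(ZIP_MAGIC):
        verdict["container"] = "ooxml-zip"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                infos = zf.infolist()
        except zipfile.BadZipFile:
            verdict["container"] = "zip-unreadable"
            return verdict
        # The VBA project ships as a part named vbaProject.bin, whatever the extension says.
        verdict["vba"] = any(i.filename.lower().endswith("vbaproject.bin") for i in infos)
        verdict["encrypted"] = any(i.flag_bits & 0x1 for i in infos)   # ZIP entry encryption bit
    elif data.startswith(OLE2_MAGIC):
        verdict["container"] = "ole2-cfb"
        names = set(ole2_entry_names(data))
        verdict["encrypted"] = bool(names & OLE_ENCRYPTED)   # Office-encrypted OOXML wrapper
        verdict["vba"] = bool(names & OLE_VBA)
    return verdict


def build_docm_sample(with_vba=True):
    """Constructed sample: the skeleton of an OOXML package, optionally with a VBA part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def build_ole2_sample(entry_names):
    """Constructed sample: a three-sector CFB (header, FAT, directory) whose directory
    holds Root Entry plus up to three empty entries with the given names."""
    sz = 512
    header = bytearray(sz)
    header[0:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 0x1E, 9)        # sector shift 9 -> 512-byte sectors
    struct.pack_into("<I", header, 0x2C, 1)        # one FAT sector
    struct.pack_into("<I", header, 0x30, 1)        # directory chain starts at sector 1
    struct.pack_into("<109I", header, 0x4C, 0, *([0xFFFFFFFF] * 108))   # DIFAT[0] -> sector 0
    fat = bytearray(b"\xff\xff\xff\xff" * (sz // 4))
    struct.pack_into("<II", fat, 0, 0xFFFFFFFD, ENDOFCHAIN)   # sector 0 is FAT, sector 1 ends the chain
    directory = bytearray(sz)
    for idx, name in enumerate(["Root Entry"] + list(entry_names)[:3]):
        off = idx * 128
        raw = name.encode("utf-16-le") + b"\x00\x00"
        directory[off:off + len(raw)] = raw
        struct.pack_into("<H", directory, off + 64, len(raw))
        directory[off + 66] = 5 if idx == 0 else 2   # root entry, then streams
    return bytes(header + fat + directory)
```

For the password-protected .docm from the thread, the only signal available before decryption is the EncryptedPackage wrapper, which is why a "block encrypted Office documents" option is the remaining lever Ken asks for.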
Re: Blocking encrypted and/or VBA embedded MS Office Docs

K Post
I think you've found the problem with my setup then!!  Thank you for sticking with me.
> All XML versions are compressed files - so the ZIP: entry has to be used.

I knew that the newer office documents are XML and compressed, but I didn't know that ASSP wasn't detecting them without specifically being told to in UserAttach.  The GUI talks about blocking MS Office VBA with exe-bin, and I assumed that applied to all office documents, not just those from 2007 or older.    Am I understanding you correctly?

(I also assume that my docm file wasn't just rejected from your email server because you have docm in Level 1 or something?  -- that's how I was previously blocking these files, not with the mime detection, just straight file extension matching).

I'm also worried that despite having exe\-bin and DLL in level one, that if I send myself a standard windows dll file, it comes through.    I wonder if this could be something with the Windows perl libraries not working, me not understanding, or another misconfiguration.

Would you mind terribly posting what your zip: line that's applied to general users looks like from UserAttach or some more examples?  I'm thinking something like:
zip:*@* => block => [[ exactly what I currently have in Level 1 ]]
Does that make sense or am I off base?

Another question
We have one user who has to be able to send encrypted zip files out, we currently have this line in UserAttach:
[hidden email] => good-out => *|crypt\-zip

If I add the zip: line that blocks in and out my level 1/2 setting for *@*, how does that combine with the line for Lisa directly above?  I read that it uses OR logic, but how does "for everyone, block zips that contain any level 1 blocked file including exe content, block encrypted zips for all, OR allow any outbound zip including encrypted ones for Lisa only" actually work?   ASSP is being told to block zips with exe content OR allow exe zips for Lisa.  Block always wins right?  If that's the case, how could we block all this bad stuff, block encrypted zips, but allow them for Lisa only??


Thanks again.




On Thu, Nov 3, 2016 at 5:29 PM, Thomas Eckardt <[hidden email]> wrote:
Here is no attachment!
macros in.docm  are detected
 tested are all office versions up to 2013 with ALL possible document formats.

All XML versions are compressed files - so the ZIP: entry has to be used.

Thomas





Von:        K Post <[hidden email]>
An:        ASSP development mailing list <[hidden email]>
Datum:        03.11.2016 20:36
Betreff:        Re: [Assp-test] Blocking encrypted and/or VBA embedded MS Office        Docs




I'm sorry that you're getting frustrated again with me, but maybe I'm not being clear?  I know that AFC doesn't use the file extension to detect the mime type.  My point is that it's not the newer (2007 I think) word with macro format - docm.

My tests are showing that with exe-bin in Level 1 (which should detect and reject VBA macros in office files) that docm (m on the end, meaning its a newer format Word with macro file) slip through ASSP.   I had previously had docm under Level 1 too and found that renamed docm files came through.  After removing docm as a test, I found that you don't even need to rename them.

It's as if AFC isn't detecting macros in the newer Word formats.  If I have macros in .doc files (Word 2003 and earlier) they ARE detected, encrypted or not!

I know how much you despise Office products, so I attached a sample docm file for your reference.

And last, and only semi-related, can we get an option in AFC to also reject encrypted office documents (even without macros)?  I know macros will be caught even in encrypted word 2003 and older documents, but it seems like spammers are trying to slip through spam content and phishing attempts using encrypted Office docs now too...   I wish we could just block Office documents altogether, but that would all but put this charity out of business.


On Wed, Nov 2, 2016 at 4:48 PM, Thomas Eckardt <[hidden email]> wrote:
>even if not encrypted seem to slip through.

NO!


I don't want to explain this again and again and again.


ASSP_AFC uses a MIME-type based content detection.


Thomas





From: K Post <[hidden email]>
To: ASSP development mailing list <[hidden email]>
Date: 02.11.2016 17:28
Subject: Re: [Assp-test] Blocking encrypted and/or VBA embedded MS Office Docs





ASSP_OCR only processes text attachments and PDF - no word documents.

Thomas


Is there a way to scan the content of (unencrypted) office documents for bad content?  Seems like the spammers are heading this route.  

Macros are not encrypted (at least the statements checked by AFC) and will be detected.
If not - provide me a download of such a document.


Attached, please find a Word 2016 document (XML format) that has a macro and is encrypted.  Word has me save it as a docm file.  If I attach it as docm it is blocked as expected.  But if I rename it as .doc the message comes through ASSP, macro and all.

Password to decrypt this document is "macro"

The ploy here which I see often now is a message saying that the attachment contains important info about a bill, an account, whatever. Then it says that the message is encrypted for security and to use password ______ to open it.  If the user falls for it, there's potential that they'll run the vba / macro too....


In testing, I also found that renamed docm with macro files, even if not encrypted seem to slip through.  Is the AFC plugin possibly not detecting docm files based on content and only looking at them by extension?

Thanks
Ken




On Tue, Nov 1, 2016 at 9:37 PM, K Post <[hidden email]> wrote:
Missed that we already had AFC to block vba macros.  That is in fact working great.

However, the new tactic is to send encrypted word documents and put the password in the email.  Those aren't caught, which makes sense - AFC can't read the file to tell that there's a macro!  Can AFC be modified to block for encrypted office documents?


On Thu, Oct 27, 2016 at 10:19 PM, K Post <[hidden email]> wrote:
With more and more and more attached files slipping through ClamAV's hands, and the majority of these being either encrypted MS Office documents or zero day-ish Word documents with VBA embedded, I'm wondering if ASSP_AFC could be modified to optionally reject/strip/score messages that are either:
1) Encrypted MS Office documents and/or
2) MS Office documents that contain VBA code.

Related, detect PDF files with Javascript or Flash embedded??

(and Thomas, if you're replying to this, could you also cc me directly so that I get the reply - gmail is rejecting your DKIM messages that pass through SourceForge without SRS)

THANKS


------------------------------------------------------------------------------
Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.
http://sdm.link/xeonphi
_______________________________________________
Assp-test mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/assp-test




DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally privileged and protected in law and are intended solely for the use of the
individual to whom it is addressed.
This email was multiple times scanned for viruses. There should be no known virus in this email!
*******************************************************


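Since the thread hinges on recognising these attachments by content rather than by file extension (Thomas's point that AFC detection is MIME/content based and that the XML Office formats are ZIP containers, and Ken's observation that an encrypted package hides its macro), here is an added example of the same checks in Python. It is not ASSP or ASSP_AFC code and not from either poster. The sample attachments are constructed in memory; the OLE check is a simplified scan for UTF-16LE directory names rather than a full compound-file parse (a production filter would walk the directory with a library such as olefile); and the `allow_encrypted_zip` flag is an assumed stand-in for a per-sender exception like the good-out rule discussed above.

```python
"""Content-based triage of Office attachments: added example, not ASSP/ASSP_AFC code."""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary: legacy .doc/.xls/.ppt and encrypted OOXML
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm/...) and ordinary archives

# CFB directory entries store stream/storage names as UTF-16LE, so the names can be
# located in the raw bytes. This is a heuristic (assumption: no full CFB parsing here);
# a production filter would walk the directory with a library such as olefile.
OLE_ENCRYPTED_PACKAGE = "EncryptedPackage".encode("utf-16-le")  # password-protected OOXML wrapped in OLE
OLE_VBA_PROJECT = "_VBA_PROJECT".encode("utf-16-le")            # VBA storage in the legacy binary formats


def classify(data: bytes) -> dict:
    """Describe an attachment from its bytes only; the filename is deliberately never consulted."""
    result = {"container": "other", "ooxml": False, "vba": False, "encrypted": False}
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole"
        result["encrypted"] = OLE_ENCRYPTED_PACKAGE in data
        # An encrypted OOXML package keeps its vbaProject.bin inside the ciphertext,
        # which is why a macro check alone cannot catch it and encryption itself must be flagged.
        result["vba"] = OLE_VBA_PROJECT in data
    elif data.startswith(ZIP_MAGIC):
        result["container"] = "zip"
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return result
        names = zf.namelist()
        result["ooxml"] = "[Content_Types].xml" in names
        result["vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        # General-purpose flag bit 0 marks a ZipCrypto/AES-encrypted entry.
        result["encrypted"] = any(info.flag_bits & 0x1 for info in zf.infolist())
    return result


def verdict(data: bytes, allow_encrypted_zip: bool = False) -> str:
    """Map the classification to a decision; the flag models a per-sender exception (assumed)."""
    c = classify(data)
    if c["vba"]:
        return "block:vba"
    if c["container"] == "ole" and c["encrypted"]:
        return "block:encrypted-office"
    if c["container"] == "zip" and c["encrypted"] and not c["ooxml"]:
        return "allow" if allow_encrypted_zip else "block:crypt-zip"
    return "allow"


# ---- constructed sample attachments (not real documents) ----

def make_ooxml(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def make_encrypted_zip() -> bytes:
    # zipfile cannot write encrypted entries, so write a stored entry and set the
    # "encrypted" flag bit in both the local header (offset 6) and central directory (offset 8).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.exe", b"MZ\x90\x00")
    raw = bytearray(buf.getvalue())
    raw[raw.find(b"PK\x03\x04") + 6] |= 1
    raw[raw.find(b"PK\x01\x02") + 8] |= 1
    return bytes(raw)


def make_ole(stream_names: list) -> bytes:
    # Stand-in for a compound file: valid magic, a zero-padded header sector, then directory names.
    names = b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in stream_names)
    return OLE_MAGIC + b"\x00" * 504 + names


SAMPLES = {
    "report.docx": make_ooxml({"word/document.xml": "<w:document/>"}),
    "invoice.doc (a .docm renamed)": make_ooxml({"word/document.xml": "<w:document/>",
                                                 "word/vbaProject.bin": b"\xcc\x61VBA"}),
    "secure.docm (password-protected)": make_ole(["Root Entry", "EncryptionInfo", "EncryptedPackage"]),
    "old.doc (Word 2003 with macro)": make_ole(["Root Entry", "WordDocument", "Macros", "VBA", "_VBA_PROJECT"]),
    "outbound.zip (encrypted archive)": make_encrypted_zip(),
}


def triage(samples: dict = SAMPLES, allow_encrypted_zip: bool = False) -> dict:
    """Verdict per sample; the renamed .docm is still caught because only the bytes are inspected."""
    return {name: verdict(data, allow_encrypted_zip) for name, data in samples.items()}


if __name__ == "__main__":
    for name, v in triage().items():
        print(f"{name:36} -> {v}")
```

The two branches mirror the two cases in the thread: the ZIP branch covers the 2007+ XML formats (and plain archives), the OLE branch covers Word 2003 and older files and, because Office stores a password-protected OOXML package inside an OLE wrapper, the encrypted .docm as well.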

Re: Blocking encrypted and/or VBA embedded MS Office Docs

K Post
Circling back on this.  Please advise.

On Thu, Nov 3, 2016 at 8:50 PM, K Post <[hidden email]> wrote:
I think you've found the problem with my setup then!!  Thank you for sticking with me.
----All XML versions are compressed files - so the ZIP: entry has to be used. 
I knew that the newer Office documents are XML and compressed, but I didn't know that ASSP wasn't detecting them without specifically being told to in UserAttach.  The GUI talks about blocking MS Office VBA with exe-bin, and I assumed that applied to all Office documents, not just those from 2007 or older.    Am I understanding you correctly?

(I also assume that my docm file wasn't just rejected from your email server because you have docm in Level 1 or something?  -- that's how I was previously blocking these files, not with the mime detection, just straight file extension matching).

I'm also worried that despite having exe\-bin and DLL in level one, that if I send myself a standard windows dll file, it comes through.    I wonder if this could be something with the Windows perl libraries not working, me not understanding, or another misconfiguration.

Would you mind terribly posting what your zip: line that's applied to general users looks like from UserAttach or some more examples?  I'm thinking something like: