custom extension to ASSP_AFC


Thomas Eckardt/eck
Plugins/file_types.txt got an update on CVS - RTF file detection is added

ASSP_AFC.pm 4.39 is released on CVS

lib/CorrectASSPcfg.pm got an update on CVS

.........
# use this sub to expand the executable detection of the ASSP_AFC Plugin V 4.39 and higher
#
# INPUT:
# $self  - the ASSP_AFC OO object for the mail
# $skip  - the possible setting to skip some executable detections (:WIN,:MSOM,MAC)
# $buf64 - the reference to a string that contains the first 64 bytes of the attachment
# $full  - the reference to a string that contains the full attachment
#
# OUTPUT:
# $type - contains an executable description if detected, otherwise it must be undef
#
#sub AFC_Executable_Detection {
#    my ($self, $skip, $buf64, $full) = @_;
#    my $type;
#    ...
#    do your stuff here, and set $type to a value if an executable is
#    detected - otherwise leave $type at undef
#    for example:
#    $type = 'RTF file' if $skip !~ /:RTF/ && $$buf64 =~ /^\{\\rtf1\\/i;
#    ...
#    return $type;
#}
......

ASSP_AFC.pm 4.39 calls this sub if it is available (defined). If a type
is returned in $type by this sub, the configured action (block the mail or
replace the MIME part) will be used.
This function can be abused to detect any dangerous file by its content,
even if it is not a direct executable.

for example:

$type = 'MS Office encrypted or password protected document'
    if ($skip !~ /:ENCDOC/
        && $$buf64 =~ /^\xd0\xcf\x11\xe0/
        && $$full =~ /\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00P\x00a\x00c\x00k\x00a\x00g\x00e|\x00C\x00r\x00y\x00p\x00t\x00o\x00g\x00r\x00a\x00p\x00h\x00i\x00c/);

The regex on $$buf64 detects an MS-Office document; the latter searches for
UTF-16 encoded (EncryptedPackage|Cryptographic) in the complete document

EncryptedPackage - is used in MSO 2007 and newer versions
Cryptographic - is used in older versions of MS-Office

OpenOffice may use different tags!
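As an added example that is not part of the original post or of ASSP itself, the following stand-alone Perl script fills in the AFC_Executable_Detection hook template from the post with both the RTF check and the encrypted-Office-document check, then runs it over a few constructed attachments. The $self argument is stubbed with an empty hash (the hook is passed the plugin's object in ASSP, but these detectors never touch it), and the classify() helper is hypothetical: it only mimics the plugin handing over the first 64 bytes and the full attachment as string references.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Detector table: [ label, skip token, code ref ]. Each code ref receives the
# same ($buf64, $full) string references that ASSP_AFC passes to the hook.
my @detectors = (
    [ 'RTF file', ':RTF', sub {
        my ($buf64, $full) = @_;
        return $$buf64 =~ /^\{\\rtf1\\/i;
    } ],
    [ 'MS Office encrypted or password protected document', ':ENCDOC', sub {
        my ($buf64, $full) = @_;
        # OLE compound-document magic in the header, then the stream names
        # (UTF-16LE) anywhere in the full attachment, as in the post
        return $$buf64 =~ /^\xd0\xcf\x11\xe0/
            && $$full =~ /\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00P\x00a\x00c\x00k\x00a\x00g\x00e|\x00C\x00r\x00y\x00p\x00t\x00o\x00g\x00r\x00a\x00p\x00h\x00i\x00c/;
    } ],
);

# The hook with the signature described in the post: returns a description
# string when something is detected, otherwise undef.
sub AFC_Executable_Detection {
    my ($self, $skip, $buf64, $full) = @_;
    $skip = '' unless defined $skip;
    my $type;
    for my $d (@detectors) {
        my ($label, $token, $check) = @$d;
        next if index($skip, $token) >= 0;   # admin disabled this check via $skip
        if ($check->($buf64, $full)) {
            $type = $label;
            last;                             # first matching detector wins
        }
    }
    return $type;
}

# Hypothetical helper: mimic what the plugin does before calling the hook.
sub classify {
    my ($attachment, $skip) = @_;
    my $head = substr($attachment, 0, 64);
    return AFC_Executable_Detection({}, $skip, \$head, \$attachment);
}

# Constructed sample attachments (not real files). The encrypted sample puts
# a NUL in front of the UTF-16LE stream name because the post's pattern
# expects "\x00E\x00n..." rather than "E\x00n\x00...".
my $ole_header = "\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" . ("\x00" x 56);
my %samples = (
    rtf       => "{\\rtf1\\ansi\\deff0 Hello}",
    encrypted => $ole_header . "\x00" . join("\x00", split //, "EncryptedPackage") . "\x00",
    plainole  => $ole_header . "WordDocument",   # OLE magic but no encryption marker
    text      => "just some text",
);

for my $name (sort keys %samples) {
    my $type = classify($samples{$name}, '');
    printf "%-10s -> %s\n", $name, defined $type ? $type : 'undef (not blocked)';
}

# A skip token switches an individual check off, e.g. when RTF is allowed:
printf "rtf with :RTF skipped -> %s\n", classify($samples{rtf}, ':RTF') // 'undef';
```

Running it prints "RTF file" for the rtf sample, the encrypted-document label for the encrypted sample, and undef for the plain OLE file and the text file; the last line shows that the ":RTF" skip token turns the RTF detector off while leaving the others active. Because the hook is only consulted when it is defined, the table approach lets each added content check be listed and disabled individually without touching the plugin.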

Thomas




_______________________________________________
Assp-test mailing list
https://lists.sourceforge.net/lists/listinfo/assp-test