ASSP_OCR only processes text attachments and PDF - no Word documents.
Thomas
Is there a way to scan the content of (unencrypted) office documents for
bad content? Seems like the spammers are heading this route.
Macros are not encrypted (at least the statements checked by AFC) and will
be detected.
If not - provide me a download of such a document.
Attached, please find a Word 2016 document (xml format) that has a macro
and is encrypted. Word has me save it as a docm file. If I attach as docm
it is blocked as expected. But if I rename as .doc the message comes
through assp, macro and all.
Password to decrypt this document is "macro"
The ploy here which I see often now is a message saying that the attachment
contains important info about a bill, an account, whatever. Then it says
that the message is encrypted for security and to use password ______ to
open it. If the user falls for it, there's potential that they'll run the
vba / macro too....
In testing, I also found that renamed docm with macro files, even if not
encrypted seem to slip through. Is the AFC plugin possibly not detecting
docm files based on content and only looking at them by extension?
Thanks
Ken
On Tue, Nov 1, 2016 at 9:37 PM, K Post <[email protected]> wrote:
> Missed that we already had AFC to block vba macros. That is in fact
> working great.
>
> However, the new tactic is to send *encrypted* word documents and put the
> password in the email. Those aren't caught, which makes sense - AFC can't
> read the file to tell that there's a macro! Can AFC be modified to block
> for encrypted office documents?
>
>
> On Thu, Oct 27, 2016 at 10:19 PM, K Post <[email protected]> wrote:
>
>> With more and more and more attached files slipping through ClamAV's
>> hands, and the majority of these being either encrypted MS Office documents
>> or zero day-ish Word documents with VBA embedded, I'm wondering if ASSP_AFC
>> could be modified to optionally reject/strip/score messages that are either:
>> 1) Encrypted MS Office documents and/or
>> 2) MS Office documents that contain VBA code.
>>
>> Related, detect PDF files with Javascript or Flash embedded??
>>
>> (and Thomas, if you're replying to this, could you also cc me directly so
>> that I get the reply - gmail is rejecting your DKIM messages that pass
>> through SourceForge without SRS)
>>
>> THANKS
>>
>>
>
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test
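
The thread asks whether a renamed .docm can be recognised by content rather than extension, and whether an encrypted Office document can be flagged at all. The following Python is an added example, not ASSP or AFC code and not from any poster in this thread: it classifies an attachment from its bytes alone, reading the OLE2 directory for the `EncryptedPackage` stream that password-protected Word 2007+ files carry and checking ZIP-based files for `vbaProject.bin`. The function names and result labels are assumptions of this example, and password-protected legacy binary .doc files, which have no `EncryptedPackage` stream, are reported only as `ole`.

```python
# Added illustration, not ASSP/AFC code; function and label names are this example's own.
import io, struct, sys, zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE2 compound file signature
VBA_NAMES = {"Macros", "VBA", "_VBA_PROJECT", "_VBA_PROJECT_CUR"}

def ole_entry_names(data):
    """Directory entry names of an OLE2 file (header FAT list only, no DIFAT sectors)."""
    size = {9: 512, 12: 4096}[struct.unpack_from("<H", data, 30)[0]]   # sector size
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]
    fat = []
    for n in struct.unpack_from("<109I", data, 76):       # FAT sector numbers in header
        if n < 0xFFFFFFFA:                                 # skip free/special markers
            fat += struct.unpack("<%dI" % (size // 4), sector(n))
    names, seen = set(), set()
    sid = struct.unpack_from("<I", data, 48)[0]            # first directory sector
    while sid < len(fat) and sid not in seen:              # follow chain, guard loops
        seen.add(sid)
        chunk = sector(sid)
        for off in range(0, len(chunk) - 127, 128):        # 128-byte directory entries
            nlen = struct.unpack_from("<H", chunk, off + 64)[0]   # bytes incl. NUL
            if 2 <= nlen <= 64:
                names.add(chunk[off:off + nlen - 2].decode("utf-16-le", "replace"))
        sid = fat[sid]
    return names

def classify(data):
    """Classify attachment bytes by content; the file name is never consulted."""
    if data.startswith(OLE_MAGIC):
        try:
            names = ole_entry_names(data)
        except (struct.error, KeyError):
            return "ole-malformed"
        if "EncryptedPackage" in names:        # encrypted OOXML wrapped in OLE2
            return "encrypted-ooxml"
        return "ole-with-vba" if names & VBA_NAMES else "ole"
    if data.startswith(b"PK\x03\x04"):         # docx/docm/xlsm... are ZIP archives
        try:
            members = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip-malformed"
        if any(m.lower().endswith("vbaproject.bin") for m in members):
            return "ooxml-with-vba"
        return "ooxml" if "[Content_Types].xml" in members else "zip"
    return "other"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(classify(fh.read()), path)
```

Run it with one or more file paths as arguments; a .docm renamed to .doc still reports `ooxml-with-vba` because only the bytes are inspected.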