published ASSP_AFC 4.50

example results from the analyzer:

• URIBL check: 'OK'
• SuspiciousVirus: Sanesecurity.Malware.26947.PdfHeur.DocmJS.UNOFFICIAL 'UNOFFICIAL'
• attachment Invoice 07853327 05/17/2017.PDF is an executable 
• Not a Valid Format of HELO: '[42.113.108.55]'

the following additional exception switches are implemented:

 :PDF - Adobe PDF file with embedded executable code or Microsoft Office 
macro files, JavaScript and bad URIs (NOT recommended to be used, false 
positives are expected)
 :CERTPDF - certificate-signed Adobe PDF file
 :JSPDF - Adobe PDF file with JavaScript inside - notice: well-known 
malicious JavaScript combinations will be blocked, even if this option is 
defined
 :URIPDF - Adobe PDF file with URIs to download executables from the web or 
to open local files

Thomas
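The switches above and the detection list in the quoted 4.48 announcement further down (JavaScript, Office macros, exe/com payloads, URIs and launch actions) describe what the plugin looks for in a PDF. The following is an added Python example, not code from ASSP_AFC or from Thomas, that shows the same kind of heuristic check: it normalizes hex-escaped PDF names (so `/J#53` is seen as `/JS`), searches raw content and FlateDecode streams for the risky name objects, and sniffs decoded streams for executable and Office container magic. The sample PDFs, the category names and the verdict rules (including the assumption that "JavaScript plus an auto-run action" is one of the combinations blocked regardless of :JSPDF) are constructed for this demonstration and are not the plugin's own logic.

```python
"""Heuristic PDF risk scanner (added example; assumptions labelled inline).
Marker/magic scanning only, no full PDF object parse."""
import re
import zlib

_HEX_ESC = re.compile(rb'#([0-9A-Fa-f]{2})')           # /J#53 -> /JS
_STREAM = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.DOTALL)
_NAME_END = rb'(?=[\s()<>\[\]{}/%]|$)'                 # PDF name delimiter

# PDF name object -> finding category
NAME_MARKERS = {
    b'/JavaScript': 'javascript',
    b'/JS': 'javascript',
    b'/OpenAction': 'auto_action',   # runs when the document is opened
    b'/AA': 'auto_action',           # additional-actions dictionary
    b'/Launch': 'launch',            # launch an external application/file
    b'/EmbeddedFile': 'embedded_file',
    b'/URI': 'uri',
}
# (magic bytes, category, must be at stream start) checked in decoded streams
MAGIC_MARKERS = [
    (b'MZ', 'executable', True),                                  # PE/DOS exe
    (b'\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1', 'office_ole', True),    # legacy OLE doc
    (b'vbaProject.bin', 'office_macro', False),                   # OOXML macro part
]


def _normalize(data: bytes) -> bytes:
    """Undo #xx escapes so obfuscated names match the plain marker list."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def _decoded_streams(data: bytes):
    """Yield each stream body, inflated when it is FlateDecode, else raw."""
    for m in _STREAM.finditer(data):
        raw = m.group(1)
        try:
            yield zlib.decompress(raw)
        except zlib.error:
            yield raw


def classify(findings: set) -> str:
    """Map findings to a verdict; rules are this example's assumptions."""
    if findings & {'executable', 'office_ole', 'office_macro'}:
        return 'embedded_executable'        # never excepted per the list post
    if 'javascript' in findings and findings & {'auto_action', 'launch'}:
        return 'javascript_autorun'         # assumed "known bad combination"
    if 'javascript' in findings:
        return 'javascript'                 # what a :JSPDF-style exception covers
    if findings & {'uri', 'launch'}:
        return 'uri_or_launch'              # what a :URIPDF-style exception covers
    return 'clean'


def scan_pdf(data: bytes) -> dict:
    findings = set()
    if not data.startswith(b'%PDF'):
        return {'is_pdf': False, 'findings': findings, 'verdict': 'not_pdf'}
    views = [_normalize(data)] + [_normalize(s) for s in _decoded_streams(data)]
    for view in views:
        for name, cat in NAME_MARKERS.items():
            if re.search(re.escape(name) + _NAME_END, view):
                findings.add(cat)
    for stream in _decoded_streams(data):
        for magic, cat, at_start in MAGIC_MARKERS:
            if (stream.startswith(magic) if at_start else magic in stream):
                findings.add(cat)
    return {'is_pdf': True, 'findings': findings, 'verdict': classify(findings)}


def _pdf(objects: list) -> bytes:
    """Build a minimal (xref-less) PDF byte string for the constructed samples."""
    return b'%PDF-1.4\n' + b'\n'.join(objects) + b'\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n'


# Constructed samples (not real messages from the thread)
CLEAN = _pdf([b'1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj',
              b'2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj'])
JS_AUTORUN = _pdf([b'1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj',
                   b'3 0 obj << /S /J#61vaScript /J#53 (this.print()) >> endobj'])
_exe_stream = zlib.compress(b'MZ\x90\x00' + b'\x00' * 60)
EXE_EMBED = _pdf([b'1 0 obj << /Type /Catalog >> endobj',
                  b'4 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length '
                  + str(len(_exe_stream)).encode() + b' >>\nstream\n'
                  + _exe_stream + b'\nendstream\nendobj'])

if __name__ == '__main__':
    for label, sample in (('clean', CLEAN), ('js_autorun', JS_AUTORUN), ('exe', EXE_EMBED)):
        print(label, scan_pdf(sample))
```

The K Post test case from the thread (a button whose action runs JavaScript to print) would show up here as `javascript` without `auto_action`, which is exactly the class an exception switch like :JSPDF is meant to let through, while the same script wired to /OpenAction lands in the stricter verdict.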


From:    Thomas Eckardt <thomas.ecka...@thockar.com>
To:     ASSP development mailing list <assp-test@lists.sourceforge.net>
Date:  20.05.2017 07:17
Subject:        Re: [Assp-test] updated ASSP_AFC Plugin



ASSP_AFC 4.48 was too weak. 
ASSP_AFC 4.49 is possibly too strict, but very safe - it allows the 
':PDF' switch to be used. 

I'm just looking for a way to prevent false positives. 

Thomas





From:        K Post <nntp.p...@gmail.com> 
To:        ASSP development mailing list <assp-test@lists.sourceforge.net> 

Date:        19.05.2017 16:28 
Subject:        Re: [Assp-test] updated ASSP_AFC Plugin 



Here's a sample PDF with JavaScript that runs at startup (populates a 
field with the current date). 

On Fri, May 19, 2017 at 10:16 AM, K Post <nntp.p...@gmail.com> wrote: 
I tested with this new plugin installed and exe-bin blocking.  This plugin 
now blocks all PDFs that have JavaScript embedded, right?  That's not what 
I experienced. 

I created a simple PDF with a button.  That button's action was to run 
JavaScript to print the document.  I emailed it to myself from Gmail.  It 
was received, not blocked. 

Am I missing something? 

On Fri, May 19, 2017 at 9:48 AM, K Post <nntp.p...@gmail.com> wrote: 
Thanks for this!!! 

On Thu, May 18, 2017 at 10:22 AM, Thomas Eckardt <thomas.ecka...@thockar.com> wrote: 
Hi all, 

I've just published ASSP_AFC.pm version 4.48 at SF-CVS. 

This version contains an extension to detect embedded executable code in 
real PDF files, if 'exe-bin' files are not allowed in the assp 
configuration. 

Currently detected are: 

- JavaScript - most times this is required by the virus to open and run 
any other embedded code 
- MS Office macros 
- exe and com files 
- wsh files 

This extension is hard coded. There is no way to make an exception to 
(e.g.) :PDF - like for :ELF, :CSC, :MSOM ...... - because such files 
are always malicious! 

Currently it seems that another ransomware attack is starting in 
preparation for the weekend! Such real PDF files are being distributed by 
email! 
I don't think that there will be a stupid 'killswitch' in the new viruses 
to save the world. 

I just saw that ClamAV (sanesecurity signatures) detected most of them - 
they are all classified as UNOFFICIAL!!!! 

Thomas



DISCLAIMER:
*******************************************************
This email and any files transmitted with it may be confidential, legally 
privileged and protected in law and are intended solely for the use of the 
individual to whom it is addressed.
This email was scanned multiple times for viruses. There should be no 
known virus in this email!
*******************************************************


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Assp-test mailing list
Assp-test@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/assp-test
