> SPAM FOUND bad attachment 'testfile.html' cause: 'Java script - possibly locky (ransomware) virus'
If this is detected, there are statements in the JavaScript that should
not be used in an email.
string.prototype.
and/or
charAt
Both statements are the only two clearly readable statements in the
JavaScript versions of the JS ransomware viruses. The statements are used
to decrypt (reverse engineering) the rest of the JavaScript into
executable code.
I'm sorry, but I'm not willing to change this.
If you want, you can change the ASSP_AFC.pm.
v4.53 line 1541 (the line content is unchanged since 4.2x, it should be
easy to find in other versions)
from:
} elsif ($$raf =~ /\bstring\.prototype\.|\bcharAt\b/io) { # detect possibly lucky virus script
to:
} elsif ($sk !~ /:CSC/oi && $$raf =~ /\bstring\.prototype\.|\bcharAt\b/io) { # detect possibly lucky virus script
If the line is changed this way, the ':CSC' switch will exclude this
check. But be warned! The zero-day versions of this scripting virus are
hard to detect (even for professional AV solutions) because of their
variable encryption.
Thomas
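As an added example (not ASSP's own code), the `elsif` branch quoted above re-implemented in Python, so the shipped line and Thomas's proposed ':CSC' guard can be run side by side on constructed attachment content; the switch strings and the two HTML samples are constructed for the demo, and Perl's `/io` flags are mapped to `re.I`.

```python
import re
from typing import Optional

# Detection rule from the quoted ASSP_AFC.pm line (Perl /io -> Python re.I).
LOCKY_JS_RE = re.compile(r"\bstring\.prototype\.|\bcharAt\b", re.I)
CAUSE = "Java script - possibly locky (ransomware) virus"

# Constructed switch strings: a shortened list with and without ':CSC'.
SWITCHES_WITH_CSC = r"exe|exe\-bin|:CSC|hlp|ht[ab]|js|jse"
SWITCHES_NO_CSC = r"exe|exe\-bin|hlp|ht[ab]|js|jse"

# Constructed attachments: a harmless page, and one carrying an ordinary
# String.prototype polyfill, which is already enough to hit the rule.
PLAIN_HTML = "<html><body><p>Quarterly report attached.</p></body></html>"
POLYFILL_HTML = """<html><script>
if (!String.prototype.trim) {
  String.prototype.trim = function () { return this.replace(/^\\s+|\\s+$/g, ""); };
}
</script></html>"""


def js_check(content: str, switches: str, patched: bool) -> Optional[str]:
    """Model of the 'elsif' branch: returns the block cause or None.

    patched=False is the shipped line ($$raf =~ /.../io): the content is
    scanned no matter which switches are set.  patched=True adds Thomas's
    '$sk !~ /:CSC/oi' guard, so ':CSC' in the switch string skips the scan.
    """
    if patched and re.search(r":CSC", switches, re.I):
        return None
    return CAUSE if LOCKY_JS_RE.search(content) else None


def compare(content: str, switches: str) -> dict:
    """Run the same attachment through both versions of the line."""
    return {"shipped": js_check(content, switches, patched=False),
            "patched": js_check(content, switches, patched=True)}


if __name__ == "__main__":
    for name, html in (("plain", PLAIN_HTML), ("polyfill", POLYFILL_HTML)):
        print(name, "with :CSC ->", compare(html, SWITCHES_WITH_CSC))
        print(name, "without :CSC ->", compare(html, SWITCHES_NO_CSC))
```

Note that only the patched version lets the polyfill through, and only when ':CSC' is set; without the switch both versions still block it, as Thomas's warning about the rule's breadth implies.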
From: "Robert K Coffman Jr. -Info From Data Corp."
<bcoff...@infofromdata.com>
To: assp-test@lists.sourceforge.net
Date: 24.05.2017 15:17
Subject: Re: [Assp-test] ASSP_AFC error - URI in PDF
On 5/24/2017 8:47 AM, Thomas Eckardt wrote:
> .....exe|exe\-bin|:CSC|hlp|ht[ab]|in[fs]|isp.....
I tried many permutations, including that one.
Current:
ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|:CSC|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]
May-24-17 08:53:52 m1-30432-00361 [Worker_1] [TLS-in] 192.168.0.129
<ch...@infofromdata.com> info: found message size announcement: 9.38 MByte
May-24-17 08:53:52 m1-30432-00361 [Worker_1] [TLS-in] 192.168.0.129
<ch...@infofromdata.com> message proxied without processing - message
size (9838045) is above 500000 (npSizeOut).
May-24-17 08:53:52 m1-30432-00361 [Worker_1] [TLS-in] [NoProcessing]
192.168.0.129 <ch...@infofromdata.com> to: bcoff...@infofromdata.com
message proxied without processing (except checks enabled for
noprocessing mails)
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] 192.168.0.129
<ch...@infofromdata.com> to: bcoff...@infofromdata.com [Plugin] calling
plugin ASSP_AFC
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] 192.168.0.129
<ch...@infofromdata.com> to: bcoff...@infofromdata.com info: using user
based attachment check
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment]
192.168.0.129 <ch...@infofromdata.com> to: bcoff...@infofromdata.com
SPAM FOUND bad attachment 'testfile.html' cause: 'Java script - possibly
locky (ransomware) virus'
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment]
192.168.0.129 <ch...@infofromdata.com> to: bcoff...@infofromdata.com
SPAM FOUND replaced bad attachment 'testfile.html' cause: 'Java script -
possibly locky (ransomware) virus' with 'testfile.txt'
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment]
192.168.0.129 <ch...@infofromdata.com> to: bcoff...@infofromdata.com
info: 1 attachment found for Level-1
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment]
192.168.0.129 <ch...@infofromdata.com> to: bcoff...@infofromdata.com
message proxied without processing (bad attachment 'testfile.html'
cause: 'Java script - possibly locky (ransomware) virus')
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment]
192.168.0.129 <ch...@infofromdata.com> to: bcoff...@infofromdata.com
file path changed to -> /usr/share/assp/discarded/361--2789192.eml
May-24-17 08:54:49 m1-30432-00361 [Worker_1] [TLS-in] [Attachment]
192.168.0.129 <ch...@infofromdata.com> to: bcoff...@infofromdata.com
[spam found] bad attachment 'testfile.html' cause: 'Java script -
possibly locky (ransomware) virus' [test 6] ->
/usr/share/assp/discarded/361--2789192.eml
Thanks for any help with this.
- Bob
On 5/24/2017 8:47 AM, Thomas Eckardt wrote:
> see the ':CSC' behind 'exe\-bin'
>
> Thomas
>
>
> From: "Robert K Coffman Jr. -Info From Data Corp."
> <bcoff...@infofromdata.com>
> To: assp-test@lists.sourceforge.net
> Date: 24.05.2017 14:42
> Subject: Re: [Assp-test] ASSP_AFC error - URI in PDF
> ------------------------------------------------------------------------
>
>
>
> Thanks Thomas,
>
> I've added that to the default line and these are still blocked.
> Perhaps I'm not modifying the default (which is what I'm using) correctly.
>
>
> ad[ep]|asx|ba[st]|chm|cmd|com|cpl|crt|dbx|exe|exe\-bin|hlp|ht[ab]|in[fs]|isp|js|jse|lnk|md[abez]|mht|ms[cipt]|nch|pcd|pif|prf|ps1?|reg|sc[frt]|sh[bs]|vb|vb[es]|wms|ws[cfh]|':CSC'
>
> -> 'exe-bin|:CSC'
>
> Can anyone help?
>
> - Bob
>
> On 5/24/2017 1:16 AM, Thomas Eckardt wrote:
> > You've defined the 'exe-bin' protection switch. To allow JavaScript (and
> > any other scripting language) in emails add '|:CSC' -> 'exe-bin|:CSC'.
> >
>
>
>
------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Assp-test mailing list
> Assp-test@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/assp-test
> DISCLAIMER:
> *******************************************************
> This email and any files transmitted with it may be confidential,
> legally privileged and protected in law and are intended solely for the
> use of the
> individual to whom it is addressed.
> This email was multiple times scanned for viruses. There should be no
> known virus in this email!
> *******************************************************