> Executables should be blocked in order to minimize the attack surface
> but most of the droppers are embedded in office documents or pdf files.
> They rely on features of these file formats that are quite rarely
> used in legit documents: process execution, filesystem access,
> internet access, embedded ole objects.
> in documents with active content that performs the operations I described
> earlier, the active part is removed and a harmless document is delivered
> (pdf without javascript, for example).

Do you know an open-source command-line tool for Unix/Linux (besides SpamAssassin and ClamAV - they eat too much RAM for my small VPS) able to detect JavaScript in a .pdf file? Or maybe `grep` is enough?

What I use in Exim:

    # port archivers/p7zip in case of FreeBSD
    P7ZIP = /usr/local/bin/7z
    GREP = /usr/bin/grep
    SHELL = /bin/sh
    BINFORBIDDEN = Windows-executable attachments forbidden
    WINBIN = exe|com|js|pif|scr|bat|jse|cpl|vbe|vbs|ace
    # more cautious: exe|com|js|pif|scr|bat|flv|reg|btm|chm|cmd|cpl|dat|dll|hta|jse|jsp|lnk|msi|prf|sys|vb|vbe|vbs|ace
    # Perhaps "jar" should be added.
    # WinRAR can uncompress .ace, so trojans are sometimes compressed .ace
    COMPREXT = zip|rar|7z|arj|bz2|gz|uue|xz|z

    check_rfc2047_length = false
    acl_smtp_mime = acl_check_mime

    begin acl

    acl_check_mime:

      deny message = BINFORBIDDEN
           log_message = forbidden attachment: filename=$mime_filename, \
                         content-type=$mime_content_type, recipients=$recipients
           condition = ${if or{\
                         {match{$mime_content_type}\
                               {(?i)executable|application/x-ace-compressed}}\
                         {match{$mime_filename}{\N(?i)\.(WINBIN)(\.(COMPREXT))*$\N}}\
                       }}

      deny message = Compressed BINFORBIDDEN
           condition = ${if or{\
                         {match{$mime_content_type}{(?i)application/\
                               (octet-stream|x(-zip)?-compressed|zip)}}\
                         {match{$mime_filename}{\N(?i)\.(COMPREXT)$\N}}\
                       }}
           condition = ${if <{$message_size}{1500K}}
           decode = default
           log_message = forbidden binary in attachment: filename=$mime_filename, \
                         recipients=$recipients
           condition = ${if match{${run{P7ZIP l -y $mime_decoded_filename}}}\
                         {\N(?i)\n[12].+\.(COMPREXT|WINBIN)\n\N}}

      deny message = Windows-executable inside an Office file attachment
           condition = ${if or{\
                         {match{$mime_content_type}{(?i)openxmlformats-officedocument}}\
                         {match{$mime_filename}{\N(?i)\.(doc|xls|ppt)(x|m)$\N}}\
                       }}
           decode = default
           log_message = forbidden binary in Office file attachment: \
                         filename=$mime_filename, recipients=$recipients
           set acl_m_ud = ${sg{$mime_decoded_filename}{[^/]+\$}{}}
           condition = ${run{SHELL -c \
                         "cd $acl_m_ud; \
                          P7ZIP x -y $mime_decoded_filename; \
                          GREP -r -a -s -E \
                            'rundll32|This program cannot be run in DOS mode|\
                             This program must be run under|Embedded Object|\
                             WScript\\.Sh|Shell\\.Application|Location: file:' \
                            $acl_m_ud" >/dev/null}{1}{0}}

      accept

_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
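As an added example (not part of the original post or the poster's setup), a small Python scanner for the "is grep enough?" question: it resolves #xx hex escapes in PDF names and inflates FlateDecode streams, so a /JavaScript or /OpenAction that lives inside a compressed object stream, or is spelled /J#61vaScript, is still found where a plain grep over the file reports nothing. The two sample PDFs are constructed inline and the script name pdf_active.py is an assumption.

```python
import re
import sys
import zlib

# PDF name objects that mark active content (actions, scripts, embedded files).
ACTIVE_NAMES = {b"JavaScript", b"JS", b"OpenAction", b"AA", b"Launch", b"EmbeddedFile", b"RichMedia"}

def normalize_name(raw: bytes) -> bytes:
    """Resolve #xx hex escapes in a PDF name, e.g. J#61vaScript -> JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), raw)

def inflate_streams(data: bytes) -> bytes:
    """Inflate every FlateDecode stream body; object streams (/ObjStm) hide whole dictionaries there."""
    out = []
    for m in re.finditer(rb"\bstream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:  # decompressobj tolerates a truncated stream and returns what it could inflate
            out.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-encoded (an image, say): nothing to scan
    return b"\n".join(out)

def find_active_content(pdf: bytes) -> set:
    """Return the active-content names found in the raw bytes and in the inflated streams."""
    found = set()
    for blob in (pdf, inflate_streams(pdf)):
        for m in re.finditer(rb"/([^\s/\[\]<>(){}%]+)", blob):
            name = normalize_name(m.group(1))
            if name in ACTIVE_NAMES:
                found.add(name.decode())
    return found

def _objstm(objects: bytes) -> bytes:
    """Wrap objects in a Flate-compressed object stream (fixture helper for the samples below)."""
    body = zlib.compress(objects)
    return (b"5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(body)
            + body + b"\nendstream\nendobj\n")

# Constructed samples: a clean file, and one whose /OpenAction and hex-escaped /J#61vaScript action
# exist only inside a compressed object stream, so `grep -a JavaScript` on the file finds nothing.
CLEAN_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
EVIL_PDF = (b"%PDF-1.5\n"
            + _objstm(b"<< /Type /Catalog /OpenAction 4 0 R >>\n<< /S /J#61vaScript /JS (placeholder) >>")
            + b"%%EOF\n")

if __name__ == "__main__":
    # pdf_active.py FILE -> prints the hits, exit status 1 if any (usable from Exim's ${run{...}})
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else EVIL_PDF
    hits = find_active_content(data)
    print(sorted(hits))
    sys.exit(1 if hits else 0)
```

The non-zero exit status on a hit is what an Exim `${run{...}{1}{0}}` condition like the ones above keys on; streams with filters other than Flate (LZW, ASCIIHex) are left unscanned by this example.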