On Tue, 6 Sep 2016, Dianne Skoll wrote:
> On Tue, 6 Sep 2016 17:50:25 -0400
> Alex <mysqlstud...@gmail.com> wrote:
>> [snip]
>> Workbook_Open
>> Document_Open
>> Auto_Open
>> AutoOpen
>> Is there a simple way to identify whether the attachment/macro
>> contains those listed functions, without the ability to use
>> mimedefang?
> Not that I know of, though you could write a SpamAssassin plugin, I suppose.
> Our algorithm simply searches for those strings in an Office document if
> macros were detected. The newer docx, xlsx, etc. variants are simply
> zip files in disguise, so we pipe those through "unzip -p".
> While a document could contain macros, and contain one of those strings
> just by coincidence, we judged the margin of error to be good enough for
> our purposes.
> All in all, it's fiddly, tedious, and requires a fair bit of Perl programming.
> It's also quite resource-intensive, so make sure you have the CPU horsepower.
There's already a set of "Sanesecurity" 3rd-party signatures designed to detect
bad stuff in M$ document files (Excel/Word macros, etc.) (called
'badmacro.ndb').
I would assume this set of patterns could be incorporated into those sigs (but I
don't have enough experience doing this kind of thing to know for sure.)
It's pretty straightforward to connect a ClamAV scanning instance to SA using
the ClamAV plugin. I run two ClamAV instances, one with just the official sigs
as an MTA blocking milter and the second with all kinds of 3rd-party sigs as a
spam-scoring engine for SA.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
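The string-search approach Dianne describes above (look for the auto-exec hook names only once a macro container is found, treating OOXML as a zip), written out as an added Python example; this is not code from MIMEDefang or from anyone in the thread. It assumes the usual container layouts (a vbaProject.bin member inside the zip, and the UTF-16LE "_VBA_PROJECT" stream name inside legacy compound files) and builds its own constructed sample input.

```python
import io
import re
import zipfile

# Auto-execution procedure names from the thread, matched case-insensitively.
AUTO_EXEC = re.compile(rb"Workbook_Open|Document_Open|Auto_Open|AutoOpen", re.IGNORECASE)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls compound-file header
# Compound-file directory names are UTF-16LE; "_VBA_PROJECT" is the VBA project stream.
OLE_VBA_MARK = "_VBA_PROJECT".encode("utf-16-le")
MAX_INFLATE = 16 * 1024 * 1024  # refuse to inflate oversized zip members (zip-bomb guard)

def auto_exec_names(data: bytes) -> list:
    """Distinct auto-exec names found as plain strings in data, sorted."""
    return sorted({m.group(0).decode("ascii") for m in AUTO_EXEC.finditer(data)})

def scan_document(blob: bytes) -> dict:
    """String heuristic in the spirit of the thread: look for the hook names only once
    a macro container is present. VBA source in vbaProject.bin is MS-OVBA compressed,
    so a name split across compression tokens can be missed (the accepted margin)."""
    result = {"container": None, "has_macro": False, "auto_exec": []}
    if zipfile.is_zipfile(io.BytesIO(blob)):
        # docm/xlsm and friends are zips; macros live in a vbaProject.bin member.
        result["container"] = "ooxml"
        found = set()
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if not info.filename.lower().endswith("vbaproject.bin"):
                    continue
                result["has_macro"] = True
                if info.file_size > MAX_INFLATE:
                    continue  # still flag the macro, but do not inflate a huge member
                found.update(auto_exec_names(zf.read(info)))
        result["auto_exec"] = sorted(found)
    elif blob.startswith(OLE_MAGIC):
        # Legacy binary formats: scan the raw bytes, as the thread's grep-style check does.
        result["container"] = "ole"
        if OLE_VBA_MARK in blob:
            result["has_macro"] = True
            result["auto_exec"] = auto_exec_names(blob)
    return result

def make_ooxml_sample(vba_payload) -> bytes:
    """Constructed test input: a minimal zip shaped like a macro-enabled Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if vba_payload is not None:
            zf.writestr("word/vbaProject.bin", vba_payload)
    return buf.getvalue()
```

A document that has a VBA project but none of the hook names still reports has_macro, which is the signal a scoring plugin would want to weigh separately from the auto-exec hit.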