detect executables embedded inside MS Office documents?

Gerard gerard at seibercom.net
Mon Apr 7 11:08:25 IST 2008


On Sun, 06 Apr 2008 16:00:45 -0700
Scott Silva <ssilva at sgvwater.com> wrote:

> on 4-6-2008 8:09 AM Julian Field spake the following:
> > Ignore all previous requests for information. I've got enough of
> > it, pretty much.
> > The only thing I cannot handle is inserted OLE "Packages" that
> > contain multiple files. If someone fancies creating one of those
> > and sending it to me, I'll improve the Package parser to cope with
> > it.
> > 
> > But it now works with files inserted into Microsoft Office
> > documents just fine.
> > 
> > This will be in the next release.
> > I guess it's a fairly major new feature, the ability to extract
> > embedded files from Microsoft Office documents.
> > :-)
> > 
> > I think I'm going to have a rest now...
> > 
> Poking another hole in the Microsoft armor was a big task. A well
> deserved rest it will be!!

The use of OLE makes the creation of highly detailed documents far
easier and more accurate. The scanning of said documents when emailed I
would assume to be a plus. However, if the scanning action breaks the
OLE bonds then the cure is far worse than the disease.

I have been sending these types of documents to colleagues for years
without incident. A few years ago Symantec did categorize some of them
as a VIRUS; however, that was a false positive and they quickly revised
their definition files to reflect that.

By the way, I usually send these files encrypted via PGP. How will/does
MailScanner work on that type of document?


-- 
Gerard
gerard at seibercom.net

My favorite sandwich is peanut butter, baloney, cheddar cheese, lettuce
and mayonnaise on toasted bread with catsup on the side.

	Senator Hubert Humphrey