detect executables embedded inside MS Office documents?

Julian Field MailScanner at ecs.soton.ac.uk
Mon Apr 7 11:43:15 IST 2008





Gerard wrote:
> On Sun, 06 Apr 2008 16:00:45 -0700
> Scott Silva <ssilva at sgvwater.com> wrote:
>
>   
>> on 4-6-2008 8:09 AM Julian Field spake the following:
>>     
>>> Ignore all previous requests for information. I've got enough of
>>> it, pretty much.
>>> The only thing I cannot handle is inserted OLE "Packages" that
>>> contain multiple files. If someone fancies creating one of those
>>> and sending it to me, I'll improve the Package parser to cope with
>>> it.
>>>
>>> But it now works with files inserted into Microsoft Office
>>> documents just fine.
>>>
>>> This will be in the next release.
>>> I guess it's a fairly major new feature, the ability to extract
>>> embedded files from Microsoft Office documents.
>>> :-)
>>>
>>> I think I'm going to have a rest now...
>>>
>>>       
>> Poking another hole in the Microsoft armor was a big task. A well
>> deserved rest it will be!!
>>     
>
> The use of OLE makes the creation of highly detailed documents far
> easier and accurate. The scanning of said documents when emailed I
> would assume to be a plus. However, if the scanning action breaks the
> OLE bonds then the cure is far worse than the disease.
>   
What do you mean, "breaks the OLE bonds"? I don't have a clue what 
you're talking about.
> I have been sending these types of documents to colleagues for years
> without incident. A few years ago Symantec did categorize some of them
> as a VIRUS; however, that was a false positive and they quickly revised
> their definition files to reflect that.
>
> By the way, I usually send these files encrypted via PGP. How will/does
> MailScanner work on that type of document?
>   
Obviously MailScanner cannot parse messages which have been encrypted 
with PGP. Whether such things are allowed is controlled by the relevant 
Encryption settings in MailScanner.conf.

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
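
Added example, not part of the original post and not MailScanner's code: a sketch of how a mail gateway can tell a PGP-encrypted message, which it cannot inspect, from a clear-signed one whose body is still readable and scannable. The function names, the policy values returned by `gateway_action` and the sample messages are all constructed for illustration.

```python
import email

ENC = b"-----BEGIN PGP MESSAGE-----"          # ASCII-armored ciphertext
SIG = b"-----BEGIN PGP SIGNED MESSAGE-----"   # clear-signed, text still readable

def classify_pgp(raw: bytes) -> str:
    """Return 'encrypted', 'signed' or 'plain' for one RFC 5322 message."""
    verdict = "plain"
    for part in email.message_from_bytes(raw).walk():
        ctype = part.get_content_type()
        if ctype == "multipart/encrypted":     # PGP/MIME container (RFC 3156)
            proto = str(part.get_param("protocol", "")).lower()
            if proto == "application/pgp-encrypted":
                return "encrypted"
        elif ctype == "multipart/signed":      # signed parts remain scannable
            verdict = "signed"
        if part.is_multipart():
            continue
        # Leaf part: undo base64/quoted-printable, then look for an armor
        # header that occupies a whole line (inline PGP).
        body = part.get_payload(decode=True) or b""
        lines = {line.strip() for line in body.splitlines()}
        if ENC in lines:
            return "encrypted"
        if SIG in lines:
            verdict = "signed"
    return verdict

def gateway_action(raw: bytes, allow_encrypted: bool) -> str:
    """Hypothetical site policy: uninspectable mail is allowed or held."""
    if classify_pgp(raw) == "encrypted":
        return "deliver-unscanned" if allow_encrypted else "quarantine"
    return "scan"

def make_mail(ctype: str, body: str) -> bytes:
    """Build a constructed sample message (not real traffic)."""
    head = "From: a@example.org\r\nTo: b@example.org\r\nMIME-Version: 1.0\r\n"
    return (head + f"Content-Type: {ctype}\r\n\r\n{body}").encode()

PGP_MIME = make_mail(
    'multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"',
    "--b1\r\nContent-Type: application/pgp-encrypted\r\n\r\nVersion: 1\r\n"
    "--b1\r\nContent-Type: application/octet-stream\r\n\r\n(placeholder)\r\n"
    "--b1--\r\n")
INLINE = make_mail("text/plain", "-----BEGIN PGP MESSAGE-----\r\n\r\n"
                   "(placeholder)\r\n-----END PGP MESSAGE-----\r\n")
CLEARSIGNED = make_mail("text/plain", "-----BEGIN PGP SIGNED MESSAGE-----\r\n"
                        "Hash: SHA1\r\n\r\nhello\r\n")
MENTION = make_mail("text/plain",
                    "The line -----BEGIN PGP MESSAGE----- marks ciphertext.\r\n")
```

A message that only mentions the armor header inside a sentence is classified as plain, because the check requires the header to stand on a line of its own.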





