Blocking of WMF
rcooper at dwford.com
Tue Mar 24 15:44:24 GMT 2009
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf
> Of Mike M
> Sent: Tuesday, March 24, 2009 10:56 AM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: Blocking of WMF
> Jethro R Binks wrote:
> > On Tue, 17 Mar 2009, Jethro R Binks wrote:
> >> but we very often see "image1.wmf", "image2.wmf", etc
> discovered too.
> >> Very often, the sending user is completely oblivious to
> the presence of
> >> images in the document (zip file), nor what to do to
> remove them or save
> >> them as something else, and at least in the case of the
> >> content, this is something that the application itself has
> >> without the user knowing about it.
> > ...
> > Neither this, nor the other thread where I mentioned:
> >> I have often thought that it would useful for MailScanner
> to have some
> >> context when applying the filename rules, to give some
> flexibility. So
> >> for example it might permit all or certain .wmf if it
> knows it has found
> >> them while digging around in an Office 2007 zip doc.
> Perhaps another
> >> field in filename.rules.conf that is a list of context matches
> >> ('zip,msofficezip'), with a default of "all contexts".
> > solicited much response.
> > I would like to add something else to the mix: when an
> objectional file in
> > an archive is found, that as well as listing the
> objectional file and the
> > reason, that the name of the archive is also available.
> > I currently have a case in hand where someone has sent
> several Word and
> > Powerpoint documents in one message, and received a
> rejection from us
> > complaining about:
> >> Report: Possible format attack in Windows (image3.wmf)
> >> Report: Possible format attack in Windows (image4.wmf)
> >> Report: Possible format attack in Windows (image5.wmf)
> >> Report: Possible format attack in Windows (image9.wmf)
> >> Report: Possible format attack in Windows (image2.wmf)
> >> Report: Possible format attack in Windows (image1.wmf)
> > but there appears to be no way to know which of the several
> > caused the problem, other than to have him send them all
> > And if someone can point me at a resource that explains the
> prevelance of
> > "image1.wmf", "image2.wmf", etc, in MS Office documents,
> I'd be grateful.
> > (This particular sender insists that his Word documents contained
> > absolutely no images, although there's a Powerpoint
> document in the mix
> > too).
> I don't know why office 2007 documents use .wmf files in them, but
> they've gotten so common that I've simply had to allow all .wmf files
> since I can't just block them outside of the office documents. It's
> unfortunate, but blocking .wmf is becoming equivalent to
> blocking .docx,
> .xlsx and .pptx with the current way MS handles archives and is only
> getting worse as more people adopt 2007. It appears as though
> as long as
> your patched, then wmf's are safe, but that's only good until
> the next
> zero day.
> I second the request to show in a more apparent way what the source
> archive file is when MS detects a file inside an archive that
> it's blocking.
How about if it logged like :
Archive Filename Checks: (1Lm8hH-0002we-Gd 11_03_frames.rar ->
And the system admin reports was:
Report: MailScanner: Do Not Allow EXEs In Archive (11_03_frames.rar ->
rule desc archive
And the SystemWarning.txt was (same as above):
MailScanner: Do Not Allow EXEs In Archive (11_03_frames.rar ->
I had to set up a special rule to catch the exe in an archive as I generally
pass most exes if they are in an archive, but the above logging could be
done in a few lines without adding the special archivefilename/type rules
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the MailScanner