Blocking of WMF

Rick Cooper rcooper at dwford.com
Tue Mar 24 15:44:24 GMT 2009


 

> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info 
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf 
> Of Mike M
> Sent: Tuesday, March 24, 2009 10:56 AM
> To: mailscanner at lists.mailscanner.info
> Subject: Re: Blocking of WMF
> 
> Jethro R Binks wrote:
> > On Tue, 17 Mar 2009, Jethro R Binks wrote:
> > 
> >> but we very often see "image1.wmf", "image2.wmf", etc. discovered too.
> >>
> >> Very often, the sending user is completely oblivious to the presence of
> >> images in the document (zip file), nor what to do to remove them or save
> >> them as something else, and at least in the case of the "thumbnail.wmf"
> >> content, this is something that the application itself has generated
> >> without the user knowing about it.
> > ...
> > 
> > Neither this, nor the other thread where I mentioned:
> > 
> >> I have often thought that it would be useful for MailScanner to have some
> >> context when applying the filename rules, to give some flexibility.  So
> >> for example it might permit all or certain .wmf if it knows it has found
> >> them while digging around in an Office 2007 zip doc.  Perhaps another
> >> field in filename.rules.conf that is a list of context matches
> >> ('zip,msofficezip'), with a default of "all contexts".
> > 
> > solicited much response.
> > 
> > I would like to add something else to the mix: when an objectionable file
> > in an archive is found, that as well as listing the objectionable file and
> > the reason, the name of the archive is also available.
> > 
> > I currently have a case in hand where someone has sent several Word and
> > Powerpoint documents in one message, and received a rejection from us
> > complaining about:
> > 
> >> Report: Possible format attack in Windows (image3.wmf)
> >> Report: Possible format attack in Windows (image4.wmf)
> >> Report: Possible format attack in Windows (image5.wmf)
> >> Report: Possible format attack in Windows (image9.wmf)
> >> Report: Possible format attack in Windows (image2.wmf)
> >> Report: Possible format attack in Windows (image1.wmf)
> > 
> > but there appears to be no way to know which of the several attachments
> > caused the problem, other than to have him send them all individually.
> > 
> > And if someone can point me at a resource that explains the prevalence of
> > "image1.wmf", "image2.wmf", etc., in MS Office documents, I'd be grateful.
> > (This particular sender insists that his Word documents contained
> > absolutely no images, although there's a Powerpoint document in the mix
> > too).
> > 
> 
> I don't know why Office 2007 documents use .wmf files in them, but
> they've gotten so common that I've simply had to allow all .wmf files
> since I can't just block them outside of the office documents.  It's
> unfortunate, but blocking .wmf is becoming equivalent to blocking .docx,
> .xlsx and .pptx with the current way MS handles archives and is only
> getting worse as more people adopt 2007.  It appears as though as long as
> you're patched, then WMFs are safe, but that's only good until the next
> zero day.
> 
> I second the request to show in a more apparent way what the source
> archive file is when MS detects a file inside an archive that it's
> blocking.
> 
> 

How about if it logged like:

	Archive Filename Checks:  (1Lm8hH-0002we-Gd 11_03_frames.rar -> 11_03_frames.exe)
	                           MsgID            Archive             Blocked name/type

And the system admin report was:

Report: MailScanner: Do Not Allow EXEs In Archive (11_03_frames.rar -> 11_03_frames.exe)
                     rule desc                     archive             blocked name/type

And the SystemWarning.txt was (same as above):

   MailScanner: Do Not Allow EXEs In Archive (11_03_frames.rar -> 11_03_frames.exe)

I had to set up a special rule to catch the exe in an archive as I generally
pass most exes if they are in an archive, but the above logging could be
done in a few lines without adding the special archive filename/type rules
feature.

Rick




--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
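As an added illustration (not MailScanner code, and not posted by anyone in this thread), the script below re-implements in plain Python the two ideas discussed above: Jethro's context field on filename rules, so that `.wmf` members found inside an Office 2007 (OOXML) zip can be allowed while a loose `.wmf` attachment is still denied, and Rick's "archive -> member" log and report lines that name the containing archive. The rule table, the context names (`msofficezip`, `zip`, `message`), the OOXML detection heuristic and the sample attachments are all assumptions constructed here; the WMF stubs carry only the placeable-metafile magic bytes and are not real images.

```python
"""Context-aware filename rules with archive-aware reporting (added example).

Not MailScanner code. Rules are (action, regex, context, report-text) and are
checked in order with first match winning; a context of "all" applies
everywhere. Context names and the rule table are assumptions for illustration.
"""
import io
import re
import zipfile

RULES = [
    # Hypothetical context-scoped allow: Office 2007 packages may carry WMFs.
    ("allow", r"\.wmf$", "msofficezip", "WMF inside Office 2007 document"),
    # Default-style denies, applying in every context.
    ("deny",  r"\.wmf$", "all",         "Possible format attack in Windows"),
    ("deny",  r"\.exe$", "all",         "Do Not Allow EXEs In Archive"),
]

# Heuristic (assumption): a zip containing both of these is an OOXML package.
OOXML_MARKERS = ("[Content_Types].xml", "_rels/.rels")


def archive_context(zf):
    """Classify an open ZipFile as 'msofficezip' (OOXML) or a plain 'zip'."""
    names = set(zf.namelist())
    return "msofficezip" if all(m in names for m in OOXML_MARKERS) else "zip"


def first_matching_rule(name, context):
    """Return (action, report_text) for the first rule matching name in context."""
    for action, pattern, ctx, text in RULES:
        if ctx in ("all", context) and re.search(pattern, name, re.IGNORECASE):
            return action, text
    return "allow", ""


def check_attachment(name, data, msgid):
    """Check one attachment; return (log_lines, report_lines).

    Archive members are reported as 'archive -> member' so the admin can tell
    which of several attachments carried the blocked file.
    """
    logs, reports = [], []
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        action, text = first_matching_rule(name, "message")
        if action == "deny":
            logs.append(f"Filename Checks: ({msgid} {name})")
            reports.append(f"Report: MailScanner: {text} ({name})")
        return logs, reports
    with zipfile.ZipFile(buf) as zf:
        ctx = archive_context(zf)
        for member in zf.namelist():
            action, text = first_matching_rule(member, ctx)
            if action == "deny":
                logs.append(f"Archive Filename Checks: ({msgid} {name} -> {member})")
                reports.append(f"Report: MailScanner: {text} ({name} -> {member})")
    return logs, reports


def scan_message(attachments, msgid):
    """Run every attachment of one message; return the combined report lines."""
    all_reports = []
    for name, data in attachments.items():
        all_reports.extend(check_attachment(name, data, msgid)[1])
    return all_reports


def build_zip(members):
    """Build an in-memory zip from {member_name: bytes} (constructed sample data)."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return out.getvalue()


# Constructed samples: placeable-WMF magic (D7 CD C6 9A) padded, not real images.
WMF_STUB = b"\xd7\xcd\xc6\x9a" + b"\x00" * 18
SAMPLES = {
    "report.docx": build_zip({
        "[Content_Types].xml": b"<Types/>", "_rels/.rels": b"<Relationships/>",
        "word/document.xml": b"<w:document/>", "docProps/thumbnail.wmf": WMF_STUB,
    }),
    "slides.pptx": build_zip({
        "[Content_Types].xml": b"<Types/>", "_rels/.rels": b"<Relationships/>",
        "ppt/media/image1.wmf": WMF_STUB, "ppt/media/image2.wmf": WMF_STUB,
    }),
    "11_03_frames.zip": build_zip({"11_03_frames.exe": b"MZ\x90\x00", "readme.wmf": WMF_STUB}),
    "logo.wmf": WMF_STUB,
}

if __name__ == "__main__":
    for line in scan_message(SAMPLES, "1Lm8hH-0002we-Gd"):
        print(line)
```

Run as-is, the two Office documents pass because their `.wmf` members hit the context-scoped allow first, while the same extension inside a generic zip and as a bare attachment is still denied, and each denied archive member is reported with its parent archive in front of it.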



