Blocking password protected office documents (Heino Backhaus)
Daniel Brunt
daniel at brunt.ca
Tue May 9 21:37:23 UTC 2017
Heino,
Back in January/February I tried blocking CDF V2 but found it also blocked a lot of non-password protected documents.
I was using:
deny	CDF V2 Document	No password-protected documents	No password-protected documents allowed
But both password-protected and OLE file types were blocked by "CDF V2 Document".
"CDF" = Compound Document Format "and is related to OLE/COM. It refers to linking and embedding objects, for example, Excel charts in Word documents."
I could not find a way to block just password-protected documents. If your findings contradict mine, I would be curious to know more...
Daniel
----------------------------------------------------------------------
Message: 1
Date: Tue, 9 May 2017 12:55:46 +0200
From: Heino Backhaus <heino.backhaus at fink-computer.de>
To: MailScanner Discussion <mailscanner at lists.mailscanner.info>
Subject: Re: Blocking password protected office documents
Message-ID: <b7a6d7fd-58fe-da04-74d2-616c357fa47e at fink-computer.de>
Content-Type: text/plain; charset="windows-1252"
Hi Mark,
sorry there seems to be a fault in my tests. Don't know what. Anyway, today everything is working as expected.
I'm filtering now Composite and CDFV2 with the following entries in
filetype.rules.conf:
deny	Composite	No Password protected Office Documents	Password protected Office Documents are often malicious
deny	CDFV2	No Password protected Office Documents	Password protected Office Documents are often malicious
Thanks for Answering.
On 06.05.2017 at 07:09, Mark Sapiro wrote:
> On 05/04/2017 12:57 AM, Heino Backhaus wrote:
>> The question is, how should an entry for this look like?
>> I've already tried this:
>>
>> deny Composite - -
>>
>> But it didn't work...
>
>
> Try with something other than '-' for the log and report text, and
> ensure you're using tabs as field delimiters.
>
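
The tab-delimiter advice above can be checked mechanically before a rules file is deployed. This Python sketch is an added example, not part of the original thread or of MailScanner. It assumes the four-field layout used in these messages (action, pattern, log text, report text) and treats a run of tabs as one delimiter; the function name and sample lines are constructed for illustration.

```python
import re

FIELD_NAMES = ("action", "pattern", "log text", "report text")  # assumed layout

def lint_filetype_rules(text):
    """Parse rule lines; return (rules, problems).

    rules    -> list of dicts keyed by FIELD_NAMES for well-formed lines
    problems -> list of (line_number, message) for lines that need fixing
    """
    rules, problems = [], []
    for num, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank lines and comments carry no rule
        # Split on tabs only: spaces are legal inside a field ("CDF V2 Document").
        fields = [f.strip(" ") for f in re.split(r"\t+", line.strip())]
        if len(fields) == 1:
            problems.append((num, "no tab delimiters; the whole line is one field"))
        elif len(fields) != len(FIELD_NAMES):
            problems.append((num, "expected %d tab-separated fields, found %d"
                                  % (len(FIELD_NAMES), len(fields))))
        else:
            rules.append(dict(zip(FIELD_NAMES, fields)))
    return rules, problems

# Constructed sample input using the rule shapes discussed in the thread.
SAMPLE = "\n".join([
    "# constructed sample, not a real configuration",
    "deny Composite - -",                                   # spaces only
    "deny\tComposite\t-\t-",                                # tab-delimited
    "deny\tCDF V2 Document\tNo password-protected documents\t"
    "No password-protected documents allowed",              # spaces inside a field
    "deny\tCDFV2\tNo Password protected Office Documents",  # report text missing
])

if __name__ == "__main__":
    parsed, issues = lint_filetype_rules(SAMPLE)
    for num, msg in issues:
        print("line %d: %s" % (num, msg))
    for rule in parsed:
        print("ok: %(action)s /%(pattern)s/" % rule)
```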