How to block Flash-embedded Excel attachments?

Hi All, First of all let me wish all of you a Happy and prosperous “2010”.

I have implemented PureMessage for Unix 5.5.9 as the email gateway. I'm very happy with PMX performance but have an issue for which I need advice.

I am filtering unwanted attachments using “pmx_attachment_true_filetype” scanning and I'm blocking attachments as per the MIME types. However, this technique fails to detect Flash-embedded Microsoft Excel attachments. I want to block users sending Excel files with Flash-embedded games and videos but don't want to block normal Excel content.

It would be greatly appreciated if someone could advise me on how to achieve my requirement…

Thanks in advance,

Pubudu.

  • Hey Pubudu,

    Happy 2010!

    The best thing to do in this situation is to put the file on a PMX system and run the following command as the pmx user:

    $ pmx-list-true-filetypes <path>/<Name of your Excel document.extension>

    The results of this command will show you the various components of the file and how the virus engine within PMX sees this file. Sophos calls this True Filetype Detection or TFT. If it were a zip containing a txt file, you should see both in the output.

    For all types currently recognized:

    $ pmx-list-true-filetypes -v

    If the engine can find distinguishable characteristics between the Flash-embedded Excel file and a normal Excel file, you can create a nested policy.siv rule to accomplish this and avoid false positives. I can't tell you off-hand if the engine detects an embedded Flash, so you will need to test it out.

    $ man pmx-policy

    (search for pmx_attachment_true_filetype)

    There are some examples of how to use the output from the pmx-list-true-filetypes command.

    Please give this a try and post the pmx-list-true-filetypes output. We can take it from there.

    Cheers.

  • Hi Mark,

    Thanks for the feedback. I followed your advice, but it looks like PMX cannot see a difference between the two files. Please see the outputs below. Is there anything else I can try?

    Many Thanks,
    Pubudu.

    Normal Excel file:
    Bcs.xls:
        extensions:
            .ole2
            .xls
            .xlt
        filetypes:
            Spreadsheet/Microsoft Excel-OLE
        mime types:
            application/ms-excel
            application/msexcel
            application/vnd.ms-excel
            application/x-msexcel
            application/x-ole2


    Excel file with Flash:

    red_wine.xls:
        extensions:
            .ole2
            .xls
            .xlt
        filetypes:
            Spreadsheet/Microsoft Excel-OLE
        mime types:
            application/ms-excel
            application/msexcel
            application/vnd.ms-excel
            application/x-msexcel
            application/x-ole2
    Diff output of two files:

    Please note that only file names are different.
    [root@pmx tmp]# diff  normal.txt   FlashExcel.txt
    1c1
    < Bcs.xls:
    ---
    > red_wine.xls:
    [root@pmx tmp]

  • Hey Pubudu,

    At this time, it doesn't look like the engine can decipher the difference between the two Excel spreadsheets, as you have seen.

    You can submit the sample to Sophos Technical Support or through the following link:

    https://secure.sophos.com/support/samples/

    Please identify in the comments your description of the type of file and that you would like to see the Flash component detected.

    Alternatively, if you engage the support team, they can submit it to the labs to see if a TFT identity for this type of sample is possible.

    Cheers,
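Since TFT reports both workbooks identically, a defender who wants a second opinion can look inside the OLE2 container directly. The script below is an added example (mine, not part of this thread or of PureMessage) of a heuristic scan for Flash indicators in an OLE2 file; `find_flash_indicators` and `build_sample` are names I chose, and the sample buffer is constructed for testing, not a real workbook.

```python
"""Heuristic check for Flash (SWF) content inside an OLE2 container (CFB).
No full CFB parser: confirm the OLE2 magic, read the sector size, then look
for (a) a directory-entry name mentioning ShockwaveFlash (CFB stores entry
names as UTF-16LE) and (b) an SWF header at a sector boundary, where a stream
kept in the regular FAT begins. A wrapped or mini-stream SWF is not seen."""
import struct
import sys

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")          # uncompressed / zlib / LZMA SWF
FLASH_NAME = "ShockwaveFlash".encode("utf-16-le")


def find_flash_indicators(data: bytes) -> list:
    """Return human-readable indicators found in `data`; empty means none."""
    findings = []
    if len(data) < 512 or not data.startswith(OLE2_MAGIC):
        return findings  # not an OLE2 container at all
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]  # 9 -> 512 bytes
    if FLASH_NAME in data:
        findings.append("directory entry names a ShockwaveFlash object")
    for off in range(sector_size, len(data) - 8, sector_size):
        magic = data[off:off + 3]
        if magic in SWF_MAGICS:
            version = data[off + 3]
            length = struct.unpack_from("<I", data, off + 4)[0]
            # Plausibility filter so random bytes rarely match.
            if 1 <= version <= 50 and 8 <= length <= 64 * 1024 * 1024:
                findings.append(f"SWF header {magic.decode()} v{version}, "
                                f"{length} bytes, at file offset {off}")
    return findings


def build_sample(with_flash: bool) -> bytes:
    """Constructed OLE2-shaped fixture: header + one directory sector + one
    data sector. It is not a valid workbook, only a test buffer."""
    header = bytearray(512)
    header[:8] = OLE2_MAGIC
    struct.pack_into("<H", header, 30, 9)  # 512-byte sectors
    directory = bytearray(512)
    entry = ("ShockwaveFlash.ShockwaveFlash" if with_flash else "Workbook").encode("utf-16-le")
    directory[:len(entry)] = entry
    payload = bytearray(512)
    if with_flash:
        payload[:8] = b"CWS" + bytes([10]) + struct.pack("<I", 4096)
    return bytes(header + directory + payload)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = find_flash_indicators(fh.read())
        print(path, "->", "; ".join(hits) or "no Flash indicators")
```

A hit is a reason to quarantine for manual review; a miss is inconclusive, because the control can store the SWF inside its own stream format rather than at a sector start.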