This discussion has been locked.

How to Block Flash embedded Excel attachments?

Hi All, First of all let me wish all of you a Happy and prosperous “2010”.

I have implemented PureMessage for Unix 5.5.9 as the email gateway. I'm very happy with PMX performance but have an issue for which I need advice.

I am filtering unwanted attachments using “pmx_attachment_true_filetype” scanning and I'm blocking attachments as per the MIME types. However, this technique fails to detect Flash embedded Microsoft Excel attachments. I want to block users sending Excel files with Flash embedded games and videos but don't want to block normal Excel content.

Greatly appreciated if someone can advise me on how to achieve my requirement…

Thanks in advance,

Pubudu.



This thread was automatically locked due to age.
  • Hey Pubudu,

    Happy 2010!

    The best thing to do in this situation is to put the file on a PMX system and run the following command as the pmx user:

    $ pmx-list-true-filetypes <path>/<Name of your Excel document.extension>

    The results of this command will show you the various components of the file and how the virus engine within PMX sees this file. Sophos calls this True Filetype Detection or TFT. If it were a zip containing a txt file, you should see both in the output.

    For all types currently recognized:

    $ pmx-list-true-filetypes -v

    If the engine can find distinguishable characteristics between the Flash Embedded Excel file, and a normal Excel file, you can create a nested policy.siv rule to accomplish this and avoid false positives.  I can't tell you off-hand if the engine detects an embedded Flash, so you will need to test it out.

    $ man pmx-policy

    (search for pmx_attachment_true_filetype)

    There are some examples of how to use the output from the pmx-list-true-filetype command.

    Please give this a try and post the pmx-list-true-filetype output.  We can take it from there.

    Cheers.
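
To see in advance whether a Flash-embedded workbook has any characteristic that separates it from a normal one, the test files can also be inspected outside PMX. The following is an added example, not part of the original thread and not Sophos code: a stand-alone heuristic that looks for the Flash ActiveX ProgID and for SWF headers, both in raw (OLE2 `.xls`) bytes and inside each part of a zipped `.xlsx`/`.xlsm`. The function names, size and depth limits, and the sample bytes are assumptions made for this illustration.

```python
import io
import struct
import zipfile

MAX_PART = 32 * 1024 * 1024   # skip archive members that claim to inflate past this
MAX_DEPTH = 3                 # stop descending into nested or self-containing zips
PROGID = "ShockwaveFlash"     # prefix of the Flash ActiveX control's ProgID
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # plain, zlib and LZMA SWF signatures


def _swf_offsets(data):
    """Offsets where a plausible SWF header (magic, version, length) starts."""
    hits = []
    for magic in SWF_MAGICS:
        pos = data.find(magic)
        while pos != -1 and pos + 8 <= len(data):
            version = data[pos + 3]
            (length,) = struct.unpack_from("<I", data, pos + 4)
            # The length field is the uncompressed size, so only an FWS body
            # can be bounded by the bytes that follow the header.
            fits = magic != b"FWS" or length <= len(data) - pos
            if 1 <= version <= 50 and length > 8 and fits:  # heuristic bounds
                hits.append(pos)
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def flash_indicators(blob, name="attachment", depth=0):
    """Return (location, reason) pairs that suggest embedded Flash content."""
    stream = io.BytesIO(blob)
    if depth < MAX_DEPTH and zipfile.is_zipfile(stream):
        found = []                      # .xlsx/.xlsm: check every package part
        with zipfile.ZipFile(stream) as zf:
            for info in zf.infolist():
                if info.file_size <= MAX_PART:
                    part = f"{name}!{info.filename}"
                    found += flash_indicators(zf.read(info), part, depth + 1)
        return found
    found = []
    if any(PROGID.encode(enc) in blob for enc in ("ascii", "utf-16-le")):
        found.append((name, "ShockwaveFlash ProgID"))
    found += [(name, f"SWF header at offset {o}") for o in _swf_offsets(blob)]
    return found


if __name__ == "__main__":
    # Constructed sample: OLE2 magic, padding, then a minimal 21-byte SWF.
    swf = b"FWS\x09" + struct.pack("<I", 21) + b"\0" * 13
    sample = bytes.fromhex("d0cf11e0a1b11ae1") + b"\0" * 504 + swf
    print(flash_indicators(sample, "games.xls"))
```

An empty result does not prove the file is clean: OLE2 streams are stored in sectors, so a marker can be split across them, and an object may be stored in a form this byte scan does not recognize.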
