Mail::SpamAssassin::Plugin::OLEVBMacro − search attached documents for evidence of containing an OLE Macro
loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
  body     OLEMACRO eval:check_olemacro()
  describe OLEMACRO Attachment has an Office Macro

  body     OLEMACRO_MALICE eval:check_olemacro_malice()
  describe OLEMACRO_MALICE Potentially malicious Office Macro

  body     OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
  describe OLEMACRO_ENCRYPTED Has an Office doc that is encrypted

  body     OLEMACRO_RENAME eval:check_olemacro_renamed()
  describe OLEMACRO_RENAME Has an Office doc that has been renamed

  body     OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
  describe OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip

  body     OLEMACRO_CSV eval:check_olemacro_csv()
  describe OLEMACRO_CSV Malicious csv file that tries to exec cmd.exe detected

  body     OLEMACRO_DOWNLOAD_EXE eval:check_olemacro_download_exe()
  describe OLEMACRO_DOWNLOAD_EXE Malicious code inside the Office doc that tries to download a .exe file detected
endif
This plugin detects OLE/VBA macros inside documents attached to emails. It can detect documents inside zip files as well as encrypted documents.
This plugin requires Archive::Zip and IO::String perl modules.
The following options can be used in both site-wide ("local.cf") and user-specific ("user_prefs") configuration files to customize how the module handles attached documents.
olemacro_num_mime (default: 5)
Configure the maximum number of matching MIME parts the plugin will scan
olemacro_num_zip (default: 8)
Configure the maximum number of matching zip members the plugin will scan
olemacro_zip_depth (default: 2)
Depth to recurse within Zip files
olemacro_extended_scan ( 0 | 1 ) (default: 0)
Scan more files for potential macros; the "olemacro_skip_exts" parameter is still honored. This parameter is off by default and is needed only for the "eval:check_olemacro_renamed" rule. If it is turned on, consider adjusting the values of "olemacro_num_mime" and "olemacro_num_zip", and expect more CPU overhead.
olemacro_prefer_contentdisposition ( 0 | 1 ) (default: 1)
Choose whether the filename from the Content-Disposition header is preferred when there is ambiguity about which MIME header carries the attachment filename.
olemacro_max_file (default: 1024000)
Configure the largest file, in bytes, that the plugin will decode from the MIME objects; larger parts are not decoded or scanned.
olemacro_exts (default: (?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$)
Set the case-insensitive regexp used to configure the extensions the plugin targets for macro scanning. Note that the default has no leading "\." before the alternatives, so it matches any filename ending in one of those strings, not only a dotted extension.
olemacro_macro_exts (default: (?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$)
Set the case-insensitive regexp used to configure the extensions the plugin treats as containing a macro
olemacro_skip_exts (default: (?:dotx|potx|ppsx|pptx|sldx|xltx)$)
Set the case-insensitive regexp used to configure extensions for the plugin to skip entirely; these should only be file types that are guaranteed macro-free
olemacro_skip_ctypes (default: ^(?:text\/))
Set the case-insensitive regexp used to configure content types for the plugin to skip entirely; these should only be content types that are guaranteed macro-free
olemacro_zips (default: (?:zip)$)
Set the case-insensitive regexp used to configure extensions for the plugin to target as zip files. Files matching the extension regexps above are also tried as zip archives, since OOXML documents (docx, xlsm and friends) are themselves zip containers
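To make the interaction of these options concrete, the following is an added Python example, not code from the SpamAssassin plugin itself. It reimplements the attachment classification with the default regexps listed above and walks a nested zip the way olemacro_zip_depth, olemacro_num_zip and olemacro_max_file describe. Two things are assumptions rather than statements from this page and are marked as such in the code: that skip rules are evaluated before target rules (so ".xltx", which appears in both olemacro_macro_exts and olemacro_skip_exts, is skipped), and that the attachment itself counts as depth 1. The macro indicator used for OOXML containers (a vbaProject.bin member) is a simplification; binary OLE2 .doc/.xls files need an OLE parser and are not handled. The sample attachment is constructed in memory.

```python
import io
import re
import zipfile

# Defaults copied from the option list above. They are case-insensitive and
# have no leading "\.", so "teapot" matches the "pot" branch of olemacro_exts.
OLEMACRO_EXTS = re.compile(
    r'(?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$', re.I)
OLEMACRO_MACRO_EXTS = re.compile(
    r'(?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$', re.I)
OLEMACRO_SKIP_EXTS = re.compile(r'(?:dotx|potx|ppsx|pptx|sldx|xltx)$', re.I)
OLEMACRO_SKIP_CTYPES = re.compile(r'^(?:text/)', re.I)
OLEMACRO_ZIPS = re.compile(r'(?:zip)$', re.I)
OLEMACRO_ZIP_DEPTH = 2
OLEMACRO_NUM_ZIP = 8
OLEMACRO_MAX_FILE = 1024000


def classify(name, ctype='application/octet-stream'):
    """Bucket an attachment by the option regexps.

    Assumption (the page does not state evaluation order): skip rules win
    over target rules, so ".xltx" is skipped although it is also listed in
    olemacro_macro_exts.
    """
    if OLEMACRO_SKIP_CTYPES.search(ctype) or OLEMACRO_SKIP_EXTS.search(name):
        return 'skip'
    if OLEMACRO_ZIPS.search(name):
        return 'zip'
    if OLEMACRO_MACRO_EXTS.search(name):
        return 'macro'
    if OLEMACRO_EXTS.search(name):
        return 'doc'
    return 'ignore'


def has_vba_project(data):
    """Simplified macro indicator for OOXML containers: they are zip files and
    a VBA project is stored as a vbaProject.bin member. Not an OLE2 parser."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith('vbaproject.bin') for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def scan_zip(data, depth=1, budget=None):
    """Walk a zip attachment: stop past olemacro_zip_depth, look at no more
    than olemacro_num_zip members in total (budget is shared across the
    recursion), skip members larger than olemacro_max_file. Returns the names
    of members carrying a VBA project. Assumption: the attachment is depth 1."""
    if depth > OLEMACRO_ZIP_DEPTH:
        return []
    if budget is None:
        budget = [OLEMACRO_NUM_ZIP]
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return found
    with zf:
        for info in zf.infolist():
            if budget[0] <= 0:
                break
            budget[0] -= 1
            if info.file_size > OLEMACRO_MAX_FILE:
                continue
            kind = classify(info.filename)
            if kind in ('skip', 'ignore'):
                continue
            member = zf.read(info)
            if kind == 'zip':
                found.extend(scan_zip(member, depth + 1, budget))
            elif has_vba_project(member):   # doc/macro names are also tried as zip
                found.append(info.filename)
    return found


def build_ooxml(with_macro):
    """Constructed minimal OOXML-shaped container (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('[Content_Types].xml', '<Types/>')
        z.writestr('word/document.xml', '<w:document/>')
        if with_macro:
            z.writestr('word/vbaProject.bin', b'\xd0\xcf\x11\xe0' + b'\x00' * 28)
    return buf.getvalue()


def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        for name, data in members:
            z.writestr(name, data)
    return buf.getvalue()


def sample_attachment():
    """Constructed sample: one macro doc at depth 1, another buried three zips
    deep, which the default olemacro_zip_depth of 2 never reaches."""
    deeper = build_zip([('hidden.docm', build_ooxml(True))])
    inner = build_zip([('deeper.zip', deeper)])
    return build_zip([('invoice.docm', build_ooxml(True)),
                      ('notes.txt', b'plain text'),
                      ('inner.zip', inner)])


if __name__ == '__main__':
    print(scan_zip(sample_attachment()))   # ['invoice.docm']
    print(classify('template.xltx'), classify('report.xlsm'), classify('teapot'))
```

Running it shows why a deeply nested zip is invisible at the default depth and why the member budget caps a zip stuffed with many documents, which is the trade-off to weigh before raising olemacro_zip_depth or olemacro_num_zip on a busy mail gateway.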