[Esd-l] macro scanner: defang instead of refuse

Kenneth Porter shiva at well.com
Mon Jun 3 09:09:02 PDT 2002


I'm getting a lot of hits from the macro scanner with scores like 141,
and I'm suspecting these are from documents that were touched by someone
who was previously infected but not infected any longer, and there are
just viral fragments in the files. Some of these files pass through the
hands of upper management, so there's some pressure to expedite getting
them "automagically" past the scanner.

I think it would work if these files were just defanged and local IT
personnel could defang and RTF-convert them. Is there a way to get this
to happen?

Here's a typical dump from the scanner (v1.133):

Macro Scanner score: 141
Macro Scanner score details:
     2 for STDOLE
     4 for Document_Close
     2 for stdole
     1 for ThisDocument
     2 for NormalTemplate
     1 for ActiveDocument
     2 for NormalTemplate
    99 for VirusProtection
     9 for CountOfLines
     2 for Options'
     2 for CodeModule
     1 for PrivateProfileString
     9 for AddFromString
     4 for ID="{CCC0C717-E3DC-11D2-840C-006008D2B810}"
     1 for ThisDocument
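
Added example, not part of the original post and not the scanner's own code: a small Python parser for the report format shown above, which checks that the detail lines add up to the reported score and ranks the matched tokens by their share of it. The function name `summarize` and both regular expressions are assumptions inferred from this one dump.

```python
import re
from collections import Counter

# Report text copied verbatim from the post above (scanner v1.133).
REPORT = """\
Macro Scanner score: 141
Macro Scanner score details:
     2 for STDOLE
     4 for Document_Close
     2 for stdole
     1 for ThisDocument
     2 for NormalTemplate
     1 for ActiveDocument
     2 for NormalTemplate
    99 for VirusProtection
     9 for CountOfLines
     2 for Options'
     2 for CodeModule
     1 for PrivateProfileString
     9 for AddFromString
     4 for ID="{CCC0C717-E3DC-11D2-840C-006008D2B810}"
     1 for ThisDocument
"""

TOTAL_RE = re.compile(r"^Macro Scanner score:\s*(\d+)\s*$")
DETAIL_RE = re.compile(r"^\s*(\d+) for (.+?)\s*$")

def summarize(text):
    """Parse one report; return the reported total, whether the detail
    lines add up to it, and per-token weights ranked highest first."""
    total, weights = None, Counter()
    for line in text.splitlines():
        if m := TOTAL_RE.match(line):
            total = int(m.group(1))
        elif m := DETAIL_RE.match(line):
            weights[m.group(2)] += int(m.group(1))  # repeated tokens accumulate
    if not total or not weights:
        raise ValueError("not a macro scanner report")
    ranked = weights.most_common()
    return {"reported": total,
            "consistent": total == sum(weights.values()),
            "ranked": ranked,
            "top_share": round(ranked[0][1] / total, 2)}

if __name__ == "__main__":
    s = summarize(REPORT)
    print(f"score {s['reported']} (details add up: {s['consistent']})")
    for token, weight in s["ranked"]:
        print(f"{weight:4d}  {weight / s['reported']:6.1%}  {token}")
```

On this dump the detail lines sum to the reported 141, and the single `VirusProtection` match accounts for 99 of it.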


