[Esd-l] macro scanner: defang instead of refuse

John D. Hardin jhardin at impsec.org
Mon Jun 3 15:57:00 PDT 2002

On 3 Jun 2002, Kenneth Porter wrote:

> Somewhere I read that some "cleaners" leave the deactivated virus
> in Office so its remnants show up in all future files. (Anyone
> know where I read this?)

Probably here. That's been my observation; I've looked at some
documents with large macro scores using vi and seen what looked like
mangled VBA virus code.

> I wonder if OpenOffice has separate command line converters that
> could be run inline to do the doc-rtf-doc conversion before it
> hits the user's mailbox?

That'd be slick, but a rather heavyweight solution...

> Has anyone worked out a better way than email to share documents between
> groups, esp. when the composition of the groups is constantly changing?
> Windows shares are the first thing that comes to mind, but I fear
> managing the group memberships would become prohibitive as the
> membership changes frequently. IMO that's why email is so popular for
> file sharing.

How is managing a group membership list easer than managing a mailing
list alias entry (or delegating individual mailing list management
onto a dozen or more users)?

Some points to ponder:

1. a shared file area can be backed up

2. a shared file area can be easily scanned

3. the shared file area will always have the current revision

4. base-64 encoding a file causes it to grow in size by about 40%

5. do you *really* want to be devoting all that disk space to peoples'
inboxes and sent mail folders storing multiple copies of already
bloated Word documents that are 40% larger simply because they're in a
mailbox as a file attachment?

