[Esd-l] Trapped poisoned Microsoft attachments?

John D. Hardin jhardin at impsec.org
Fri Feb 14 21:02:51 PST 2003


On Fri, 14 Feb 2003, Scott Taylor wrote:

> >I've been using Sanitizer for a while now but recently I've been getting a
> >lot of bounces with the following reason:
> >
> >REPORT: Trapped poisoned Microsoft attachment
> >REPORT: Macro Scanner score: 99
> >STATUS: Message quarantined, not delivered to recipient.
> 
> Macros inside Office documents make up the score.  You can set the
> Max score to allow, it tells you how in John's Docs.
> 
> If I were getting scores over 70 I would want to see what people
> are putting in their macros and make sure it isn't going to create
> or delete or modify any files.  AFAIK, auto-start macros give a
> good high score.  Check out the documents with these scores, it
> may not be something that shows up on your virus scanner, yet.

Actually, right now the cause is probably an embedded image or
external file reference, for which the default score is 99.

There's a config variable for setting the embedded image score, but if
the default is too problematic I will dial it back to 20 or so.

Comments?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
-----------------------------------------------------------------------
   97 days until The Matrix Reloaded


