[Esd-l] ms word macro virus block?

John D. Hardin jhardin at impsec.org
Fri Mar 14 06:36:17 PST 2003

On Fri, 14 Mar 2003, Kenneth Porter wrote:

> Bob Pietruszka <bobp at tbcc.cc.or.us> wrote:
> > My question is whether there is any way in the sanitizer to block macro
> > viruses such as this one?? I am using version 1.126 of the sanitizer with
> > Sendmail.
> Upgrade? That's a pretty old version. Viruses change quickly, so you need
> to keep your counter-measures updated frequently if you want to have any
> hope of defending yourself.

...that sort of upgrade treadmill is one thing the sanitizer is
designed to avoid. The sanitizer's macro scanner has been stable for a
long time. The only real change in the past several months has been
adding the embedded image and file reference scoring.

1.126 is fairly old, but it probably should have caught the macro
unless it's using some really new tricks.

Several possibilities:

1) The nomacroscan version of the sanitizer is in use.

2) Macro scanning was turned off, or was set to score-only.

3) The macro-poisoned-score was set higher than what the document

4) There was some sort of whitelist that disabled some part of the
sanitizer for this message.

5) The macro scanner in 1.126 doesn't detect this macro.

There are two suggestions:

1) Upgrade to the current macro scanning version of the sanitizer and
verify that you are indeed doing macro scanning and that your poison
score is set to around 40-50, and

2) if possible, zip and send me a copy of the infected document so I
can see whether any new strings need to be added to the macro scanner.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 ...voice or no voice, the people can always be brought to the bidding
 of the leaders. That is easy. All you have to do is tell them they
 are being attacked and denounce the pacifists for lack of patriotism
 and exposing the country to danger. It works the same way in any
                                            -- Hermann Goering
   69 days until The Matrix Reloaded
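The diagnosis above turns on how a score-based macro scanner is configured: scanning off or absent (possibility 1), score-only mode (2), a poison score set above what the document reaches (3), or an indicator list that simply has no string for this macro (5). The Python model below is an added illustration of that logic and is not the Email Sanitizer's own code (the real scanner is procmail and Perl, and its string list and scores are the project's own and are not reproduced here); the indicator strings, their weights, the mode names and the two sample "documents" are all constructed for this example.

```python
"""Illustrative model of score-based macro scanning (added example).

Not the Email Sanitizer's code. The indicator table, weights, mode names
and sample documents are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field

# Constructed indicator table: VBA names that benign macros rarely stack
# together, each with an assumed weight. Presence, not count, is scored.
INDICATORS = {
    rb"AutoOpen": 20,
    rb"Document_Open": 20,
    rb"AutoExec": 20,
    rb"Shell\s*\(": 25,
    rb"CreateObject\s*\(": 15,
    rb"WScript\.Shell": 25,
    rb"Application\.Run": 10,
    rb"VBProject": 15,
}


@dataclass
class ScanResult:
    score: int
    hits: list = field(default_factory=list)
    poisoned: bool = False
    action: str = "deliver"


def scan_macros(doc: bytes, mode: str = "poison", poison_score: int = 45) -> ScanResult:
    """Score a document's macro text against INDICATORS.

    mode: "off"        -- no scanning at all (the nomacroscan case)
          "score-only" -- compute a score but never block
          "poison"     -- quarantine when score >= poison_score
    """
    if mode == "off":
        return ScanResult(score=0)
    result = ScanResult(score=0)
    for pattern, weight in INDICATORS.items():
        if re.search(pattern, doc, flags=re.IGNORECASE):
            result.hits.append(pattern.decode())
            result.score += weight
    if mode == "poison" and result.score >= poison_score:
        result.poisoned = True
        result.action = "quarantine"
    return result


def explain_miss(doc: bytes, mode: str, poison_score: int) -> str:
    """Map a missed detection to the configuration causes listed in the thread."""
    r = scan_macros(doc, mode, poison_score)
    if r.poisoned:
        return "caught"
    if mode == "off":
        return "macro scanning disabled"
    if mode == "score-only":
        return "score-only mode: scored %d but never blocks" % r.score
    if r.score == 0:
        return "no indicator strings matched: scanner needs updated strings"
    return "poison score %d exceeds document score %d" % (poison_score, r.score)


# Constructed sample "documents": plain-text stand-ins for the VBA stream
# a Word file would carry. Neither is a real macro.
BENIGN_DOC = b"Sub FormatTables()\n  Selection.Tables(1).AutoFormat\nEnd Sub\n"
SUSPECT_DOC = (
    b"Sub AutoOpen()\n"
    b"  Set obj = CreateObject(\"WScript.Shell\")\n"
    b"  obj.Run \"PLACEHOLDER\"\n"
    b"End Sub\n"
)

if __name__ == "__main__":
    for mode, threshold in (("poison", 45), ("poison", 100), ("score-only", 45), ("off", 45)):
        r = scan_macros(SUSPECT_DOC, mode, threshold)
        print(f"mode={mode:10s} poison_score={threshold:3d} score={r.score:3d} "
              f"action={r.action:10s} {explain_miss(SUSPECT_DOC, mode, threshold)}")
```

Run stand-alone, the same suspect document is quarantined at a poison score of 45, delivered untouched at 100, delivered with a score attached in score-only mode, and never examined with scanning off; the benign document scores zero in every mode, which is the case where only an updated indicator list would help.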
