[Esd-l] macro scanning...

John D. Hardin jhardin at impsec.org
Sat Nov 1 10:28:02 PST 2003

On Sat, 1 Nov 2003, Agung Kuswanto   NCS wrote:

> If we want sanitizer to be able to strip off any office attachment
> contains any macro. Is there a need to customise the sanitizer
> code? or is it sufficient to play with score settings?

Oh! Okay. Now I understand.

The scanner is currently only scanning for malicious macro/VBA code.

It would be fairly difficult to reliably detect *any* macro this way,
as the list of macro and VBA keywords is large and macros and VBA code
can be very simple.

A better way would be to understand the internal format of the Word
and Excel documents, and check to see whether there are any macro or
code objects defined. That's unfortunately well beyond the scope of
the sanitizer script.

I don't know whether there are any Word or Excel object libraries for
Perl on CPAN. That would be a good place to look.

There are also lots of open-source Word viewers that might be
modifiable to do this. I don't know of any open-source Excel-aware
packages that are lighter-weight than Gnumeric or Open Office...

Once you had such a program, it would be easy to add a call into the
sanitizer after the document has been save to a file for scanning. But
doing such scanning within the current sanitizer is difficult.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  "...people who like assault weapons they should join the United
  States Army, we have them."
                              -- Gen. Wesley Clark, candidate, on CNN

  "Germans who wish to use firearms should join the SS or the SA -
  ordinary citizens don't need guns, as their having guns doesn't
  serve the State."
                              -- Heinrich Himmler
   4 days until Matrix Revolutions

More information about the esd-l mailing list