[Esd-l] macro scanning...

Agung Kuswanto NCS kagung at ncs.com.sg
Mon Nov 3 22:14:47 PST 2003


Thanks for your recommendations.

There are a few libraries on CPAN to read/write MS Excel files. But unfortunately
they can't detect any macros, and according to them macros in Excel files are
not documented.

Btw, how does the content filtering program know there's a macro inside an Office
attachment, regardless of whether it is malicious or not?

Thanks & Best Regards
Agung K

-----Original Message-----
From: John D. Hardin [mailto:jhardin at impsec.org] 
Sent: Sunday, November 02, 2003 2:28 AM
To: Agung Kuswanto NCS
Cc: 'esd-l at spconnect.com'
Subject: RE: [Esd-l] macro scanning...


On Sat, 1 Nov 2003, Agung Kuswanto   NCS wrote:

> If we want the sanitizer to be able to strip off any Office attachment
> that contains any macro, is there a need to customise the sanitizer code?
> Or is it sufficient to play with score settings?

Oh! Okay. Now I understand.

The scanner is currently only scanning for malicious macro/VBA code.

It would be fairly difficult to reliably detect *any* macro this way, as the
list of macro and VBA keywords is large and macros and VBA code can be very
simple.

A better way would be to understand the internal format of the Word and
Excel documents, and check to see whether there are any macro or code
objects defined. That's unfortunately well beyond the scope of the sanitizer
script.

I don't know whether there are any Word or Excel object libraries for Perl
on CPAN. That would be a good place to look.

There are also lots of open-source Word viewers that might be modifiable to
do this. I don't know of any open-source Excel-aware packages that are
lighter-weight than Gnumeric or Open Office...

Once you had such a program, it would be easy to add a call into the
sanitizer after the document has been saved to a file for scanning. But doing
such scanning within the current sanitizer is difficult.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
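The format-level check discussed in this thread (look for macro or code objects in the document structure instead of matching keywords), as an added example that is not part of the original messages or of the sanitizer. It walks the directory of an OLE2 compound file, the container used by Word and Excel 97-2003, and reports the storages that hold a VBA project. The function names are hypothetical, the sample document is constructed in the code, and only the FAT sectors listed in the header are read, so very large files are rejected rather than guessed at.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
# Storage/stream names that hold a VBA project in Word and Excel 97-2003 files.
VBA_NAMES = {"macros", "_vba_project_cur", "vba", "_vba_project"}

def directory_entries(data):
    """Return [(name, type)] for every directory entry (1=storage, 2=stream, 5=root)."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    try:
        size = 1 << struct.unpack_from("<H", data, 30)[0]        # sector size
        nfat, s = struct.unpack_from("<II", data, 44)            # FAT count, first dir sector
        fat = []
        for fs in struct.unpack_from("<109I", data, 76)[:nfat]:  # header DIFAT only
            fat += struct.unpack_from("<%dI" % (size // 4), data, (fs + 1) * size)
        found, seen = [], set()
        while s != ENDOFCHAIN:                                   # follow the directory chain
            if s >= len(fat) or s in seen:
                raise ValueError("broken directory chain")
            seen.add(s)
            for off in range((s + 1) * size, (s + 2) * size, 128):
                nlen, etype = struct.unpack_from("<HB", data, off + 64)
                if etype in (1, 2, 5) and 2 <= nlen <= 64:
                    name = data[off:off + nlen - 2].decode("utf-16-le", "replace")
                    found.append((name, etype))
            s = fat[s]
        return found
    except (struct.error, OverflowError):
        raise ValueError("truncated or malformed compound file")

def macro_entries(data):
    """Names of directory entries that indicate a VBA project, malicious or not."""
    return [n for n, _ in directory_entries(data) if n.lower() in VBA_NAMES]

def build_sample(entries):
    """Constructed input: header, one FAT sector, one directory sector (max 4 entries)."""
    head = OLE_MAGIC + bytes(16) + struct.pack("<5H6x9I", 0x3E, 3, 0xFFFE, 9, 6,
        0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0) + struct.pack("<109I", 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    directory = b""
    for name, etype in entries:
        raw = (name + "\0").encode("utf-16-le")
        directory += raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), etype) + bytes(61)
    return head + fat + directory.ljust(512, b"\0")

if __name__ == "__main__":
    doc = build_sample([("Root Entry", 5), ("WordDocument", 2), ("Macros", 1), ("VBA", 1)])
    print(macro_entries(doc))
```

A filter calling this on a saved attachment should treat `ValueError` as "could not verify" and not as "no macros". Excel 4.0 macro sheets are stored inside the Workbook stream itself, so a directory walk like this one does not see them.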