
oledump.py is a program to analyze OLE files (Compound File Binary Format). These files contain streams of data, and oledump lets you analyze those streams. Many applications use this file format; the best known is MS Office: .doc, .xls, .ppt, … are OLE files (docx, xlsx, … are the newer file format: XML inside ZIP). oledump has an embedded man page: run oledump.py -m to view it.

Run oledump.py on a .xls file and it will show you the streams.

The letter M next to streams 7, 8, 9 and 10 indicates that the stream contains VBA macros. You can select a stream to dump its content. The source code of VBA macros is compressed when stored inside a stream; use option -v to decompress the VBA macros.

You can write plugins (in Python) to analyze streams. Plugin plugin_http_heuristics.py uses a couple of tricks to extract URLs from malicious, obfuscated VBA macros.

You might have noticed that the file analyzed in the above screenshot is a zip file. Like many of my analysis programs, oledump.py can analyze a file inside a (password protected) zip file. This allows you to store your malware samples in password protected zip files (password: infected), and then analyze them without having to extract them.

And if you suspect that the content of a stream is encoded, for example with XOR, you can try to brute-force the XOR key with a simple decoder I provide (or you can develop your own decoder in Python).

If you install the YARA Python module, you can scan the streams with YARA rules.

This program requires the Python module OleFileIO_PL.

Typically, if you run an enterprise mail server, as I do (for, let's say, an administration, sort of), you should quarantine each and every Office document containing VBA. Exactly what I do, with your precious tool. I use sys.exit(exitcode), where exitcode is set when a document contains a macro module. Nowadays, those trojan loaders (2 or 3 stages) are very poorly detected by antiviruses. And this is where oledump.py plays a very useful role. It is easy to remove and quarantine possibly dangerous documents (by their extensions), but you cannot refuse those Office documents because they are part of our administrative work. It comes as an addon of my (own-brewed) antispam, Spam-HL, which itself is called by my mail server (MDaemon). I added a module that identifies the attachments both by their extensions and their signature, and processes them accordingly. … .docx would raise a “mismatch” and… a quarantine. I also make use of your PDF tool, even if it is not able to scan 100% of the documents. This way, 99.5% of the spam and 100% of the viruses are stopped before reaching my (so precious) users. This is a must, since my server is well known and very exposed: I get almost all versions of zero-day trojans, each and every day… They would gently pass any antivirus solution, without problem (I have Kaspersky on the mail server, Clam on the firewall, and Avira on the workstations: just a bunch of useless crap).
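The stream listing and the "M" indicator from the post, wired to the exit-code quarantine gate the comment describes, as an added example; this is not oledump.py's code. It assumes a deliberately simplified OLE file: a flat CFB (no sub-storages) whose streams are at least 4096 bytes, so the mini FAT is never consulted, no DIFAT sectors beyond the 109 header entries, and an MS-OVBA compressed container at offset 0 of the module stream. In real documents the container starts at an offset recorded in the VBA project's `dir` stream, so `has_compressed_vba` is a demo heuristic rather than oledump's detection. The sample file is constructed in memory by `build_sample_ole`.

```python
#!/usr/bin/env python3
"""Minimal OLE/CFB stream lister with a VBA exit-code gate (added example, not oledump.py).
Simplifications: flat file, streams >= 4096 bytes (no mini FAT), header DIFAT only,
compressed VBA assumed at offset 0 of the stream. Sample input is constructed below."""
import struct
import sys

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
STREAM, ROOT = 2, 5                                  # directory entry object types


def list_streams(data):
    """Return {name: content} for every stream entry, following regular FAT chains."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE/CFB file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    difat = struct.unpack_from("<109I", data, 76)[:num_fat]   # FAT sector numbers in the header

    def sector(n):                                   # sector n starts at (n + 1) * sector_size
        return data[(n + 1) * sector_size:(n + 2) * sector_size]

    fat = []
    for s in difat:
        fat.extend(struct.unpack("<%dI" % (sector_size // 4), sector(s)))

    def chain(start):                                # concatenate one FAT chain
        out, s = bytearray(), start
        while s != ENDOFCHAIN:
            out += sector(s)
            s = fat[s]
        return bytes(out)

    streams = {}
    directory = chain(first_dir)
    for off in range(0, len(directory), 128):        # 128-byte directory entries
        entry = directory[off:off + 128]
        name_len, obj_type = struct.unpack_from("<HB", entry, 64)
        if obj_type != STREAM:
            continue
        name = entry[:name_len - 2].decode("utf-16-le")      # name_len counts the UTF-16 NUL
        start, size = struct.unpack_from("<IQ", entry, 116)
        if size < 4096:
            raise NotImplementedError("mini-stream entries are out of scope for this demo")
        streams[name] = chain(start)[:size]
    return streams


def has_compressed_vba(stream):
    """Demo 'M' indicator: MS-OVBA container signature 0x01 followed by a chunk header
    whose bits 12-14 are 0b011. Heuristic: checks offset 0 only."""
    if len(stream) < 3 or stream[0] != 0x01:
        return False
    header = struct.unpack_from("<H", stream, 1)[0]
    return (header >> 12) & 0x7 == 0b011


def macro_exit_code(data):
    """Quarantine gate: 1 if any stream carries VBA, else 0. Fails closed: a file this
    parser cannot handle is treated as suspicious rather than waved through."""
    try:
        return int(any(has_compressed_vba(s) for s in list_streams(data).values()))
    except (ValueError, NotImplementedError, IndexError, struct.error):
        return 1


def build_sample_ole(stream_name, payload):
    """Constructed single-stream CFB file: header | sector 0 = FAT | sector 1 = directory | data."""
    payload = payload.ljust(4096, b"\x00")           # stay above the mini-stream cutoff
    n_data = -(-len(payload) // 512)
    fat = [FATSECT, ENDOFCHAIN] + list(range(3, 2 + n_data)) + [ENDOFCHAIN]
    fat += [FREESECT] * (128 - len(fat))
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)    # minor, major, byte order, shifts
    struct.pack_into("<IIII", header, 44, 1, 1, 0, 4096)            # FAT count, first dir, txn, cutoff
    struct.pack_into("<IIII", header, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT sectors
    struct.pack_into("<109I", header, 76, 0, *[FREESECT] * 108)     # DIFAT[0]: the FAT is sector 0

    def entry(name, obj_type, child, start, size):
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(raw)] = raw
        struct.pack_into("<HBB", e, 64, len(raw), obj_type, 1)
        struct.pack_into("<III", e, 68, FREESECT, FREESECT, child)   # left, right, child
        struct.pack_into("<IQ", e, 116, start, size)
        return e

    directory = entry("Root Entry", ROOT, 1, ENDOFCHAIN, 0) + entry(stream_name, STREAM, FREESECT, 2, len(payload))
    return bytes(header) + struct.pack("<128I", *fat) + bytes(directory.ljust(512, b"\x00")) + payload


# Constructed stream: 0x01, chunk header 0xB008 (compressed, size 11), flag byte, eight literals.
SAMPLE_VBA_STREAM = b"\x01\x08\xB0\x00Attribut"

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_ole("Module1", SAMPLE_VBA_STREAM)
    for name, content in list_streams(blob).items():
        print("%s %6d %s" % ("M" if has_compressed_vba(content) else " ", len(content), name))
    sys.exit(macro_exit_code(blob))
```

The gate returns 1 for anything it cannot parse; in a mail pipeline that is the safer default, since a malformed attachment is more likely an evasion attempt than a legitimate document.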
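What option -v does, followed by a plugin-style URL heuristic, as an added example that is neither oledump.py nor plugin_http_heuristics.py. `decompress_vba` implements the MS-OVBA compressed container format (signature byte, 2-byte chunk headers, flag byte plus eight literal/copy tokens, and the position-dependent offset/length split of copy tokens). `http_heuristics` is my own simplified version of the plugin idea: fold `Chr(n)` calls and `"a" & "b"` concatenations before grepping for URLs. Both inputs below are constructed for the demo; the container was assembled by hand and contains one copy token.

```python
#!/usr/bin/env python3
"""MS-OVBA decompression (oledump.py -v) plus a plugin-style URL heuristic.
Added example, not oledump.py or plugin_http_heuristics.py. Inputs are constructed."""
import re
import struct


def decompress_vba(container):
    """Decompress an MS-OVBA CompressedContainer into the VBA source bytes."""
    if not container or container[0] != 0x01:
        raise ValueError("missing compressed container signature 0x01")
    out, pos = bytearray(), 1
    while pos + 2 <= len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        size = (header & 0x0FFF) + 3                  # CompressedChunkSize includes the header
        pos += 2
        end, chunk_start = pos + size - 2, len(out)
        if not header >> 15:                          # flag clear: 4096 raw bytes, no tokens
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < end:
            flags = container[pos]
            pos += 1
            for bit in range(8):
                if pos >= end:
                    break
                if (flags >> bit) & 1 == 0:           # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # Copy token: the offset/length bit split grows with the amount of the
                # current chunk already decompressed (minimum 4 offset bits).
                difference = len(out) - chunk_start
                bit_count = max((difference - 1).bit_length(), 4)   # ceil(log2(difference))
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):               # byte by byte: source may overlap destination
                    out.append(out[src + i])
    return bytes(out)


def http_heuristics(vba_source):
    """Fold Chr(n) and "a" & "b" concatenations, then grep for URLs."""
    text = vba_source.decode("latin-1")
    text = re.sub(r"Chr\((\d+)\)", lambda m: '"%s"' % chr(int(m.group(1))), text)
    text = re.sub(r'"\s*[&+]\s*"', "", text)          # "ht" & "tp" -> "http"
    return re.findall(r"https?://[\w.\-/]+", text)


# Constructed container: one compressed chunk, 57 data bytes, one copy token.
SAMPLE_CONTAINER = (
    b"\x01"                      # container signature
    b"\x38\xB0"                  # chunk header 0xB038: compressed, signature 0b011, size 59
    b"\x00Attribut"              # flag 0x00 -> eight literal tokens
    b"\x00e VB_Nam"
    b'\x00e = "M1"'
    b"\x00\r\nSub Au"
    b"\x00toOpen()"
    b"\x40\r\nEnd "              # flag 0x40 -> tokens 0-5 literal, token 6 copy, token 7 literal
    b"\x00\x4C"                  #   copy token 0x4C00 at position 46: offset 20, length 3 -> "Sub"
    b"\r"
    b"\x00\n"                    # final sequence: a single literal token
)

# Constructed obfuscated macro text (already decompressed).
SAMPLE_OBFUSCATED = b'Sub AutoOpen()\r\nu = Chr(104) & "ttp://" & "mal" & "ware.example/" & "load.exe"\r\nEnd Sub\r\n'

if __name__ == "__main__":
    print(decompress_vba(SAMPLE_CONTAINER).decode())
    print(http_heuristics(SAMPLE_OBFUSCATED))
```

The copy-token decoding is the part people get wrong: the number of bits reserved for the offset is not fixed but derived from the current position inside the chunk, and the copy must be performed byte by byte because the source range may overlap the bytes being written.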
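The XOR brute force the post mentions, as an added example rather than the decoder shipped with oledump.py. It tries every single-byte key against an encoded stream and keeps the keys whose output contains an expected plaintext marker; it also shows the shortcut a practitioner uses first: zero padding in a PE header XORs to the key itself, so the most frequent byte of the encoded stream is usually the key. The encoded stream and the marker list are constructed assumptions for the demo.

```python
#!/usr/bin/env python3
"""Single-byte XOR key brute force for an encoded stream (added example, not oledump's decoder).
The encoded payload is constructed here; markers assume an embedded PE or VBA source."""

MARKERS = [b"This program cannot be run in DOS mode", b"Attribute VB_", b"MZ"]


def xor(data, key):
    """XOR every byte with a one-byte key."""
    return bytes(b ^ key for b in data)


def bruteforce_xor(stream, markers=MARKERS, min_marker_len=4):
    """Return [(key, marker)] for every key whose output contains a marker.
    Short markers such as MZ only count at offset 0, to limit false hits."""
    hits = []
    for key in range(256):
        plain = xor(stream, key)
        for m in markers:
            found = m in plain if len(m) >= min_marker_len else plain.startswith(m)
            if found:
                hits.append((key, m))
                break
    return hits


def guess_key_from_padding(stream):
    """Most frequent byte of the encoded stream: zero padding XOR key == key."""
    return max(set(stream), key=stream.count)


# Constructed sample: a fake PE header (MZ, padding) and the DOS stub string, XORed with 0x5A.
PLAINTEXT = b"MZ\x90\x00" + b"\x00" * 56 + b"This program cannot be run in DOS mode.\r\n"
ENCODED = xor(PLAINTEXT, 0x5A)

if __name__ == "__main__":
    print("padding guess: 0x%02X" % guess_key_from_padding(ENCODED))
    for key, marker in bruteforce_xor(ENCODED):
        print("key 0x%02X matches %r" % (key, marker))
```

Rather than only scanning output for markers, checking the frequency of bytes first is cheap and also works when the plaintext is something you have no marker for.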
