|
|
@ -2,12 +2,14 @@
|
|
|
|
oletools {
|
|
|
|
oletools {
|
|
|
|
# default olefy settings
|
|
|
|
# default olefy settings
|
|
|
|
servers = "{{ OLETOOLS_ADDRESS }}:11343"
|
|
|
|
servers = "{{ OLETOOLS_ADDRESS }}:11343"
|
|
|
|
|
|
|
|
|
|
|
|
# needs to be set explicitly for Rspamd < 1.9.5
|
|
|
|
# needs to be set explicitly for Rspamd < 1.9.5
|
|
|
|
scan_mime_parts = true;
|
|
|
|
scan_mime_parts = true;
|
|
|
|
extended = true;
|
|
|
|
extended = true;
|
|
|
|
max_size = 3145728;
|
|
|
|
max_size = 3145728;
|
|
|
|
timeout = 20.0;
|
|
|
|
timeout = 20.0;
|
|
|
|
retransmits = 1;
|
|
|
|
retransmits = 1;
|
|
|
|
|
|
|
|
|
|
|
|
patterns {
|
|
|
|
patterns {
|
|
|
|
OLETOOLS_MACRO_FOUND= '^.....M..$';
|
|
|
|
OLETOOLS_MACRO_FOUND= '^.....M..$';
|
|
|
|
OLETOOLS_AUTOEXEC = '^A....M..$';
|
|
|
|
OLETOOLS_AUTOEXEC = '^A....M..$';
|
|
|
@ -18,6 +20,7 @@ oletools {
|
|
|
|
OLETOOLS_W = '(?i)\b(?:FileCopy|CopyFile|Kill|CreateTextFile|VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|WriteProcessMemory|ADODB\.Stream|WriteText|SaveToFile|SaveAs|SaveAsRTF|FileSaveAs|MkDir|RmDir|SaveSetting|SetAttr)\b|(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)';
|
|
|
|
OLETOOLS_W = '(?i)\b(?:FileCopy|CopyFile|Kill|CreateTextFile|VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|WriteProcessMemory|ADODB\.Stream|WriteText|SaveToFile|SaveAs|SaveAsRTF|FileSaveAs|MkDir|RmDir|SaveSetting|SetAttr)\b|(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)';
|
|
|
|
OLETOOLS_X = '(?i)\b(?:Shell|CreateObject|GetObject|SendKeys|RUN|CALL|MacScript|FollowHyperlink|CreateThread|ShellExecuteA?|ExecuteExcel4Macro|EXEC|REGISTER|SetTimer)\b|(?:\bDeclare\b[^\n]+\bLib\b)';
|
|
|
|
OLETOOLS_X = '(?i)\b(?:Shell|CreateObject|GetObject|SendKeys|RUN|CALL|MacScript|FollowHyperlink|CreateThread|ShellExecuteA?|ExecuteExcel4Macro|EXEC|REGISTER|SetTimer)\b|(?:\bDeclare\b[^\n]+\bLib\b)';
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
# mime-part regex matching in content-type or filename
|
|
|
|
# mime-part regex matching in content-type or filename
|
|
|
|
mime_parts_filter_regex {
|
|
|
|
mime_parts_filter_regex {
|
|
|
|
#UNKNOWN = "application\/octet-stream";
|
|
|
|
#UNKNOWN = "application\/octet-stream";
|
|
|
|