From 7e1ab7978eec83ebb9a6be2d1b4baeb58e5097d6 Mon Sep 17 00:00:00 2001
From: Florent Daigniere
Date: Wed, 23 Nov 2022 18:56:16 +0100
Subject: [PATCH] Block VBA Stomping too
---
 core/rspamd/conf/composites.conf | 2 +-
 core/rspamd/conf/external_services.conf | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/core/rspamd/conf/composites.conf b/core/rspamd/conf/composites.conf
index d7031520..28a3e9c3 100644
--- a/core/rspamd/conf/composites.conf
+++ b/core/rspamd/conf/composites.conf
@@ -5,7 +5,7 @@ OLETOOLS_MACRO_MRAPTOR {
 score = 20.0;
 }
 OLETOOLS_MACRO_SUSPICIOUS {
- expression = "OLETOOLS & OLETOOLS_SUSPICIOUS";
+ expression = "OLETOOLS_SUSPICIOUS | OLETOOLS_VBASTOMP";
 message = "Rejected (malicious macro)";
 policy = "leave";
 score = 20.0;
diff --git a/core/rspamd/conf/external_services.conf b/core/rspamd/conf/external_services.conf
index 2a918caa..267a9d80 100644
--- a/core/rspamd/conf/external_services.conf
+++ b/core/rspamd/conf/external_services.conf
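Review bot: The new expression also drops the `OLETOOLS &` conjunct, so OLETOOLS_MACRO_SUSPICIOUS no longer requires the base scan symbol; that is harmless only if OLETOOLS_SUSPICIOUS and OLETOOLS_VBASTOMP can be set solely from an oletools scan result, which the patterns block in external_services.conf suggests but this hunk does not show. A stomping-only hit now gets the same `message = "Rejected (malicious macro)"` and 20.0 reject score as a suspicious-keyword hit, so log readers cannot tell a keyword match from a p-code/source mismatch when auditing a rejection. A separate composite, e.g. `OLETOOLS_MACRO_VBASTOMP { expression = "OLETOOLS_VBASTOMP"; message = "Rejected (VBA stomping)"; policy = "leave"; score = 20.0; }`, or at least a comment above the expression such as `# VBASTOMP alone is enough to reject: the stored p-code no longer matches the VBA source an analyser sees`, would keep the rejection reason auditable. The OLETOOLS_MACRO_MRAPTOR block starts outside the hunk, so whether it still uses an `OLETOOLS &` guard and should be aligned cannot be checked here.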
@@ -13,6 +13,7 @@ oletools {
 OLETOOLS_MACRO = '^.....M..$';
 OLETOOLS_AUTOEXEC = '^A....M..$';
 OLETOOLS_SUSPICIOUS = '^.....MS.$';
+ OLETOOLS_VBASTOMP = '^.....M.V$';
 # see https://github.com/decalage2/oletools/blob/master/oletools/mraptor.py
 OLETOOLS_A = '(?i)\b(?:Auto(?:Exec|_?Open|_?Close|Exit|New)|Document(?:_?Open|_Close|_?BeforeClose|Change|_New)|NewDocument|Workbook(?:_Open|_Activate|_Close|_BeforeClose)|\w+_(?:Painted|Painting|GotFocus|LostFocus|MouseHover|Layout|Click|Change|Resize|BeforeNavigate2|BeforeScriptExecute|DocumentComplete|DownloadBegin|DownloadComplete|FileDownload|NavigateComplete2|NavigateError|ProgressChange|PropertyChange|SetSecureLockIcon|StatusTextChange|TitleChange|MouseMove|MouseEnter|MouseLeave|OnConnecting))|Auto_Ope\b';
 OLETOOLS_W = '(?i)\b(?:FileCopy|CopyFile|Kill|CreateTextFile|VirtualAlloc|RtlMoveMemory|URLDownloadToFileA?|AltStartupPath|WriteProcessMemory|ADODB\.Stream|WriteText|SaveToFile|SaveAs|SaveAsRTF|FileSaveAs|MkDir|RmDir|SaveSetting|SetAttr)\b|(?:\bOpen\b[^\n]+\b(?:Write|Append|Binary|Output|Random)\b)';
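Review bot: The added `OLETOOLS_VBASTOMP = '^.....M.V$';` pins the V flag to the eighth column of the scan's flag string, but nothing in the file says what the columns mean; the mraptor.py link on the next line covers the keyword lists below, not the flag layout, so a reader has to reverse it from the four anchored patterns. A comment above the first pattern, e.g. `# 8-column flag string from the oletools scan: col 6 = M (macro present), 7 = S (suspicious), 8 = V (presumably VBA stomping, p-code differs from source) -- confirm against the deployed oletools`, would let the three M-anchored patterns be reviewed side by side. Because all four patterns are anchored with `^`/`$`, a longer flag string from a newer oletools release would silently stop every one of them matching, including this new stomping rule; a test document in the regression set, or a note that the column count is version-bound, would make that failure visible. The enclosing `oletools {` block starts outside the hunk.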