[Mimedefang] Virus File getting through...
renaud pascal
renaud.pascal at atosorigin.com
Fri Feb 29 12:21:23 EST 2008
On Friday 29 February 2008, Kevin A. McGrail wrote:
> I've seen a new attack vector where a PDF file (from outward appearances)
> contains a trojan called downloader BUT the pdf is embedded in a Word
> Document.
>
> This vector bypasses McAfee and Symantec for the word document but seemingly
> catches the PDF file directly.
>
> I've placed this file on a website:
>
> ***WARNING: THIS IS A MALICIOUS FILE****
>
> http://www.peregrinehw.com/html/downloads/junk/word_document_with_virus-trojan-downloader.doc
>
> ***WARNING: THIS IS A MALICIOUS FILE
Hey, that's three times you say it's a .doc!
> ****
>
> Anyone have any thoughts about how to block this?
Yes, but not so practical in a PHB environment, add it to the $bad_exts
> I think ClamAV catches it
> and I'm testing that but I'm looking for something more elegant if this
> explodes as a new delivery method.
That may well be the time we all were waiting for, panting, the time we
could explain to the users and they would understand, why the hell
sending a .doc (and akin) is just not evil but simply plain stupid ;-)
That may even be the time to eradicate a few related irritating stuff,
just a couple of ideas;
$ awk 'NR>3{exit} /Msft/{print "FOOT AIM SHOOT"}'
$ awk 'NR>3{exit} /contains an embedded object/{print "KILLME"}'
Ah! I'll have to HUP this mail now as I see my PHB's coming fast
on here, looks weird, as a BBerry in one hand and doing strange
moves with the others ;->
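
As a complement to the extension block and the awk checks in the message above, here is an added example (not part of the original post, and not MIMEDefang code) of a content-based heuristic that flags legacy Word attachments carrying embedded objects. The function name, the result fields and the sample byte strings are assumptions constructed for illustration; it is a byte-pattern scan, not a full OLE2 compound-file parser.

```python
# Added example: heuristic scan of an attachment for an OLE2 container
# (legacy .doc/.xls/.ppt) that holds embedded objects, such as a PDF
# packaged inside a Word document as described in the thread.

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file header signature

# Directory entry names are stored as UTF-16LE inside the container.
EMBED_MARKERS = {
    "ObjectPool": "ObjectPool".encode("utf-16-le"),    # storage Word uses for embedded objects
    "Ole10Native": "Ole10Native".encode("utf-16-le"),  # stream that holds a packaged file
}

# Signatures of payload types that may sit inside the container.
PAYLOAD_SIGS = {"pdf": b"%PDF-"}


def scan_attachment(data: bytes) -> dict:
    """Return what was found; 'suspicious' means an OLE2 file with embedded content."""
    is_ole2 = data.startswith(OLE2_MAGIC)
    markers, payloads = [], []
    if is_ole2:
        body = data[len(OLE2_MAGIC):]
        markers = sorted(name for name, pat in EMBED_MARKERS.items() if pat in body)
        payloads = sorted(name for name, sig in PAYLOAD_SIGS.items() if sig in body)
    return {
        "ole2": is_ole2,
        "markers": markers,
        "payloads": payloads,
        "suspicious": bool(markers or payloads),
    }


# Constructed sample inputs (not real documents): just enough bytes to
# exercise each branch of the scan.
PAD = b"\x00" * 504
CLEAN_DOC = OLE2_MAGIC + PAD + "WordDocument".encode("utf-16-le")
EMBEDDED_DOC = (CLEAN_DOC + EMBED_MARKERS["ObjectPool"] + b"\x00" * 64
                + b"\x01\x00" + EMBED_MARKERS["Ole10Native"] + b"%PDF-1.4\n")
PLAIN_PDF = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\n"

if __name__ == "__main__":
    for label, blob in [("clean.doc", CLEAN_DOC), ("embedded.doc", EMBEDDED_DOC),
                        ("plain.pdf", PLAIN_PDF)]:
        print(label, scan_attachment(blob))
```

Because it keys on the container contents rather than the file name, a renamed attachment is still flagged; ordinary documents with legitimate embedded charts or spreadsheets will also match, so the result suits quarantine or review rather than silent rejection.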