[Mimedefang] Checking Office XML Files

Kevin A. McGrail KMcGrail at PCCC.com
Thu Apr 13 10:25:52 EDT 2017


On 4/13/2017 9:43 AM, Dianne Skoll wrote:
> On Thu, 13 Apr 2017 07:15:24 -0400
> "Kevin A. McGrail" <KMcGrail at pccc.com> wrote:
>
>> Any ideas how to reliably detect if they are password protected
>> Office files and deal with them appropriately?
> :) Funny you should ask!  We do this in CanIt.
>
> There's a program called "lsar" that can print out all kinds of useful info
> about all kinds of archive formats, including MS Office files.  Some encrypted
> office files contain a subfile called "EncryptionInfo" while for others,
> "lsar" issues an "XADIsEncrypted" attribute.
>
> So you can key off those.
>
> On Debian, "lsar" is part of the "unar" package.
We are on similar pages there.

lsar does indeed identify it correctly.

It was really my mistake thinking that all office xml (docx, xlsx, etc) 
were zip files.

It appears encrypted ones are not!



More information about the MIMEDefang mailing list