Mail::SpamAssassin::Plugin::OLEVBMacro(3)  User Contributed Perl Documentation  Mail::SpamAssassin::Plugin::OLEVBMacro(3)

NAME

       Mail::SpamAssassin::Plugin::OLEVBMacro - search attached documents for
       evidence of containing an OLE Macro

SYNOPSIS

         loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

         ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
           body     OLEMACRO eval:check_olemacro()
           describe OLEMACRO Attachment has an Office Macro

           body     OLEMACRO_MALICE eval:check_olemacro_malice()
           describe OLEMACRO_MALICE Potentially malicious Office Macro

           body     OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
           describe OLEMACRO_ENCRYPTED Has an Office doc that is encrypted

           body     OLEMACRO_RENAME eval:check_olemacro_renamed()
           describe OLEMACRO_RENAME Has an Office doc that has been renamed

           body     OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
           describe OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip

           body     OLEMACRO_CSV eval:check_olemacro_csv()
           describe OLEMACRO_CSV Malicious csv file that tries to exec cmd.exe detected
         endif

DESCRIPTION

       This plugin detects OLE macros inside documents attached to emails.  It
       can detect documents inside zip files as well as encrypted documents.

REQUIREMENT

       This plugin requires the Archive::Zip and IO::String Perl modules.

USER PREFERENCES

       The following options can be used in both site-wide ("local.cf") and
       user-specific ("user_prefs") configuration files to customize how the
       module handles attached documents.

       olemacro_num_mime (default: 5)
           Configure the maximum number of matching MIME parts the plugin will
           scan

       olemacro_num_zip (default: 8)
           Configure the maximum number of matching zip members the plugin
           will scan

       olemacro_zip_depth (default: 2)
           Depth to recurse within Zip files

       olemacro_extended_scan ( 0 | 1 ) (default: 0)
           Scan more files for potential macros; the "olemacro_skip_exts"
           parameter will still be honored.  This parameter is off by default
           and is needed only to run the "eval:check_olemacro_renamed"
           rule.  If it is turned on, consider adjusting the values of
           "olemacro_num_mime" and "olemacro_num_zip" and prepare for more CPU
           overhead

       olemacro_prefer_contentdisposition ( 0 | 1 ) (default: 1)
           Choose whether the Content-Disposition header filename should be
           preferred if ambiguity is encountered whilst trying to get the
           filename
66
       olemacro_max_file (default: 1024000)
           Configure the largest file that the plugin will decode from the
           MIME objects

       olemacro_exts (default:
       (?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$)
           Set the case-insensitive regexp used to configure the extensions
           the plugin targets for macro scanning

       olemacro_macro_exts (default:
       (?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$)
           Set the case-insensitive regexp used to configure the extensions
           the plugin treats as containing a macro

       olemacro_skip_exts (default: (?:dotx|potx|ppsx|pptx|sldx|xltx)$)
           Set the case-insensitive regexp used to configure extensions for
           the plugin to skip entirely; these should only be guaranteed
           macro-free files

       olemacro_skip_ctypes (default: ^(?:text\/))
           Set the case-insensitive regexp used to configure content types for
           the plugin to skip entirely; these should only be guaranteed
           macro-free
       olemacro_zips (default: (?:zip)$)
           Set the case-insensitive regexp used to configure extensions for
           the plugin to target as zip files; files listed in the configs
           above are also tested for zip
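
       An added example, not part of the plugin or its documentation: the
       Python sketch below compiles the three default extension regexps
       printed above, reports which lists a filename matches, and finds
       extensions that appear in more than one list.  It assumes the regexps
       are applied to the attachment filename and uses Python's re module in
       place of Perl; the sample filenames are constructed, and this page
       does not state which list takes precedence when several match.

```python
import re

# Default values copied verbatim from the option list on this page.
DEFAULTS = {
    "olemacro_exts": r"(?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$",
    "olemacro_macro_exts": r"(?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$",
    "olemacro_skip_exts": r"(?:dotx|potx|ppsx|pptx|sldx|xltx)$",
}

def compile_lists(patterns):
    """Compile every option value case-insensitively, as the page describes."""
    return {name: re.compile(p, re.IGNORECASE) for name, p in patterns.items()}

def matching_lists(filename, compiled):
    """Names of all options whose regexp matches this attachment filename."""
    return [name for name, rx in compiled.items() if rx.search(filename)]

def alternatives(pattern):
    """Split a '(?:a|b|c)$' value into its literal extensions."""
    m = re.fullmatch(r"\(\?:([^()]+)\)\$", pattern)
    if m is None:
        raise ValueError("not a plain alternation: " + pattern)
    return m.group(1).lower().split("|")

def overlaps(patterns):
    """Extensions listed in more than one option, with the options naming them."""
    seen = {}
    for name, pattern in patterns.items():
        for ext in alternatives(pattern):
            seen.setdefault(ext, []).append(name)
    return {ext: names for ext, names in seen.items() if len(names) > 1}

# Constructed sample filenames, not taken from real mail.
SAMPLES = ["report.doc", "invoice.DOCM", "deck.pptx", "slides.sldm",
           "budget.xltx", "notes.txt"]

if __name__ == "__main__":
    compiled = compile_lists(DEFAULTS)
    for fn in SAMPLES:
        print(f"{fn:14} {', '.join(matching_lists(fn, compiled)) or '(no list)'}")
    for ext, names in overlaps(DEFAULTS).items():
        print(f"listed {len(names)}x: {ext} -> {', '.join(names)}")
```

       With the defaults shown on this page, sldm is listed in two options
       and xltx in all three.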

perl v5.30.1                      2020-02-03       Mail::SpamAssassin::Plugin::OLEVBMacro(3)