Mail::SpamAssassin::Plugin::OLEVBMacro(3)    User Contributed Perl Documentation    Mail::SpamAssassin::Plugin::OLEVBMacro(3)

Mail::SpamAssassin::Plugin::OLEVBMacro - search attached documents for
evidence of containing an OLE Macro

loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
  body     OLEMACRO eval:check_olemacro()
  describe OLEMACRO Attachment has an Office Macro

  body     OLEMACRO_MALICE eval:check_olemacro_malice()
  describe OLEMACRO_MALICE Potentially malicious Office Macro

  body     OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
  describe OLEMACRO_ENCRYPTED Has an Office doc that is encrypted

  body     OLEMACRO_RENAME eval:check_olemacro_renamed()
  describe OLEMACRO_RENAME Has an Office doc that has been renamed

  body     OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
  describe OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip

  body     OLEMACRO_CSV eval:check_olemacro_csv()
  describe OLEMACRO_CSV Malicious csv file that tries to exec cmd.exe detected

  body     OLEMACRO_DOWNLOAD_EXE eval:check_olemacro_download_exe()
  describe OLEMACRO_DOWNLOAD_EXE Malicious code inside the Office doc that tries to download a .exe file detected
endif

This plugin detects OLE macros inside documents attached to emails. It
can detect documents inside zip files as well as encrypted documents.

This plugin requires the Archive::Zip and IO::String Perl modules.

The following options can be used in both site-wide ("local.cf") and
user-specific ("user_prefs") configuration files to customize how the
module handles attached documents.

olemacro_num_mime (default: 5)
    Configure the maximum number of matching MIME parts the plugin will
    scan.

olemacro_num_zip (default: 8)
    Configure the maximum number of matching zip members the plugin
    will scan.

olemacro_zip_depth (default: 2)
    Depth to recurse within zip files.

olemacro_extended_scan ( 0 | 1 ) (default: 0)
    Scan more files for potential macros; the "olemacro_skip_exts"
    parameter will still be honored. This parameter is off by default
    and is needed only to run the "eval:check_olemacro_renamed" rule.
    If it is turned on, consider adjusting the values of
    "olemacro_num_mime" and "olemacro_num_zip", and prepare for more
    CPU overhead.

olemacro_prefer_contentdisposition ( 0 | 1 ) (default: 1)
    Choose whether the Content-Disposition header filename is preferred
    when ambiguity is encountered while trying to get the filename.

olemacro_max_file (default: 1024000)
    Configure the largest file that the plugin will decode from the
    MIME objects.

olemacro_exts (default: (?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$)
    Set the case-insensitive regexp used to configure the extensions
    the plugin targets for macro scanning.

olemacro_macro_exts (default: (?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$)
    Set the case-insensitive regexp used to configure the extensions
    the plugin treats as containing a macro.

olemacro_skip_exts (default: (?:dotx|potx|ppsx|pptx|sldx|xltx)$)
    Set the case-insensitive regexp used to configure extensions for
    the plugin to skip entirely. These should only be file types that
    are guaranteed to be macro-free.

olemacro_skip_ctypes (default: ^(?:text\/))
    Set the case-insensitive regexp used to configure content types for
    the plugin to skip entirely. These should only be content types
    that are guaranteed to be macro-free.

olemacro_zips (default: (?:zip)$)
    Set the case-insensitive regexp used to configure extensions for
    the plugin to target as zip files. Files listed in the configs
    above are also tested for zip.
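
An added example (not part of the plugin or its documentation): a Python check of which of the default filename regexps listed above match a given attachment name, case-insensitively. It shows that the patterns match a filename suffix without requiring a dot, and that "xltx" sits in the target, macro and skip lists at once. The function names and sample filenames are constructed for illustration, and the code does not model the order in which the plugin applies the options.

```python
import re

# Default patterns copied from the option list above; the plugin documents
# them as case-insensitive regexps.
DEFAULTS = {
    "olemacro_exts": r"(?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$",
    "olemacro_macro_exts": r"(?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xltx|xps)$",
    "olemacro_skip_exts": r"(?:dotx|potx|ppsx|pptx|sldx|xltx)$",
    "olemacro_zips": r"(?:zip)$",
}


def matching_options(filename, patterns=DEFAULTS):
    """Return the names of every option whose regexp matches the filename."""
    return [name for name, rx in patterns.items()
            if re.search(rx, filename, re.IGNORECASE)]


def skip_conflicts(filenames, patterns=DEFAULTS):
    """Filenames matched by olemacro_skip_exts and also by another list.

    These are the names to review before changing olemacro_skip_exts, since
    that option is documented as skipping a file entirely.
    """
    conflicts = {}
    for fn in filenames:
        hits = matching_options(fn, patterns)
        if "olemacro_skip_exts" in hits and len(hits) > 1:
            conflicts[fn] = [h for h in hits if h != "olemacro_skip_exts"]
    return conflicts


# Constructed sample attachment names (not taken from real mail).
SAMPLES = ["invoice.DOCM", "template.xltx", "slides.pptx",
           "report.doc", "mydoc", "bundle.zip", "notes.txt"]

if __name__ == "__main__":
    for fn in SAMPLES:
        print(f"{fn:15} {matching_options(fn)}")
    print("skip conflicts:", skip_conflicts(SAMPLES))
```

Passing a modified copy of DEFAULTS as the patterns argument lets a site test its own overrides against a list of attachment names before deploying them in "local.cf".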

perl v5.34.0    2021-07-23    Mail::SpamAssassin::Plugin::OLEVBMacro(3)