Mail::SpamAssassin::Plugin::OLEVBMacro(3)  User Contributed Perl Documentation  Mail::SpamAssassin::Plugin::OLEVBMacro(3)

NAME

       Mail::SpamAssassin::Plugin::OLEVBMacro - scan Office documents for
       evidence of OLE Macros or other exploits

SYNOPSIS

         loadplugin Mail::SpamAssassin::Plugin::OLEVBMacro

         ifplugin Mail::SpamAssassin::Plugin::OLEVBMacro
           body     OLEMACRO eval:check_olemacro()
           describe OLEMACRO Attachment has an Office Macro

           body     OLEOBJ eval:check_oleobject()
           describe OLEOBJ Attachment has an Ole Object

           body     OLERTF eval:check_olertfobject()
           describe OLERTF Attachment has an Ole Rtf Object

           body     OLEMACRO_MALICE eval:check_olemacro_malice()
           describe OLEMACRO_MALICE Potentially malicious Office Macro

           body     OLEMACRO_ENCRYPTED eval:check_olemacro_encrypted()
           describe OLEMACRO_ENCRYPTED Has an Office doc that is encrypted

           body     OLEMACRO_RENAME eval:check_olemacro_renamed()
           describe OLEMACRO_RENAME Has an Office doc that has been renamed

           body     OLEMACRO_ZIP_PW eval:check_olemacro_zip_password()
           describe OLEMACRO_ZIP_PW Has an Office doc that is password protected in a zip

           body     OLEMACRO_CSV eval:check_olemacro_csv()
           describe OLEMACRO_CSV Malicious csv file that tries to exec cmd.exe detected

           body     OLEMACRO_DOWNLOAD_EXE eval:check_olemacro_download_exe()
           describe OLEMACRO_DOWNLOAD_EXE Malicious code inside the Office doc that tries to download a .exe file detected

           body     OLEMACRO_URI_TARGET eval:check_olemacro_redirect_uri()
           describe OLEMACRO_URI_TARGET Uri inside an Office doc

           body     OLEMACRO_MHTML_TARGET eval:check_olemacro_mhtml_uri()
           describe OLEMACRO_MHTML_TARGET Exploitable mhtml uri inside an Office doc
         endif

DESCRIPTION

       This plugin detects OLE Macros or other exploits inside Office
       documents attached to emails.  It can detect documents inside zip files
       as well as encrypted documents.

REQUIREMENT

       This plugin requires the Archive::Zip and IO::String Perl modules.

USER PREFERENCES

       The following options can be used in both site-wide ("local.cf") and
       user-specific ("user_prefs") configuration files to customize how the
       module handles attached documents:

       olemacro_num_mime (default: 5)
           Configure the maximum number of matching MIME parts (attachments)
           the plugin will scan.

       olemacro_num_zip (default: 8)
           Configure the maximum number of matching files inside the zip to
           scan.  To disable zip scanning, set this to 0.

       olemacro_zip_depth (default: 2)
           Depth to recurse within zip files.

       olemacro_extended_scan ( 0 | 1 ) (default: 0)
           Scan all files for potential Office files and/or macros; the
           "olemacro_skip_exts" parameter will still be honored.  This
           parameter is off by default and is needed only to run the
           "eval:check_olemacro_renamed" rule.  If it is turned on, consider
           adjusting the values of "olemacro_num_mime" and "olemacro_num_zip"
           and prepare for more CPU overhead.

       olemacro_prefer_contentdisposition ( 0 | 1 ) (default: 1)
           Choose whether the Content-Disposition header filename should be
           preferred when ambiguity is encountered while trying to determine
           the filename.

       olemacro_max_file (default: 1024000)
           Limit the number of bytes that the plugin will decode and scan from
           the MIME objects (attachments).

       olemacro_exts (default:
       (?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$)
           Set the case-insensitive regexp used to configure the extensions
           the plugin targets for macro scanning.

       olemacro_macro_exts (default:
       (?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xps)$)
           Set the case-insensitive regexp used to configure the extensions
           the plugin treats as containing a macro.

       olemacro_skip_exts (default: (?:dotx|potx|ppsx|pptx|sldx)$)
           Set the case-insensitive regexp used to configure extensions for
           the plugin to skip entirely; these should only be extensions of
           files guaranteed to be macro-free.

       olemacro_skip_ctypes (default: ^(?:text\/))
           Set the case-insensitive regexp used to configure content types for
           the plugin to skip entirely; these should only be content types
           guaranteed to be macro-free.

       olemacro_zips (default: (?:zip)$)
           Set the case-insensitive regexp used to configure extensions for
           the plugin to target as zip files; files matched by the options
           above are also tested for zip.

       olemacro_download_marker (default: (?:cmd(?:\.exe)? \/c ms\^h\^ta
       ht\^tps?:\/\^\/))
           Set the case-insensitive regexp used to match the script used to
           download files from the Office document.
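
       An added example (not code from the plugin or the SpamAssassin
       project): a stand-alone Perl script that applies the default patterns
       listed above to constructed attachment names and content types, with
       and without a candidate "olemacro_skip_exts" override, as a way to
       check a changed pattern before it goes into "local.cf".  The order in
       which the patterns are tried, the triage() helper and the sample
       inputs are assumptions.

```perl
#!/usr/bin/perl
# Added example, not plugin code. Patterns are the defaults printed in this
# man page; the order they are tried in and the samples are assumptions.
use strict;
use warnings;

my %default = (
    olemacro_exts        => qr/(?:doc|docx|dot|pot|ppa|pps|ppt|rtf|sldm|xl|xla|xls|xlsx|xlt|xltx|xslb)$/i,
    olemacro_macro_exts  => qr/(?:docm|dotm|ppam|potm|ppst|ppsm|pptm|sldm|xlm|xlam|xlsb|xlsm|xltm|xps)$/i,
    olemacro_skip_exts   => qr/(?:dotx|potx|ppsx|pptx|sldx)$/i,
    olemacro_skip_ctypes => qr/^(?:text\/)/i,
    olemacro_zips        => qr/(?:zip)$/i,
);

# Return a label naming the documented option that would claim the attachment.
# $override (hypothetical helper argument) swaps a candidate pattern in for a
# default so both can be compared on the same input.
sub triage {
    my ($name, $ctype, $override) = @_;
    my %re = (%default, %{ $override || {} });
    return 'skip (content type)' if $ctype =~ $re{olemacro_skip_ctypes};
    return 'skip (extension)'    if $name  =~ $re{olemacro_skip_exts};
    return 'treated as macro'    if $name  =~ $re{olemacro_macro_exts};
    return 'macro scan'          if $name  =~ $re{olemacro_exts};
    return 'zip'                 if $name  =~ $re{olemacro_zips};
    return 'not targeted';
}

# Constructed sample attachments: [ filename, content type ].
my @samples = (
    [ 'Invoice.DOCM',  'application/octet-stream' ],
    [ 'report.docx',   'application/octet-stream' ],
    [ 'slides.pptx',   'application/octet-stream' ],
    [ 'template.xltx', 'application/octet-stream' ],
    [ 'deck.sldm',     'application/octet-stream' ],  # listed in both exts defaults
    [ 'bundle.zip',    'application/zip' ],
    [ 'notes.doc',     'text/plain' ],                # content type skip wins here
    [ 'statement.pdf', 'application/pdf' ],
);

# Candidate change under review: additionally skip .xltx templates.
my %candidate = ( olemacro_skip_exts => qr/(?:dotx|potx|ppsx|pptx|sldx|xltx)$/i );

printf "%-15s %-21s %s\n", 'attachment', 'default', 'candidate';
printf "%-15s %-21s %s\n", $_->[0], triage(@$_), triage(@$_, \%candidate)
    for @samples;
```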

perl v5.38.0                      2023-07-22 Mail::SpamAssassin::Plugin::OLEVBMacro(3)