[Rspamd-Users] Rspamd and oletools/olefy
Carsten Rosenberg
cr at ncxs.de
Fri Jun 28 18:32:15 UTC 2019
On 28.06.19 15:31, Thomas Plant via Users wrote:
> Hello all,
>
> I'm trying to configure rspamd with oletools, but do not get any symbol
> in the results of rspamd.
> The debug output of 'external_services' says that it found a macro:
...
> 2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
> oletools.lua:157: oletools: macros found - code: , ole_stream:
> Macros/VBA/ThisDocument, vba_filename: ThisDocument.cls
> 2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
> oletools.lua:157: oletools: macros found - code: , ole_stream:
> Macros/VBA/NewMacros, vba_filename: NewMacros.bas
> 2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
> oletools.lua:164: oletools: threat found - type: AutoExec, keyword:
> AutoOpen, description: Runs when the Word document is opened
> 2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
> common.lua:38: oletools: Scanned Macro is OK
> 2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
> common.lua:186: oletools: saved cached result for
> rs_oletools_923ec07f9eb20f45ba2be24ce78f3d29c549d2a823de5fdee21417745b7f14518910f37b71f41964e2401250e72a8eeb5d0383722f1cf331949f62123fa0b546:
> OK - score 1
>
> But there is no OLETOOLS symbol set in the mailheaders.
>
> local.d/external_services.conf looks the following (is the default
> example in the docs):
>
...
>
> But still no symbol seen in the headers or rspamd.log.
>
> Regards,
> Thomas
Hi Thomas,
this is the intended behavior, as documented in the man page: oletools
should restrict macros using function combinations that could be used to
install trojans etc.
In this case a macro needs to be started automatically, maybe at
DocumentOpen or DocumentSave. Also, the macro needs to execute code
somehow, like opening a shell or placing a file into an autostart
folder. These functions are categorized as AutoExec and Suspicious.
In your case oletools just found an AutoExec-categorized function and no
Suspicious one. As the logs told you: "Scanned Macro is OK".
If you just want to reject every office file with macros, you can much
more easily enable ClamAV to do this for you.
It's also possible with oletools, but you have to enable extended mode
and pattern match the oletools project's output.
https://rspamd.com/doc/modules/external_services.html#oletools-extended-mode
https://github.com/decalage2/oletools/wiki/olevba
Kind regards
Carsten
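The rule Carsten describes (a macro is only flagged when an AutoExec keyword and a Suspicious keyword occur together, while a bare AutoOpen is "OK") and the stricter "reject anything with a macro" policy, worked through in code. This is an added example, not code from rspamd, olefy or oletools; the report structure is modelled on the keys visible in the log lines above (`macros` entries with `ole_stream`/`vba_filename`/`code`, `analysis` entries with `type`/`keyword`/`description`), and the exact shape of olevba's JSON output is an assumption. All sample reports are constructed.

```python
"""Triage olevba-style analysis results the way the reply above describes.

Added example, not code from rspamd, olefy or oletools. The input structure
is modelled on the keys visible in the thread's log lines; the exact shape
of olevba's JSON output is an assumption.
"""
import json
from collections import Counter

# Constructed sample matching the document in the thread: two macro streams,
# one AutoExec keyword (AutoOpen), nothing in the Suspicious category.
REPORT_AUTOEXEC_ONLY = json.loads("""
{
  "macros": [
    {"ole_stream": "Macros/VBA/ThisDocument", "vba_filename": "ThisDocument.cls", "code": ""},
    {"ole_stream": "Macros/VBA/NewMacros", "vba_filename": "NewMacros.bas", "code": ""}
  ],
  "analysis": [
    {"type": "AutoExec", "keyword": "AutoOpen",
     "description": "Runs when the Word document is opened"}
  ]
}
""")

# Constructed sample of the kind of macro the combination rule is meant to
# catch: auto-start plus a keyword olevba files under Suspicious.
REPORT_DROPPER = json.loads("""
{
  "macros": [
    {"ole_stream": "Macros/VBA/ThisDocument", "vba_filename": "ThisDocument.cls",
     "code": "Sub AutoOpen()\\n  Shell \\"notepad.exe\\"\\nEnd Sub"}
  ],
  "analysis": [
    {"type": "AutoExec", "keyword": "AutoOpen",
     "description": "Runs when the Word document is opened"},
    {"type": "Suspicious", "keyword": "Shell",
     "description": "May run an executable file or a system command"}
  ]
}
""")

# Constructed sample: a document with no VBA at all.
REPORT_NO_MACROS = {"macros": [], "analysis": []}


def categories(report):
    """Count olevba analysis hits per category (AutoExec, Suspicious, IOC, ...)."""
    return Counter(hit["type"] for hit in report.get("analysis", []))


def verdict(report):
    """Default rule from the reply: flag only when the macro both starts
    automatically (AutoExec) and does something olevba classes as
    Suspicious. Returns one of CLEAN, MACRO_OK, SUSPICIOUS."""
    if not report.get("macros"):
        return "CLEAN"
    cats = categories(report)
    if cats["AutoExec"] and cats["Suspicious"]:
        return "SUSPICIOUS"
    return "MACRO_OK"


def has_any_macro(report):
    """Stricter 'reject every office file with macros' policy: true as soon as
    olevba reports any VBA stream, regardless of what it contains."""
    return bool(report.get("macros"))


def explain(report):
    """Reason string in the spirit of the rspamd log lines in the thread."""
    hits = ", ".join(f"{h['type']}:{h['keyword']}" for h in report.get("analysis", []))
    return f"{verdict(report)} (macros={len(report.get('macros', []))}; hits={hits or 'none'})"


if __name__ == "__main__":
    for name, rep in [("autoexec_only", REPORT_AUTOEXEC_ONLY),
                      ("dropper", REPORT_DROPPER),
                      ("no_macros", REPORT_NO_MACROS)]:
        print(f"{name}: {explain(rep)}; any_macro={has_any_macro(rep)}")
```

Running it shows the thread's document landing in MACRO_OK (AutoOpen alone is not enough), the constructed dropper in SUSPICIOUS, and `has_any_macro` catching both, which is the distinction between the default scoring and the "block all macros" policy Carsten points to.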