[Rspamd-Users] Rspamd and oletools/olefy

Thomas thomas at plant.systems
Sat Jun 29 08:02:17 UTC 2019


On 28.06.2019 at 20:32, Carsten Rosenberg wrote:
> On 28.06.19 15:31, Thomas Plant via Users wrote:
>> Hello all,
>>
>> I'm trying to configure rspamd with oletools, but do not get any symbol
>> in the results of rspamd.
>> The debug output of 'external_services' says that it found a macro:
> ...
>> 2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
>> oletools.lua:157: oletools: macros found - code: , ole_stream:
>> Macros/VBA/ThisDocument, vba_filename: ThisDocument.cls
>> 2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
>> oletools.lua:157: oletools: macros found - code: , ole_stream:
>> Macros/VBA/NewMacros, vba_filename: NewMacros.bas
>> 2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
>> oletools.lua:164: oletools: threat found - type: AutoExec, keyword:
>> AutoOpen, description: Runs when the Word document is opened
>> 2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
>> common.lua:38: oletools: Scanned Macro is OK
>> 2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools;
>> common.lua:186: oletools: saved cached result for
>> rs_oletools_923ec07f9eb20f45ba2be24ce78f3d29c549d2a823de5fdee21417745b7f14518910f37b71f41964e2401250e72a8eeb5d0383722f1cf331949f62123fa0b546:
>> OK - score 1
>>
>> But there is no OLETOOLS symbol set in the mail headers.
>>
>> local.d/external_services.conf looks like the following (it is the default
>> example in the docs):
>>
> ...
>>
>> But still no symbol seen in the headers or rspamd.log.
>>
>> Regards,
>> Thomas
> 
> Hi Thomas,
> 
> this is the intended behavior as documented in the man page. oletools
> should restrict macros using function combinations that could be used to
> install trojans etc.
> 
> In this case a macro needs to be automatically started, maybe at
> DocumentOpen or DocumentSave. Also the macro needs to execute code
> somehow - like opening a shell or placing a file into an autostart
> folder. These functions are categorized with AutoExec and Suspicious.
> 
> In your case oletools just found an AutoExec categorized function and no
> Suspicious one. As the logs told you: "Scanned Macro is OK".
> 
> If you just want to reject every office file with macros, you can much
> more easily enable ClamAV to do this for you.
> 
> Also it's possible with oletools, but you have to enable extended mode
> and pattern match the oletools project's output.
> 
> https://rspamd.com/doc/modules/external_services.html#oletools-extended-mode
> 
> https://github.com/decalage2/oletools/wiki/olevba
> 
> Kind regards
> Carsten
> 

Thanks for the clarification. I overlooked the line in the rspamd docs:

"In the default mode the oletools module will set the result when at
least one AutoExec and one Suspicious function is used."

Maybe it's the almost 40°C temperature around here ;-)

Again thanks and nice weekend,
Thomas
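As an added illustration (not code from rspamd, oletools or either poster), the following Python parses debug lines of the shape quoted in this thread and applies the two policies Carsten describes: the documented default rule, which flags only when at least one AutoExec and at least one Suspicious keyword are both present, and the stricter any-macro rule. The sample log is constructed from the lines above with the wrapped lines joined; the regexes are assumptions about the log layout, not rspamd's own parsing.

```python
import re

# Constructed sample modelled on the rspamd 'external_services' debug lines
# quoted in this thread (each original log line re-joined onto a single line).
SAMPLE_LOG = """\
2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools; oletools.lua:157: oletools: macros found - code: , ole_stream: Macros/VBA/ThisDocument, vba_filename: ThisDocument.cls
2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools; oletools.lua:157: oletools: macros found - code: , ole_stream: Macros/VBA/NewMacros, vba_filename: NewMacros.bas
2019-06-28 15:16:42 #27243(rspamd_proxy) <6f555b>; oletools; oletools.lua:164: oletools: threat found - type: AutoExec, keyword: AutoOpen, description: Runs when the Word document is opened
"""

# Assumed line layouts, derived from the quoted output.
MACRO_RE = re.compile(r"oletools: macros found - .*vba_filename: (?P<name>\S+)")
THREAT_RE = re.compile(
    r"oletools: threat found - type: (?P<type>\w+), keyword: (?P<kw>[^,]+), "
    r"description: (?P<desc>.*)"
)


def parse_oletools_log(text):
    """Return (VBA module filenames, [(type, keyword, description), ...])."""
    macros, threats = [], []
    for line in text.splitlines():
        m = MACRO_RE.search(line)
        if m:
            macros.append(m.group("name"))
            continue
        t = THREAT_RE.search(line)
        if t:
            threats.append((t.group("type"), t.group("kw").strip(), t.group("desc")))
    return macros, threats


def default_mode_flags(threats):
    """Default-mode rule from the rspamd docs: a result is set only when the
    macro uses at least one AutoExec AND at least one Suspicious function."""
    types = {kind for kind, _, _ in threats}
    return "AutoExec" in types and "Suspicious" in types


def any_macro_flags(macros):
    """Stricter policy from the reply: treat every document carrying VBA as a hit."""
    return len(macros) > 0
```

On the thread's own log, `default_mode_flags` is False (AutoOpen alone is not enough, matching "Scanned Macro is OK") while `any_macro_flags` is True.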

