How do I test whether rspamd works with the OLEtools
Carsten Rosenberg
cr at ncxs.de
Thu Nov 28 11:08:03 CET 2019
Hello Frank,
thanks for the file. There is indeed a new variant of the AutoExec in
it. The current Git version of oletools already has that integrated:
+----------+----------------+---------------------------------------------+
|Type      |Keyword         |Description                                  |
+----------+----------------+---------------------------------------------+
|AutoExec  |Image1_Click    |Runs when the file is opened and ActiveX     |
|          |                |objects trigger events                       |
|AutoExec  |Image1_MouseMove|Runs when the file is opened and ActiveX     |
|          |                |objects trigger events                       |
|Suspicious|Open            |May open a file                              |
|Suspicious|Output          |May write to a file (if combined with Open)  |
|Suspicious|Print #         |May write to a file (if combined with Open)  |
|Suspicious|MkDir           |May create a directory                       |
|Suspicious|CreateObject    |May create an OLE object                     |
|Suspicious|CallByName      |May attempt to obfuscate malicious function  |
|          |                |calls                                        |
|Suspicious|Chr             |May attempt to obfuscate specific strings    |
|          |                |(use option --deobf to deobfuscate)          |
|Suspicious|VBA obfuscated  |VBA string expressions were detected, may be |
|          |Strings         |used to obfuscate strings (option --decode to|
|          |                |see all)                                     |
+----------+----------------+---------------------------------------------+
You can use the git version like this:
git clone --recurse-submodules https://github.com/decalage2/oletools.git /opt/oletools
and in /etc/olefy.conf:
OLEFY_OLEVBA_PATH=/opt/oletools/oletools/olevba.py
Best regards, Carsten
On 27.11.19 12:03, Frank Fiene wrote:
> Where should I put it for you?
>
> Current virus patterns already detect the file as a virus.
>
>
> Best regards!
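As an added example (not code from the post, from oletools, from olefy or from rspamd), here is a small Python parser for the olevba summary table quoted above. It turns the wrapped table rows back into one record per keyword and then triages them the way a mail filter would: a document that carries both an AutoExec trigger and suspicious keywords is exactly the case the post is about. The sample table is the one from the post, realigned; the real olefy/rspamd integration does not parse this text form, and the function names `parse_olevba_table` and `triage` are this example's own.

```python
"""Parse olevba's ASCII summary table and triage its findings (added example)."""
from typing import Dict, List

# Constructed sample input: the olevba summary table quoted in the post,
# realigned so every row has the same three columns.
SAMPLE_TABLE = """\
+----------+----------------+---------------------------------------------+
|Type      |Keyword         |Description                                  |
+----------+----------------+---------------------------------------------+
|AutoExec  |Image1_Click    |Runs when the file is opened and ActiveX     |
|          |                |objects trigger events                       |
|AutoExec  |Image1_MouseMove|Runs when the file is opened and ActiveX     |
|          |                |objects trigger events                       |
|Suspicious|Open            |May open a file                              |
|Suspicious|Output          |May write to a file (if combined with Open)  |
|Suspicious|Print #         |May write to a file (if combined with Open)  |
|Suspicious|MkDir           |May create a directory                       |
|Suspicious|CreateObject    |May create an OLE object                     |
|Suspicious|CallByName      |May attempt to obfuscate malicious function  |
|          |                |calls                                        |
|Suspicious|Chr             |May attempt to obfuscate specific strings    |
|          |                |(use option --deobf to deobfuscate)          |
|Suspicious|VBA obfuscated  |VBA string expressions were detected, may be |
|          |Strings         |used to obfuscate strings (option --decode to|
|          |                |see all)                                     |
+----------+----------------+---------------------------------------------+
"""

HEADER = ("Type", "Keyword", "Description")


def parse_olevba_table(text: str) -> List[Dict[str, str]]:
    """Turn olevba's summary table into a list of {type, keyword, description}.

    olevba wraps long cells onto extra lines; a wrapped line has an empty Type
    cell, so its Keyword/Description fragments are merged into the preceding
    record (this is what keeps "VBA obfuscated" + "Strings" as one keyword).
    """
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        # Border lines ("+----") and text outside the table are skipped.
        if not (line.startswith("|") and line.endswith("|")):
            continue
        cells = [c.strip() for c in line[1:-1].split("|")]
        if len(cells) != 3 or tuple(cells) == HEADER:
            continue
        kind, keyword, description = cells
        if kind:
            records.append({"type": kind, "keyword": keyword,
                            "description": description})
        elif records:
            # Continuation row: append the fragments to the previous record.
            last = records[-1]
            if keyword:
                last["keyword"] = f"{last['keyword']} {keyword}".strip()
            if description:
                last["description"] = f"{last['description']} {description}".strip()
    return records


def triage(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarise findings: AutoExec triggers, suspicious keywords, and a flag
    that is set only when both are present (macro code that runs by itself
    and does something worth a closer look)."""
    autoexec = [r["keyword"] for r in records if r["type"] == "AutoExec"]
    suspicious = [r["keyword"] for r in records if r["type"] == "Suspicious"]
    return {
        "autoexec": autoexec,
        "suspicious": suspicious,
        "flag": bool(autoexec) and bool(suspicious),
    }


if __name__ == "__main__":
    result = triage(parse_olevba_table(SAMPLE_TABLE))
    print("AutoExec:", ", ".join(result["autoexec"]))
    print("Suspicious:", ", ".join(result["suspicious"]))
    print("flag:", result["flag"])
```

The continuation handling is the part worth checking when a new oletools release adds keywords: the `Image1_Click` and `Image1_MouseMove` rows wrap only their description, while the last row wraps its keyword as well, and both must come out as single records.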
More information about the Postfixbuch-users mailing list