Skip to content

This python based milter (mail-filter) checks an incoming mail for suspicious VBA macro code in MS 20xx Office attachments (doc, xls, ppt ...).

License

Notifications You must be signed in to change notification settings

sbidy/MacroMilter

Repository files navigation

Version 3.6.1

Build Status

Changelog 3.6.1:

  • Fix for tmp filehandle error
  • Add new config option for dumping the mail body for forensics

Changelog 3.6:

  • fixing multiple issues and bugs (#41 , #38, #37, #35, #31, #30)
  • Add MIME header for the different stages.
  • The hash db is updated to SHA256 instead of MD5. Old MD5 hashes still supported.

Contributing

I need some code review and help to make this milter better! If you find some bugs or the code is "creepy" -> feel free to contribute :) To contribute, please fork this repository and make pull requests to the master or testing branch.

Branches

master = production grade and tested implementation

testing = only for testing and non-prod. environments

Abstract

This python based milter for the Sendmail and Postfix e-mail servers (mail-filter) checks an incoming mail for MS 20xx Office attachments. If a MS Office file is attached to the mail it will be scanned for suspicious VBA macro code. Documents with malicious macros are removed and replaced by harmless text files or will be rejected to the sender (see config.ini).

Supported Office formats:

  • Word 97-2003 (.doc, .dot), Word 2007+ (.docm, .dotm)
  • Excel 97-2003 (.xls), Excel 2007+ (.xlsm, .xlsb)
  • PowerPoint 97-2003 (.ppt), PowerPoint 2007+ (.pptm, .ppsm)
  • Word 2003 XML (.xml)
  • Word/Excel Single File Web Page / MHTML (.mht)
  • Publisher (.pub)

Paper (german only) -> download link

Video / Talk (german only) -> HdM-events

Chemnitzer Linux Tage 2018 - Talk -> CLT2018

The repo is optimized for Visual Studio

Features

  • Parsing VBA macros for suspicious code and function calls
  • Uses the milter interface at postfix and sendmail
  • Easy to implement
  • Not based on virus heuristics (high detection rate)
  • Whitelisting
  • Creates a hashtable for already scanned files (prevents rescans)
  • Runs at the pre-queue at postfix

Dependencies

This milter use the functionality from the oletools (https://bitbucket.org/decalage/oletools) and pymilter (https://pythonhosted.org/milter/) projects.

Installation

Debian and Ubuntu

Download the "install_ubuntu.sh" script from the repo - install_ubuntu.sh. It creates and downloads all required files and packages. Please use for Ubunut 14.10 and higher the "old" systemd script part! For 14.0x and older please use the upstart part!

Fedora

dnf install macromilter
systemctl enable --now macromilter.service

postconf -e smtpd_milters=inet:127.0.0.1:3690 milter_default_action=accept
systemctl reload postfix.service

Red Hat Enterprise Linux and CentOS

yum install epel-release  # Only if EPEL is not already enabled

yum install macromilter
systemctl enable --now macromilter.service

postconf -e smtpd_milters=inet:127.0.0.1:3690 milter_default_action=accept
systemctl reload postfix.service

User whitelist

To allow a user or whole domain to send false-positive VAB-Macro-Mails, enter only the user mail address ([email protected]) or the domain (@domain.com). See config.ini for more details.

Macro whitelist

To allow only a special and wellknown macro code, add the SHA256 hash to the Macrohash part in the configuration file. You will find the raw macro hash in the macromilter log file INFO [ID] The macro hash is: <the sha256 value>. Please use only this one! Keep in mind, that the file hash has also to be deleted form the "hashdatabse".

TBD

  • Config-File error handling
  • HTML-Dashboard
  • Setup-package for pip

Authors

Stephan Traub - Sbidy -> https://github.com/sbidy

Robert Scheck - robert-scheck -> https://www.robert-scheck.de/

Credits

Philippe Lagadec https://github.com/decalage2 - oletools

Stuart D. Gathman https://github.com/sdgathman - pymilter

License

The MIT License (MIT)

About

This python based milter (mail-filter) checks an incoming mail for suspicious VBA macro code in MS 20xx Office attachments (doc, xls, ppt ...).

Resources

License

Stars

Watchers

Forks

Packages

No packages published