Printable View
The Wolfman has been assigned the task of finding all Macro's on his network servers. Does anyone know of a Macro scanner that can be used to:
1) locate documents that contains macro's
2) locate macro code (VBScript?)
Is there a unique document header that is created when a macro has been added to a document? If so, can it be scanned?
Thanks
Hmm... What kind of file server? If you're using m$ 2003, you can run reports on file types. Create a file group with all of the filetypes you want to look for. Then create a new filescreen template to report on that file group you just created. There are many filegroups already there by default.
Office 2007 uses a different filetypes for macroenabled files. docm for a macroenabled word file. dotm for a macroenabled template, etc. I realize that not that many places have upgraded their files from the 97-2003 format to the 2007 format. The new file types have not been added to the default file groups, you must modify the existing group or create a new one.
http://www.microsoft.com/technet/tec...05/GetControl/
http://technet2.microsoft.com/window....mspx?mfr=true
If you're using Group Policy, you could be evil and increase your macro security... when they start calling about macro security and their files not working properly, you can inspect the file and add that file to the exception list. I don't know how big of an organization you have there and if people would get pissed about this approach... ;) Plus, it'd probably create a lot of headaches for your support department.
BTW: If you're trying to identify malicious m$ files, check out the following tool from snort.org I haven't been able to get it to work with wildcards, but a little bit of scripting to get a list of all the files you want to check and if it returns "safe", then ignore and move to next file. If it doesn't return safe, then log to a file for further review.
http://www.snort.org/vrt/tools/officecat.html
Thanks Phishphreek for the reply. The Wolfman is aware of OfficeCat. It's a good utility but only scans for a few MS vulnerabilities and nothing else.
Blocking the execution of a Macro with GPO will work, but won't solve my original issue, how to identify Macro's on a network?
Does anyone else know a utility to locate Macro's on a network?