Is there a unique document header that is created when a macro has been added to a document? If so, can it be scanned?
October 1st, 2007, 11:47 PM
Hmm... What kind of file server? If you're using m$ 2003, you can run reports on file types. Create a file group with all of the filetypes you want to look for. Then create a new filescreen template to report on that file group you just created. There are many filegroups already there by default.
Office 2007 uses a different filetypes for macroenabled files. docm for a macroenabled word file. dotm for a macroenabled template, etc. I realize that not that many places have upgraded their files from the 97-2003 format to the 2007 format. The new file types have not been added to the default file groups, you must modify the existing group or create a new one.
If you're using Group Policy, you could be evil and increase your macro security... when they start calling about macro security and their files not working properly, you can inspect the file and add that file to the exception list. I don't know how big of an organization you have there and if people would get pissed about this approach... ;) Plus, it'd probably create a lot of headaches for your support department.
BTW: If you're trying to identify malicious m$ files, check out the following tool from snort.org I haven't been able to get it to work with wildcards, but a little bit of scripting to get a list of all the files you want to check and if it returns "safe", then ignore and move to next file. If it doesn't return safe, then log to a file for further review.