Results 1 to 3 of 3

Thread: A Macro Scanner?

  1. #1
    Senior Member wolfman1984's Avatar
    Join Date
    Aug 2007
    Location
    fangtastic.org
    Posts
    191

    Question A Macro Scanner?

    The Wolfman has been assigned the task of finding all Macro's on his network servers. Does anyone know of a Macro scanner that can be used to:

    1) locate documents that contains macro's
    2) locate macro code (VBScript?)

    Is there a unique document header that is created when a macro has been added to a document? If so, can it be scanned?

    Thanks
    I AM... THE WOLFMAN!!
    The Wolfman's Homepage: http://www.fangtastic.org
    Do you dig the Wolfman?? Sign his Ghoulbook or listen to him Howl

  2. #2
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Hmm... What kind of file server? If you're using m$ 2003, you can run reports on file types. Create a file group with all of the filetypes you want to look for. Then create a new filescreen template to report on that file group you just created. There are many filegroups already there by default.

    Office 2007 uses a different filetypes for macroenabled files. docm for a macroenabled word file. dotm for a macroenabled template, etc. I realize that not that many places have upgraded their files from the 97-2003 format to the 2007 format. The new file types have not been added to the default file groups, you must modify the existing group or create a new one.

    http://www.microsoft.com/technet/tec...05/GetControl/
    http://technet2.microsoft.com/window....mspx?mfr=true

    If you're using Group Policy, you could be evil and increase your macro security... when they start calling about macro security and their files not working properly, you can inspect the file and add that file to the exception list. I don't know how big of an organization you have there and if people would get pissed about this approach... Plus, it'd probably create a lot of headaches for your support department.

    BTW: If you're trying to identify malicious m$ files, check out the following tool from snort.org I haven't been able to get it to work with wildcards, but a little bit of scripting to get a list of all the files you want to check and if it returns "safe", then ignore and move to next file. If it doesn't return safe, then log to a file for further review.

    http://www.snort.org/vrt/tools/officecat.html
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you\'ve saved, how much you haven\'t smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  3. #3
    Senior Member wolfman1984's Avatar
    Join Date
    Aug 2007
    Location
    fangtastic.org
    Posts
    191
    Thanks Phishphreek for the reply. The Wolfman is aware of OfficeCat. It's a good utility but only scans for a few MS vulnerabilities and nothing else.

    Blocking the execution of a Macro with GPO will work, but won't solve my original issue, how to identify Macro's on a network?

    Does anyone else know a utility to locate Macro's on a network?
    I AM... THE WOLFMAN!!
    The Wolfman's Homepage: http://www.fangtastic.org
    Do you dig the Wolfman?? Sign his Ghoulbook or listen to him Howl

Similar Threads

  1. Auditor possibly the best security auditing linux distro
    By acdspit00 in forum Operating Systems
    Replies: 5
    Last Post: March 15th, 2006, 04:53 PM
  2. Poblem with scanner
    By lostit44 in forum Hardware
    Replies: 4
    Last Post: February 16th, 2005, 07:43 AM
  3. Writing a port scanner in Java
    By cgkanchi in forum The Security Tutorials Forum
    Replies: 13
    Last Post: February 8th, 2005, 03:39 PM
  4. Security issues with a port scanner
    By Dnguyen in forum Programming Security
    Replies: 7
    Last Post: October 30th, 2003, 05:54 AM
  5. Protecting Yourself From Macro Exploits
    By zigar in forum The Security Tutorials Forum
    Replies: 3
    Last Post: March 9th, 2002, 02:24 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •