decalage2 / exefilter

ExeFilter is an open-source tool and framework to filter file formats in e-mails, web pages or files. It detects many common file formats and can remove active content (scripts, macros, etc) according to a configurable policy.
http://www.decalage.info/exefilter

Trouble removing Word macros #2

Open ashlineldridge opened 7 years ago

ashlineldridge commented 7 years ago

Hi,

I'm attempting to use ExeFilter.py to remove Word macros on Mac and Linux. When I run ExeFilter.py against a .doc file with macros it reports that it cleaned the file, but scanning the file with ClamAV still reports Heuristics.OLE2.ContainsMacros FOUND.

I've tested this with both version 1.1.3 and version 1.1.4-alpha6 and get the same results. Could you advise as to whether complete macro removal is possible with ExeFilter such that ClamAV would not report an error?

Thanks,

Ashlin.

decalage2 commented 7 years ago

Hi Ashlin, I would say it is normal, because on Mac and Linux, ExeFilter only renames one of the VBA streams so that Word and Excel do not find it. In practice this is enough to disable macros, but some scanners such as ClamAV can still see the VBA data.

That issue does not happen on Windows, because ExeFilter uses the system DLLs to actually remove the VBA stream from the file.

A solution would be to use the recent write features of olefile, to wipe out the VBA streams data completely. Not sure when I can do it, though.
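An added example, not ExeFilter's code and not posted by either participant, that shows both halves of the reply above in Python with olefile: listing the VBA streams still present after a "clean" (a renamed stream is still found because its parent storages keep their names), and the zero-fill wipe through olefile's write support. It assumes olefile is installed and the input is a classic OLE2 container (.doc/.xls, not OOXML); the script name vba_wipe.py and the check/wipe usage are my own.

```python
import sys


def is_vba_path(path):
    """True if an OLE storage/stream path (a list of names, as olefile's listdir()
    returns it) belongs to a VBA project: Word keeps it under Macros/VBA/...,
    Excel under _VBA_PROJECT_CUR/VBA/....  Matching on the parent storages rather
    than on the stream name means a stream that was merely renamed is still found."""
    names = [n.upper() for n in path]
    return any(n in ("VBA", "MACROS") or n.startswith("_VBA_PROJECT") for n in names)


def find_vba_streams(filename):
    """Return the VBA-related stream paths still present in an OLE2 (.doc/.xls) file."""
    import olefile  # third-party; imported here so is_vba_path() works without it
    ole = olefile.OleFileIO(filename)
    try:
        return [p for p in ole.listdir(streams=True, storages=False) if is_vba_path(p)]
    finally:
        ole.close()


def wipe_vba_streams(filename):
    """Zero-fill the data of every VBA-related stream in place (the olefile write
    approach mentioned in the reply).  olefile only lets you replace a stream with
    data of the same size, so directory entries and file layout are untouched but
    the VBA bytes are gone.  Returns (wiped, skipped) lists of stream paths."""
    import olefile
    wiped, skipped = [], []
    ole = olefile.OleFileIO(filename, write_mode=True)
    try:
        for path in ole.listdir(streams=True, storages=False):
            if not is_vba_path(path):
                continue
            try:
                ole.write_stream(path, b"\x00" * ole.get_size(path))
                wiped.append("/".join(path))
            except NotImplementedError:
                # older olefile releases cannot rewrite small streams held in the MiniFAT
                skipped.append("/".join(path))
    finally:
        ole.close()
    return wiped, skipped


if __name__ == "__main__":
    # usage: python vba_wipe.py check|wipe file.doc   (wipe modifies the file in place)
    mode, target = sys.argv[1], sys.argv[2]
    if mode == "check":
        print("\n".join("/".join(p) for p in find_vba_streams(target)) or "no VBA streams")
    else:
        wiped, skipped = wipe_vba_streams(target)
        print("wiped:", wiped, "skipped:", skipped)
```

Work on a copy: the wipe leaves the Macros/VBA storages and stream names in place, so a scanner that keys on those names rather than on the stream contents may still flag the file; re-scan after wiping to confirm.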