sbidy / MacroMilter

This Python-based milter (mail filter) checks incoming mail for suspicious VBA macro code in MS Office 20xx attachments (doc, xls, ppt, ...).
MIT License
37 stars · 14 forks

Implementing an EICAR like test function #59

Closed cyberbix closed 4 years ago

cyberbix commented 4 years ago

Wouldn't it be great to have an EICAR-like test function that allows testing the correct function of MacroMilter easily?

I.e. implementing the detection of a simple OLE macro, "hello_macromilter", that just writes an EICAR-like string. The macro cannot do harm if accidentally delivered, is easy to generate in an MS Office application and likely generates (or likely does NOT generate) a log entry in MacroMilter.

To not interfere with other malware scanners on a mail server, it differentiates clearly from EICAR or other signatures that eventually trigger another malware scanner.

Optionally, a custom reject code and message could be implemented to signal a sending test system that the test macro has been detected and everything on MacroMilter is fine.

decalage2 commented 4 years ago

Since MacroMilter uses the MacroRaptor engine to detect whether a macro is suspicious or not, you just need a three-line macro that runs automatically (e.g. AutoOpen) and launches a command, for example `Shell "calc.exe"`. For example, for Word:

```vba
Private Sub Document_Open()
  Shell "calc.exe"
End Sub
```

AFAIK MacroMilter does not rely on antivirus signatures, so it will not detect EICAR. What you need is a VBA macro that triggers MacroRaptor. More info: https://github.com/decalage2/oletools/wiki/mraptor
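The point of the reply above is that MacroRaptor does not match signatures; it flags a macro only when an auto-run trigger (category A) is combined with a file-write (W) or execute (X) action. The following script is an added example written for this thread, not code from MacroMilter or oletools: it implements that A and (W or X) rule with deliberately small, simplified keyword lists (an assumption, not mraptor's real lists) and runs it over three constructed macros, the three-line Word macro from the reply, a "hello_macromilter" macro that only shows a message, and a macro with a Shell call but no auto-run trigger. Only the first one is classified as suspicious, which is why a test macro for MacroMilter needs both the trigger and the action.

```python
import re

# Simplified keyword sets modelled on the public MacroRaptor categories
# (AutoExec / Write / Execute). These lists are an assumption for this
# example; the real engine uses much longer, maintained lists.
AUTOEXEC = re.compile(
    r"\b(AutoOpen|AutoExec|AutoClose|Auto_Open|Document_Open|Workbook_Open)\b",
    re.IGNORECASE,
)
WRITE = re.compile(
    r"\bFileCopy\b|\bKill\b|\bCreateTextFile\b|\bPrint\s*#"
    r"|\bOpen\b.+\bFor\s+(?:Output|Append|Binary)\b",
    re.IGNORECASE,
)
EXECUTE = re.compile(
    r"\b(Shell|CreateObject|GetObject|ShellExecute|WScript\.Shell)\b",
    re.IGNORECASE,
)


def strip_comments(vba_code: str) -> str:
    """Drop VBA comment lines (starting with ' or Rem) so commented-out
    keywords do not count as hits."""
    kept = []
    for line in vba_code.splitlines():
        s = line.strip().lower()
        if s.startswith("'") or s.startswith("rem ") or s == "rem":
            continue
        kept.append(line)
    return "\n".join(kept)


def analyze_vba(vba_code: str) -> dict:
    """Return the A/W/X flags and the MacroRaptor-style verdict:
    suspicious = AutoExec AND (Write OR Execute)."""
    text = strip_comments(vba_code)
    flags = {
        "A": bool(AUTOEXEC.search(text)),
        "W": bool(WRITE.search(text)),
        "X": bool(EXECUTE.search(text)),
    }
    flags["suspicious"] = flags["A"] and (flags["W"] or flags["X"])
    return flags


# Constructed sample macros for the demonstration.
MACRO_FROM_REPLY = """Private Sub Document_Open()
  Shell "calc.exe"
End Sub
"""

# The "hello_macromilter" idea from the issue, if it only displays a string:
# it auto-runs but neither writes a file nor executes anything.
MACRO_HELLO_ONLY = """Private Sub Document_Open()
  MsgBox "hello_macromilter"
End Sub
"""

# Has an execute keyword but no auto-run trigger, so it is not flagged either.
MACRO_NO_TRIGGER = """Sub hello_macromilter()
  ' Shell "calc.exe" in a comment does not count
  Shell "calc.exe"
End Sub
"""


def classify_samples() -> dict:
    """Run the heuristic over the three constructed samples."""
    return {
        "reply": analyze_vba(MACRO_FROM_REPLY),
        "hello_only": analyze_vba(MACRO_HELLO_ONLY),
        "no_trigger": analyze_vba(MACRO_NO_TRIGGER),
    }


if __name__ == "__main__":
    for name, result in classify_samples().items():
        verdict = "SUSPICIOUS" if result["suspicious"] else "not flagged"
        print(f"{name:<12} A={result['A']!s:<5} W={result['W']!s:<5} "
              f"X={result['X']!s:<5} -> {verdict}")
```

To reproduce the check with the real engine instead of this toy, save a macro-enabled document and run oletools' `mraptor` on it; the verdict should agree with the A/W/X reasoning shown here for these three cases.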

sbidy commented 4 years ago

@decalage2 thank you for the fast response and answer!