spender-sandbox / cuckoo-modified

Modified edition of cuckoo

triggering on doc close #200

Closed mallorybobalice closed 8 years ago

mallorybobalice commented 8 years ago

Seeing a few samples in the wild recently that trigger macros on doc close instead of open. Except they don't, since in the guest they (the Office processes) never get closed.

What's the way to make child VMs close Word/Excel etc. after a timeout, or as a 'last resort' before the VM timeout? (And to manage the timeout vs VM getting reset timeout.) Happy to enable a generic 'terminate package app' type setting if there

mallorybobalice commented 8 years ago

Hmmm, am I thinking of

https://github.com/spender-sandbox/cuckoo-modified/blob/master/conf/cuckoo.conf

terminate_processes = off->on
^ it's not quite force terminate, more like 'ask nicely to exit with associated exit routines'

[timeouts]
default = 120
critical = 60

?? Or will that not work?

mallorybobalice commented 8 years ago

Hmmm, the terminate process option definitely doesn't help here. Any ideas?

spender-sandbox commented 8 years ago

We already had support for it, but it only worked for older Office versions. I just committed a change that will handle it for newer Office as well.

-Brad

mallorybobalice commented 8 years ago

Hum, thanks Brad, will try tomorrow. Hmm, no wonder I thought I saw it in human.py. (A while back.)

Right, so, if I'm reading it correctly, err, it'll try it 30s after opening? Once. By window title. Word, Excel, PowerPoint, if file type submitted matches? This is in no way related to the analysis timeouts in cuckoo.conf, except should be enough time for 30s plus a bit more for obvious reasons, correct?

mallorybobalice commented 8 years ago

Sweet, thank you Brad