Home

ExeFilter - an open-source tool and framework to filter files and active content

ExeFilter is an open-source tool and python framework to filter file formats in e-mails, web pages or files. It detects many common file formats and can remove active content (scripts, macros, etc) according to a configurable policy.

Many networks are not really protected against active content which may enter up to the user workstation via e-mail, web or removable devices. Most of the common file formats such as Office documents, PDF, HTML or XML include native features which may be used to hide malicious active content or trigger XSRF and XSS attacks (see my articles about file formats security). A significant proportion of current attacks also take advantage of recent vulnerabilities discovered in various file formats to launch malicious code. The ever-increasing diversity and complexity of file formats make it hard to provide a comprehensive protection when using traditional methods such as antivirus engines and black-list filtering based on file extensions.

ExeFilter is an open-source tool and framework to improve protection against malicious active content in files. It has been designed to be either included in gateways (e-mail, web, web services, ...) or on user workstations to filter removable devices. Its unique white-list algorithm combined to a significant list of supported formats make it very effective to control which file formats are allowed to enter a secure network. It is also able to remove active content in order to receive only innocuous data.

A real-life example: recent PDF zero-day exploit (CVE-2009-4324)

PDF documents containing a new zero-day exploit for Adobe Reader 9.2 were captured in the wild in December 2009, and the corresponding vulnerability (CVE-2009-4324) was announced by Adobe on the 14th December. DEP seems to mitigate public exploits, but some claim to bypass it. A patch (Adobe Reader 9.3) was only published on the 12th January 2010... Which left a one month window, when the only solution was to disable PDF JavaScript on all computers, or to deploy everywhere the new "JavaScript Blacklist Framework" provided by Adobe. Fortunately, antivirus engines were catching up quickly and signatures were being provided, sometimes after a few days. But it is also known that these signatures may sometimes be evaded using variants of an exploit. Detecting generic exploits in PDF is far more complex than looking for static malware signatures.

Since this vulnerability is exploited using JavaScript in PDF, tests have shown that malicious PDF documents cleaned by ExeFilter become innocuous. This was also the case with previous vulnerabilities such as CVE-2009-0927. Therefore, disabling JavaScript in all incoming PDF documents with such a tool on gateways is an effective solution against this type of zero-days. You may test it easily by yourself by following these steps:

  1. Download a CVE-2009-4324 sample exploit generator from http://www.securityfocus.com/data/vulnerabilities/exploits/37331.py
  2. Run "python 37331.py exploit.pdf" to generate a sample PDF. (you may open it on a vulnerable system without DEP to check it works)
  3. Clean it using "python ExeFilter.py exploit.pdf -o cleaned.pdf".
  4. Open the file cleaned.pdf on a vulnerable machine: since Javascript is disabled in the file, the exploit is not triggered.

Publications about ExeFilter

News

  • 2010-02-24: version 1.1.2 published, see changelog for details.
  • see also news on project website.

Requirements

Download

License

Cecill: open-source, GPL compatible.

Quick Demo

ExeFilter is provided with a few sample files located in the demo_files folder.

  1. Open each file in the demo_files folder, to look at active content (javascript, macros, embedded files, etc). Note: Some samples only work on Windows.
  2. On Windows: simply run DEMO.bat, or type: ExeFilter.py demo_files -d demo_output
  3. On Unix/Linux/MacOSX: python ExeFilter.py demo_files -d demo_output
  4. Then open each file in demo_output, and compare results.

Sample usage

How to analyze one file and create a sanitized version:

On Windows: 
ExeFilter.py <source file> -o <destination file>
On Unix: 
python ExeFilter.py <source file> -o <destination file>

Notes:

  • It is possible to sanitize the file in place, by specifying the same path for source and destination.
  • ExeFilter returns different errorlevel values according to the result (clean, cleaned, blocked or error - see documentation), which may be used to automate its usage in a gateway.

How to analyze all files from a directory according to the default policy, clean active content and copy sanitized files to a destination directory:

On Windows: 
ExeFilter.py <source path> -d <destination path>
On Unix: 
python ExeFilter.py <source path> -d <destination path>

Notes:

  • Source path may be a directory, a single file, or a list of directories and files separated by spaces.
  • Destination path must be a directory.

For example, in order to analyze all files from a CDROM or a USB stick on drive D: (on Windows) and copy a sanitized version in the directory C:\import, use the following command:

ExeFilter.py D:\ -d C:\import

How to create a policy file with default options, and a HTML files describing each option:

ExeFilter.py -n policy.ini
ExeFilter.py -e default_policy.html

Then the policy.ini file may be edited using any text editor in order to modify options and filtering policy.

How to filter files using a custom policy:

ExeFilter.py <source path> -d <destination path> -p policy.ini

For more information, see the current documentation.

How to contribute

Send an e-mail to decalage(at)laposte.net if you would like to contribute to the project, send patches, bug reports, develop new filters or simply tell us you have tested the tool on a specific platform.

AttachmentSize
CanSecWest08_Lagadec_ExeFilter.pdf222.21 KB