ExeFilter - an open-source tool and framework to filter files and active content

ExeFilter is an open-source tool and Python framework to filter file formats in e-mails, web pages or files. It detects many common file formats and can remove active content (scripts, macros, etc.) according to a configurable policy.

Many networks are not really protected against active content, which may reach the user workstation via e-mail, web or removable devices. Most of the common file formats such as Office documents, PDF, HTML or XML include native features which may be used to hide malicious active content or trigger XSRF and XSS attacks (see my articles about file format security). A significant proportion of current attacks also take advantage of recently discovered vulnerabilities in various file formats to launch malicious code. The ever-increasing diversity and complexity of file formats make it hard to provide comprehensive protection with traditional methods such as antivirus engines and black-list filtering based on file extensions.

ExeFilter is an open-source tool and framework to improve protection against malicious active content in files. It has been designed to be either included in gateways (e-mail, web, web services, ...) or installed on user workstations to filter removable devices. Its unique white-list algorithm, combined with a significant list of supported formats, makes it very effective at controlling which file formats are allowed to enter a secure network. It is also able to remove active content so that only innocuous data is received.

Real-life example: malicious PDF files

Most of the malicious PDF files seen since 2008-2009 use native PDF features such as JavaScript or Launch actions to trigger their payload or to allow the exploitation of vulnerabilities. Since ExeFilter is able to clean PDF files by removing active content, it is effective against most of these malicious PDF files, even against zero-day exploits before they are discovered. See the following articles for more details:

Main Features

  • Filter files according to a configurable white list policy: only allowed file types can go through.
  • Unique filtering algorithm based on 1) file extension, 2) file contents, 3) active content detection and removal.
  • Recognizes the most common file formats: HTML, text, PDF, RTF, MS Word, Excel, Powerpoint, Project, Zip, JPEG, PNG, GIF, BMP, AVI, WAV, MP3.
  • Can detect, remove or disable active content in some formats:
    • HTML: JavaScript, VBScript, script URLs, Java applets, objects such as Flash, Iframes.
    • PDF: JavaScript, Launch actions, Embedded files (effective against most current PDF malware, even zero-day exploits)
    • MS Word/Excel/Powerpoint: VBA Macros, OLE Package objects
    • RTF: OLE Package objects
  • Recursive analysis of files into containers such as Zip.
  • The output of the filter is only clean files with a recognized/allowed format, no active content, no executable file. The risk of launching malicious code is dramatically reduced.
  • Can integrate antivirus engines such as ClamAV (clamd) or F-Prot for increased protection.
  • Graphical User Interface
  • Command-line interface
  • Python API
  • Can be integrated as a custom filter in Clearswift Mailsweeper
  • Optional logging (file, syslog) and archiving
  • Can generate HTML and XML reports
  • Portable: runs at least on Windows, GNU/Linux and Mac OSX.
  • Open-source license, GPL compatible.
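The three-stage white-list algorithm listed above (extension, then content, then active content) as an added illustration written for this page; it is not ExeFilter's own code or Python API. The allowed-extension table, the magic-byte values and the active-content markers are constructed assumptions for the example, and the HTML cleaning is regex-based and deliberately simplified (a production sanitizer parses the document). The PDF stage disarms active content the way PDFiD's disarm option does: each keyword is overwritten with a same-length name, so the cross-reference offsets inside the file stay valid.

```python
import os
import re
from dataclasses import dataclass, field

# Stage 1 and 2 policy, constructed for this example: allowed extensions mapped to the
# magic bytes the content must start with; None marks a text format without magic bytes.
POLICY = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".html": None,
    ".txt": None,
}

# Stage 3 markers (constructed). PDF names are matched as whole names so /JS does not
# also hit an unrelated longer name; HTML rules are (label, pattern, replacement).
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|Launch|EmbeddedFile)(?![A-Za-z0-9])")
HTML_ACTIVE = [
    ("script block", re.compile(rb"<script\b.*?</script\s*>", re.I | re.S), b""),
    ("applet/object/iframe", re.compile(rb"<(applet|object|iframe)\b.*?</\1\s*>", re.I | re.S), b""),
    ("event handler attribute", re.compile(rb"\son\w+\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", re.I), b""),
    # A script URL is left in place but given an unregistered scheme the browser will not run.
    ("script URL", re.compile(rb"(javascript|vbscript):", re.I), b"x-blocked:"),
]


@dataclass
class FilterResult:
    verdict: str                   # "clean", "cleaned" or "blocked", ExeFilter's own result terms
    data: bytes                    # output content; empty when the file is blocked
    findings: list = field(default_factory=list)


def _content_matches(ext, data, policy):
    """Stage 2: the bytes must look like the format the extension claims."""
    magic = policy[ext]
    if magic is not None:
        return data.startswith(magic)
    # Text formats: valid UTF-8 and no NUL bytes.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return b"\x00" not in data


def _disarm_pdf(data):
    """Stage 3 for PDF: neutralize active-content names without moving a single byte."""
    findings = []

    def swap(match):
        name = match.group(0)
        findings.append(name.decode())
        # Same length, different name (/JavaScript -> /jAVAsCRIPT): xref offsets stay valid.
        return b"/" + name[1:].swapcase()

    return PDF_ACTIVE.sub(swap, data), findings


def _clean_html(data):
    """Stage 3 for HTML: strip script blocks, active objects, handlers and script URLs."""
    findings = []
    for label, pattern, replacement in HTML_ACTIVE:
        data, count = pattern.subn(replacement, data)
        if count:
            findings.append(f"{label} x{count}")
    return data, findings


CLEANERS = {".pdf": _disarm_pdf, ".html": _clean_html}


def filter_file(filename, data, policy=POLICY):
    """Apply the three stages to one file and return the verdict with the output bytes."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in policy:                                 # stage 1: extension white-list
        return FilterResult("blocked", b"", [f"extension {ext or '(none)'} not allowed"])
    if not _content_matches(ext, data, policy):          # stage 2: content vs declared type
        return FilterResult("blocked", b"", [f"content does not match {ext}"])
    if ext in CLEANERS:                                   # stage 3: active content
        cleaned, findings = CLEANERS[ext](data)
        if findings:
            return FilterResult("cleaned", cleaned, findings)
    return FilterResult("clean", data)


if __name__ == "__main__":
    # Constructed samples: a PDF with a JavaScript action, HTML with several script vectors,
    # an executable, and an executable renamed to .pdf.
    samples = {
        "form.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Action /S /JavaScript /JS (app.alert(1)) >>\nendobj\n%%EOF\n",
        "page.html": b'<html><body onload="boom()"><script>alert(1)</script>'
                     b'<a href="javascript:alert(2)">x</a><p>hi</p></body></html>',
        "setup.exe": b"MZ\x90\x00",
        "report.pdf": b"MZ\x90\x00",
    }
    for name, content in samples.items():
        result = filter_file(name, content)
        print(f"{name}: {result.verdict} {result.findings}")
```

Note that the renamed executable is blocked at stage 2 even though `.pdf` is on the white list, which is the point of checking content and not only the extension; and the disarmed PDF has exactly the same length as the original, so viewers can still open it.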

Publications about ExeFilter

News

  • 2011-05-18: Portable ExeFilter can be run anywhere without installing anything
  • 2011-05-01 v1.1.4-alpha4: added a new scan-only mode (both CLI and GUI)
  • 2011-02-21 v1.1.4-alpha3: added a new GUI using wxPython
  • 2010-09-12 v1.1.4-alpha1: improved PDF sanitization with Origami
  • 2010-06-19 v1.1.3: new mini GUI, improved PDF sanitization with PDFiD
  • 2010-02-24: version 1.1.2 published, see changelog for details.
  • see also news on project website.

Screenshots

ExeFilter GUI on GNU/Linux Ubuntu

ExeFilter GUI on Mac OSX

Requirements

Download

License

Cecill: open-source, GPL compatible.

Quick Demo

ExeFilter is provided with a few sample files located in the demo_files folder.

  1. Open each file in the demo_files folder, to look at active content (javascript, macros, embedded files, etc). Note: Some samples only work on Windows.
  2. If you have wxPython installed, just run ExeFilter_GUI.py, then click the "Scan and Clean" button.
  3. Else use the command line version in a shell:
    • On Windows: simply run DEMO.bat, or type: ExeFilter.py demo_files -d demo_output
    • On Unix/Linux/MacOSX: python ExeFilter.py demo_files -d demo_output
  4. Then open each file in demo_output, and compare results.

Sample usage

How to analyze one file (scan only mode):

On Windows:
ExeFilter.py <source file>
On Unix:
python ExeFilter.py <source file>

How to analyze one file and create a sanitized version (clean mode):

On Windows:
ExeFilter.py <source file> -o <destination file>
On Unix:
python ExeFilter.py <source file> -o <destination file>

Notes:

  • It is possible to sanitize the file in place, by specifying the same path for source and destination.
  • ExeFilter returns a different errorlevel value for each result (clean, cleaned, blocked or error; see the documentation for the values), which may be used to automate its usage in a gateway.
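The errorlevel note above is what makes the clean-mode command usable from an automated gateway. As an added illustration (not ExeFilter's own code), the Python wrapper below builds the clean-mode command line shown on this page, runs it once per attachment and routes each file to delivery or quarantine from the exit status. The numeric exit-code mapping is a placeholder and must be replaced with the values from the ExeFilter documentation; the `run` parameter is a hypothetical injection point so the routing logic can be exercised without the tool installed.

```python
import os
import subprocess
import sys

# PLACEHOLDER mapping: ExeFilter documents distinct errorlevel values for clean, cleaned,
# blocked and error, but the numbers below are assumed; take the real ones from its documentation.
EXIT_CODES = {0: "clean", 1: "cleaned", 2: "blocked", 3: "error"}


def exefilter_command(source, destination, policy=None, exefilter="ExeFilter.py"):
    """Clean-mode command line from the page: python ExeFilter.py <src> -o <dst> [-p policy.ini]."""
    cmd = [sys.executable, exefilter, source, "-o", destination]
    if policy is not None:
        cmd += ["-p", policy]
    return cmd


def route_attachment(source, destination, policy=None, run=subprocess.run, exit_codes=EXIT_CODES):
    """Sanitize one file and decide: deliver the sanitized copy, or quarantine the original."""
    proc = run(exefilter_command(source, destination, policy))
    outcome = exit_codes.get(proc.returncode, "error")   # any unknown code is treated as an error
    if outcome in ("clean", "cleaned"):
        return {"file": source, "outcome": outcome, "action": "deliver", "path": destination}
    # Blocked (disallowed type or content mismatch) or tool error: never forward the original.
    return {"file": source, "outcome": outcome, "action": "quarantine", "path": source}


def route_message(attachments, outdir, **kwargs):
    """Route every attachment of one message.

    attachments: list of (attachment name, path of the extracted file).
    The whole message is held when any attachment is quarantined, which is the
    conservative choice for a mail gateway; a web proxy would decide per file.
    """
    decisions = [route_attachment(src, os.path.join(outdir, name), **kwargs)
                 for name, src in attachments]
    held = any(d["action"] == "quarantine" for d in decisions)
    return {"held": held, "decisions": decisions}


if __name__ == "__main__":
    # Real use: requires ExeFilter.py in the current directory and real exit-code values.
    print(route_message([("report.pdf", "/tmp/in/report.pdf")], "/tmp/out", policy="policy.ini"))
```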

How to analyze all files from a directory according to the default policy, clean active content and copy sanitized files to a destination directory:

On Windows:
ExeFilter.py <source path> -d <destination path>
On Unix:
python ExeFilter.py <source path> -d <destination path>

Notes:

  • Source path may be a directory, a single file, or a list of directories and files separated by spaces.
  • Destination path must be a directory.

For example, in order to analyze all files from a CDROM or a USB stick on drive D: (on Windows) and copy a sanitized version in the directory C:\import, use the following command:

ExeFilter.py D:\ -d C:\import

How to create a policy file with default options, and an HTML file describing each option:

ExeFilter.py -n policy.ini
ExeFilter.py -e default_policy.html

Then the policy.ini file may be edited using any text editor in order to modify options and filtering policy.

How to filter files using a custom policy:

ExeFilter.py <source path> -d <destination path> -p policy.ini

For more information, see the current documentation.

How to contribute

Send an e-mail to decalage(at)laposte.net if you would like to contribute to the project, send patches, bug reports, develop new filters or simply tell us you have tested the tool on a specific platform.

Attachment: CanSecWest08_Lagadec_ExeFilter.pdf (222.21 KB)