ExeFilter is an open-source tool and Python framework to filter file formats in e-mails, web pages or files. It detects many common file formats and can remove active content (scripts, macros, etc.) according to a configurable policy.
Many networks are not really protected against active content, which may reach the user workstation via e-mail, the web or removable devices. Most of the common file formats such as Office documents, PDF, HTML or XML include native features which may be used to hide malicious active content or to trigger XSRF and XSS attacks (see my articles about file format security). A significant proportion of current attacks also take advantage of recently discovered vulnerabilities in various file formats to launch malicious code. The ever-increasing diversity and complexity of file formats make it hard to provide comprehensive protection with traditional methods such as antivirus engines and black-list filtering based on file extensions.
ExeFilter is an open-source tool and framework to improve protection against malicious active content in files. It has been designed to be included either in gateways (e-mail, web, web services, ...) or on user workstations to filter removable devices. Its white-list algorithm, combined with a significant list of supported formats, makes it very effective at controlling which file formats are allowed to enter a secure network. It is also able to remove active content so that only innocuous data is received.
Most of the malicious PDF files seen since 2008-2009 use native PDF features such as JavaScript or Launch actions to trigger their payload or to allow the exploitation of vulnerabilities. Since ExeFilter is able to clean PDF files by removing active content, it is effective against most of these malicious PDF files, even against zero-day exploits before they are discovered. See the following articles for more details:
Screenshots: ExeFilter GUI on GNU/Linux Ubuntu; ExeFilter GUI on Mac OS X.
License: CeCILL (open-source, GPL compatible).
ExeFilter is provided with a few sample files located in the demo_files folder.
How to analyze one file (scan only mode):
On Windows: `ExeFilter.py <source file>`
On Unix: `python ExeFilter.py <source file>`
How to analyze one file and create a sanitized version (clean mode):
On Windows: `ExeFilter.py <source file> -o <destination file>`
On Unix: `python ExeFilter.py <source file> -o <destination file>`
Notes:
How to analyze all files from a directory according to the default policy, clean active content and copy sanitized files to a destination directory:
On Windows: `ExeFilter.py <source path> -d <destination path>`
On Unix: `python ExeFilter.py <source path> -d <destination path>`
Notes:
For example, in order to analyze all files from a CD-ROM or a USB stick on drive D: (on Windows) and copy a sanitized version into the directory C:\import, use the following command:
`ExeFilter.py D:\ -d C:\import`
How to create a policy file with default options, and an HTML file describing each option:
`ExeFilter.py -n policy.ini`
`ExeFilter.py -e default_policy.html`
Then the policy.ini file may be edited using any text editor in order to modify options and filtering policy.
How to filter files using a custom policy:
`ExeFilter.py <source path> -d <destination path> -p policy.ini`
For more information, see the current documentation.
Send an e-mail to decalage(at)laposte.net if you would like to contribute to the project, send patches, bug reports, develop new filters or simply tell us you have tested the tool on a specific platform.
| Attachment | Size |
|---|---|
| CanSecWest08_Lagadec_ExeFilter.pdf | 222.21 KB |
Comments
MS Office (docx, xlsx, pptx)
Hi,
Does your tool provide support for MS office 2007 onwards, i.e. Open XML file formats?
Thanks!
MS Office 2007 formats (docx, xlsx, pptx) are supported
Yes, Open XML formats are supported since version 1.1.4-alpha6. The documents are scanned and cleaned like zip files, allowing XML files and pictures inside (according to the configured policy). Any other binary file within the archive (e.g. macros) is stripped out.