This is a presentation at the CanSecWest08 conference about ExeFilter, an open-source tool and framework to filter files and active content.

ExeFilter is an open-source tool and python framework to filter file formats in e-mails, web pages or files. It detects many common file formats and can remove active content (scripts, macros, etc) according to a configurable policy.

Many networks are not really protected against active content which may enter up to the user workstation via e-mail, web or removable devices. Most of the common file formats such as Office documents, PDF, HTML or XML include native features which may be used to hide malicious active content or trigger XSRF and XSS attacks (see my articles about file formats security). A significant proportion of current attacks also take advantage of recent vulnerabilities discovered in various file formats to launch malicious code. The ever-increasing diversity and complexity of file formats make it hard to provide a comprehensive protection when using traditional methods such as antivirus engines and black-list filtering based on file extensions.

ExeFilter is an open-source tool and framework to improve protection against malicious active content in files. It has been designed to be either included in gateways (e-mail, web, web services, ...) or on user workstations to filter removable devices. Its unique white-list algorithm combined to a significant list of supported formats make it very effective to control which file formats are allowed to enter a secure network. It is also able to remove active content in order to receive only innocuous data.

• Presentation at CanSecWest08: see attached file below.
• All CanSecWest08 presentations: http://cansecwest.com/csw08archive.html