Block Office documents containing macros

Evan M

Is there any way to block Office document types that contain macros in this? The most recent Cryptolocker variant (Locky) contains macros, which makes it more challenging to intercept. Blocking all Office document attachments entirely isn't considered to be very business friendly.


Matthew, all of the work by yourself, your colleagues and other members of this forum on this topic is extremely welcome; Office macro abuse continues to be a major hazard here and I'm sure at many other customer installations.

I thought we didn't have to worry about DOCX/XLSX/PPTX formats as they could not contain a macro? If an attacker tries to rename one of the macro-bearing formats to the matching "X" format, the Office program returns an error claiming "the file format or file extension is not valid". Are there cases (possibly involving the Office Compatibility pack or other versions of Office I may not have worked with) where this is not true?

XLSB can contain macros, and there are a couple of obscure macro-capable PowerPoint formats though as I've never used them in practice I can't say how effectively they might be "weaponised".

Yes you are correct.

.docx would become .docm to have macros enabled, so you can manually block .docm.

But this is for those emails where macros were enabled and renamed into .docx (It will not open though due to the error that will appear).

This was just kept in the filter as per a requirement of another user I worked with, and also from some security blogs (like this: https://nakedsecurity.sophos.com/2015/09/28/why-word-macro-malware-is-back-and-what-you-can-do-about-it/) stating that .docx should still be treated with caution.

I have not been able to get a macro-enabled .docx to open (that I created myself); it always had that error. When creating a macro-enabled document it is required to save as .docm (at least by design of Office, from my testing).

Regards,

Matthew

We had the following filter added to our hosted appliances by Cisco support: 

if ((attachment-filename ==
"(?i)\\.(xls|xlsx|xlt|xla|xltx|xlsm|xltm|xlam|xlsb|doc|dot|docx|dotx|dotm|docm|ppt|pot|pps|ppa|pptx|potx|ppsx|ppam|pptm|potm|ppsm|rtf)$") AND
((attachment-binary-contains("(?i)x-vba-macros")) OR
(((attachment-binary-contains("(?i)vba")) AND
(attachment-binary-contains("(?i)versioncompatible32"))) OR
((attachment-binary-contains("(?i)vba")) AND
(attachment-binary-contains("(?i)\\[Content_Types\\]\\.xml"))))) {
log-entry("$MatchedContent");
insert-header("X-Macro", "True");
}

We are getting a lot of false positives. Matthew, should we ask support to update to your filter vs the current?

Thanks!

Joe

Hey Joe,


Do we happen to have the logs where the false positives were occurring?

With this filter I originally made, I put in the log-entry rule so we can see which terms are matching primarily.

If we could get some review on what log-entry was added we can check the attachment type against the terms matched.

I have a feeling it's the vba + content_types.xml that may be the match since you have added a lot more formats (which I have yet to have a look into at this stage).

But I would advise you to reach out to the support team for the hosted system to review the tracking and filter again to try to improve it.

Unless there are a lot of legitimate macro-enabled attachments from certain senders (I have seen this to be the case), in which case you can create a mail policy for those senders who should be allowed to send macro attachments so that the content filter (the one that does the quarantining) is not applied to them.

Regards,

Matthew

Looking at the false positives, they are in fact all from "Custom Log Entry: vBa, vBa, [Content_Types].xml" 

We will ask them to update the filter. 

Thanks for the quick reply!

Joe

WHindriks

Thanks everyone for sharing their solutions in this thread. Please find the details of my solution below:

I have been running the following message filter on all possible macro-containing office formats:



MacroFilter: if ((attachment-filename == "(?i)\\.rtf") AND (attachment-binary-contains("(?i)vbaproject.bin"))) OR
    ((attachment-filename == "(?i)\\.(xls|xlt|xla|doc|dot|ppt|pot|ppa|pps|sld|xlsx|xlsm|xltx|xltm|xlsb|xlam|docx|docm|dotx|dotm|pptx|pptm|potx|potm|ppam|ppsx|ppsm|sldx|sldm)$") AND
     ((attachment-binary-contains("(?i)x-vba-macros")) OR (attachment-binary-contains("(?i)/vbaProject.bin")))) {
    log-entry("$MatchedContent");
    insert-header("X-Macro", "True");
}


I have dropped the "versioncompatible32" as it did not consistently appear in .docm and .xlsm files.

Due to the high level of legitimate macro-enabled content, I have opted to simply add a header to each incoming message to warn the user of the potentially dangerous content.

Text resource:


***Warning***

One or more of the following attachments $filenames contain a macro. Open these attachments only if you trust $EnvelopeFrom and are expecting this E-mail. If you have any questions, please contact: Servicedesk@xxxxx.xx .


The content filter will only trigger on E-mail received on the public interface, and will for now submit a copy of every touched E-mail to the policy quarantine so I can evaluate this filter.

Content filter:


<content_filter>
  <filter_name>MacroFilter</filter_name>
  <filter_comment></filter_comment>
  <is_AND>1</is_AND>
  <rule>
    <rule_type>Receiving_Injector_Rule</rule_type>
    <rule_data>Public</rule_data>
    <rule_extra1>==</rule_extra1>
  </rule>
  <rule>
    <rule_type>Header_Rule</rule_type>
    <rule_data>X-Macro</rule_data>
    <rule_extra1>True</rule_extra1>
    <rule_extra2>==</rule_extra2>
  </rule>
  <action>
    <action_type>Quarantine_Duplicate_Action</action_type>
    <action_data>Policy</action_data>
  </action>
  <action>
    <action_type>Add_Heading_Action</action_type>
    <action_data>Macro_Disclaimer</action_data>
  </action>
</content_filter>


Kind regards,

Wouter Hindriks
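As an added illustration of the detection logic in Joe's and Wouter's filters above (example code written for this thread, not part of the ESA or either poster's filter), the following Python reproduces the extension gate and the attachment-binary-contains() byte scan over constructed OOXML-style containers, and contrasts the bare "vba" token (the source of Joe's false positives) with the "/vbaProject.bin" indicator. It goes one step further than the byte scan by also opening the zip and checking the [Content_Types].xml part for the VBA content type, and shows that renaming a macro document to .docx does not evade the scan. The sample containers, file names and the placeholder vbaProject.bin bytes are constructed for the demo, and the RTF branch of Wouter's filter is left out.

```python
import io
import re
import zipfile

# Extension gate copied from the revised message filter in this thread (RTF branch omitted).
MACRO_CAPABLE_EXT = re.compile(
    r"(?i)\.(xls|xlt|xla|doc|dot|ppt|pot|ppa|pps|sld|xlsx|xlsm|xltx|xltm|xlsb|xlam|"
    r"docx|docm|dotx|dotm|pptx|pptm|potx|potm|ppam|ppsx|ppsm|sldx|sldm)$"
)

# Byte patterns the filters pass to attachment-binary-contains(). Zip local file
# headers store entry names uncompressed, so "/vbaProject.bin" is visible in the raw
# bytes of any OOXML container that carries a VBA project.
STRONG_INDICATORS = (re.compile(rb"(?i)x-vba-macros"), re.compile(rb"(?i)/vbaProject\.bin"))
# The bare token from the earlier filter that produced the false positives.
WEAK_INDICATOR = re.compile(rb"(?i)vba")

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def filter_matches(filename, data, strict=True):
    """Mirror the message filter: extension gate first, then a byte scan.

    strict=True uses only the strong indicators (the revised filter);
    strict=False also accepts the bare "vba" token (the earlier filter).
    """
    if not MACRO_CAPABLE_EXT.search(filename):
        return False
    if any(p.search(data) for p in STRONG_INDICATORS):
        return True
    return (not strict) and WEAK_INDICATOR.search(data) is not None


def ooxml_has_vba(data):
    """Structural check: open the container and look for a VBA part or its content type.

    Returns False for non-zip input; legacy OLE2 files (.doc/.xls) need an OLE parser.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in types_xml
    except zipfile.BadZipFile:
        pass
    return False


def build_sample(body_text, with_macro):
    """Construct a minimal OOXML-style container for the demo (not a real Word file)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    parts = {
        "[Content_Types].xml": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f"{overrides}</Types>"
        ).encode(),
        "word/document.xml": (
            f"<w:document><w:body><w:p><w:r><w:t>{body_text}</w:t></w:r></w:p></w:body></w:document>"
        ).encode(),
    }
    if with_macro:
        # Placeholder bytes only (an OLE2 signature plus padding), not a real VBA project.
        parts["word/vbaProject.bin"] = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in parts.items():
            # Fixed timestamp and ZIP_STORED (the ZipInfo default) keep the bytes
            # deterministic; real files are deflated, where a short token such as
            # "VBA" in the body text may or may not survive literally.
            zf.writestr(zipfile.ZipInfo(name, date_time=(2016, 3, 1, 0, 0, 0)), payload)
    return buf.getvalue()


def classify_samples():
    """Run both filter variants and the structural check over constructed attachments."""
    clean = build_sample("Quarterly figures attached.", with_macro=False)
    mentions_vba = build_sample("Reminder: the VBA training runs on Monday.", with_macro=False)
    macro = build_sample("Enable content to view this invoice.", with_macro=True)
    return {
        "clean_strict": filter_matches("report.docx", clean),
        "clean_loose": filter_matches("report.docx", clean, strict=False),
        "mentions_vba_strict": filter_matches("memo.docx", mentions_vba),
        "mentions_vba_loose": filter_matches("memo.docx", mentions_vba, strict=False),
        "macro_strict": filter_matches("invoice.docm", macro),
        "macro_renamed_docx": filter_matches("invoice.docx", macro),
        "unlisted_extension": filter_matches("invoice.pdf", macro),
        "macro_structural": ooxml_has_vba(macro),
        "clean_structural": ooxml_has_vba(mentions_vba),
    }


if __name__ == "__main__":
    for label, hit in classify_samples().items():
        print(f"{label:22s} {'MACRO' if hit else 'clean'}")
```

The "mentions_vba" sample is the false-positive case from this thread: a macro-free document whose body merely mentions VBA trips the bare "vba" token but not the "/vbaProject.bin" indicator. The byte scan works on zip-based formats because the entry name of the VBA part sits uncompressed in the local file header, which is also why renaming the file to .docx makes no difference; for the legacy OLE2 formats the equivalent evidence is the VBA storage inside the compound file, which a substring scan finds less reliably, hence the separate "x-vba-macros" pattern and the OLE parser mentioned in the docstring.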

Hello Wouter,

Thank you very much for your input.

I am glad to hear that you've revised this filter further for your usage as well. I hoped to have this as just a baseline for every admin such as yourself to customize as you see fit.

And thank you for your feedback on the version32 rule I originally had.

The reason it would not appear in docm (or the 03+ Office files), from what I've tested, is that it changed in terms of binary value, and vbaProject.bin is the condition that matched in all tests.

But as docm (or any of the new formats ending in 'm') is essentially macro-enabled, I added a rule to do a blanket block on all macros in the new formats. However, your setup is great for ensuring end users are also educated.

Regards,

Matthew

Tim Jackson

So now that macro detection is built into the ESAs, do we know what the differences are? Is it more or less effective than these solutions? I'm using one of these with success but am always looking to improve detection where possible, even if just for the separate reporting graph.


Thanks,
Tim
