Beginner

How do I block Word files with macros enabled from being sent?

Cisco Employee

Hi John,

You can implement the following message filter. You said that you want to block sending as outgoing emails; in case you want to drop these emails on all traffic, outgoing and incoming, you can remove the first condition and the filter will take effect on everything. Also, if you are going to implement the filter, I would suggest using a quarantine("Policy"); action instead of the drop(); action at first, to test the filter and see how it behaves. After that, once you are sure you are not having FP issues, you can change the action to drop(), the more aggressive one, or you can use an action such as drop-attachments-by-size(0), which should drop the attachment only and not the whole email.

if (sendergroup != "RELAYLIST")
{
    if ( (attachment-filename == "(?i)\\.(xls|doc|ppt|xlsx|docx|pptx|docm|dotm|xlsm|xltm|xlam|pptm|potm|ppam|ppsm|sldm)$") AND (attachment-binary-contains("(?i)x-vba-macros")) OR (attachment-binary-contains("[Vv][Bb][Aa]")) AND (attachment-binary-contains("(?i)versioncompatible32")) )
    {
        log-entry("MacroFilter took effect");
        drop();
    }
}
.

The filter first checks whether the sender group matches RELAYLIST ("outgoing emails"), or this condition can be replaced with recv-listener == "OutgoingEmails" in case you have multiple listeners for incoming/outgoing traffic, and then tests the rest of the conditions. Also, you can edit the filter to include more extensions in case I forgot some.

Regards

Raed

Beginner

Do you have the procedure via GUI?

Cisco Employee

It doesn't work via the content filters (GUI), since the condition attachment-binary-contains doesn't exist in them.

Regards

Raed 

Raed,

Is it possible to add more than one sender group to the filter, or do I need to create a filter for each sender group?

Thank you in advance!

Ricardo

Cisco Employee

Ricardo,

Multiple sender groups can be checked using the AND condition.

if (sendergroup != "RELAYLIST") AND (sendergroup != "WHITELIST") AND so on

Thanks

Libin

Thank you, Libin! 

Libin,

Sorry to bother you again, but I ran into issues when recent malware blasted our ESAs and I have to change my strategy on how to monitor for malicious files. As you know from other threads, there's a Locky-type virus sending attachments with names like invoice_87654321.doc with a macro inside. I'm looking for a way to monitor those files as they come in, and eventually add a drop-attachment-by-filetype("doc"). Here's the filter I created, but so far it is not returning anything, even when I send test messages with attachments using the naming pattern from an external email account.

Filter_DropMaliciousAttachments_v2: if (sendergroup != "RELAYLIST")
{
    if (attachment-filename == "(?i)[A-Za-z]{1-9}_[0-9]{1-9}\\.doc$")
    {
        notify('ricardofuentes@domain.com');
    }
}
.

As I mentioned, right now I'm only reporting/monitoring; later, after confirming that no legitimate items are coming in with such names, I will drop the attachments and send the messages to quarantine by adding:

insert-header("X-IronPort-Quarantine","");

Why is my search not returning anything, not even files named filename_87656787.doc?

I got it to work. I needed to use commas instead of a dash (-). See the new version:

Filter_DropMaliciousAttachments_v2: if (sendergroup != "RELAYLIST")
{
    if (attachment-filename == "(?i)[A-Za-z]{1,9}_[0-9]{1,9}\\.doc$")
    {
        notify('ricardofuentes@domain.com');
    }
}
.

Now I can add more robust actions. :)
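Added example, not code from this thread or from Cisco: a Python mock-up of the conditions in Raed's macro filter and Ricardo's filename pattern, run over constructed sample attachments. It assumes one grouping of Raed's AND/OR conditions (Office extension AND any one macro marker), since the filter as posted leaves the precedence ambiguous, and shows why the {1-9} form of the quantifier never matched.

```python
import re

# Constructed sample attachments (filename -> leading bytes); not real files.
# The first legacy .doc carries the byte markers Raed's filter keys on.
SAMPLES = {
    "invoice_87654321.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 VBA VersionCompatible32",
    "newsletter.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 Read our VBA tips column",
    "report.docx": b"PK\x03\x04 word/document.xml",
    "notes.txt": b"plain text, no macros",
}

# Extension list copied from Raed's filter; Python needs a single backslash
# where the quoted ESA filter string uses "\\.".
OFFICE_EXT = re.compile(
    r"(?i)\.(xls|doc|ppt|xlsx|docx|pptx|docm|dotm|xlsm|xltm|xlam|pptm|potm|ppam|ppsm|sldm)$"
)
MACRO_MARKERS = [
    re.compile(rb"(?i)x-vba-macros"),
    re.compile(rb"[Vv][Bb][Aa]"),
    re.compile(rb"(?i)versioncompatible32"),
]


def has_macro_indicators(filename, data):
    """Assumed grouping of Raed's conditions: Office extension AND any marker.
    The bare [Vv][Bb][Aa] marker is the loosest one and is where false
    positives come from, hence his advice to quarantine() before drop()."""
    if not OFFICE_EXT.search(filename):
        return False
    return any(m.search(data) for m in MACRO_MARKERS)


# Ricardo's two patterns. "{1-9}" is not a valid quantifier: Python takes the
# braces literally, so the broken pattern matches nothing realistic, which is
# the behaviour he saw on the ESA before switching to "{1,9}".
BROKEN = re.compile(r"(?i)[A-Za-z]{1-9}_[0-9]{1-9}\.doc$")
FIXED = re.compile(r"(?i)[A-Za-z]{1,9}_[0-9]{1,9}\.doc$")


def matches_invoice_name(filename, pattern=FIXED):
    return pattern.search(filename) is not None


def flagged_attachments(sender_group):
    """Outer check shared by both filters: skip the RELAYLIST sender group."""
    if sender_group == "RELAYLIST":
        return []
    return [name for name, data in SAMPLES.items() if has_macro_indicators(name, data)]
```

newsletter.doc is flagged only because of the bare "VBA" marker, which is the kind of false positive Raed recommends catching in quarantine before switching the action to drop().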

Cisco Employee

Glad to hear that.