
John
Level 1

how to block word file with macro enabled from being sent

9 Replies

Raed Boshmaf
Cisco Employee

Hi John,

You can implement the following message filter. You said that you want to block these as outgoing emails; if you instead want to drop these emails on all traffic, you can remove the first condition and the filter will take effect on all traffic, outgoing and incoming. Also, if you are going to implement the filter, I would suggest using a quarantine("Policy"); action instead of the drop(); action at first, to test the filter and see how it behaves. After that, once you have made sure you are not having FP issues, you can change the action to drop(); (the more aggressive one), or you can use an action such as drop-attachments-by-size(0), which should drop the attachment only and not the whole email.

if (sendergroup != "RELAYLIST")
{
    if ((attachment-filename == "(?i)\\.(xls|doc|ppt|xlsx|docx|pptx|docm|dotm|xlsm|xltm|xlam|pptm|potm|ppam|ppsm|sldm)$") AND (attachment-binary-contains("(?i)x-vba-macros")) OR (attachment-binary-contains("[Vv][Bb][Aa]")) AND (attachment-binary-contains("(?i)versioncompatible32")))
    {
        log-entry("MacroFilter took effect");
        drop();
    }
}
.

The filter should check whether the sender group matches RELAYLIST ("outgoing emails"); this condition can be replaced with recv-listener == "OutgoingEmails" in case you have multiple listeners for incoming/outgoing traffic. It then tests the rest of the conditions. You can also edit the filter to include more extensions in case I forgot some.

Regards

Raed

do you have the procedure via GUI?

It doesn't work via the content filters (GUI), since the condition attachment-binary-contains doesn't exist in them.

Regards

Raed 

Raed,

Is it possible to add more than 1 sender group to the filter or do I need to create a filter for each sender group? 

Thank you in advance!

Ricardo

Ricardo,

Multiple sender groups can be checked using the AND condition.

if (sendergroup != "RELAYLIST") AND (sendergroup != "WHITELIST") AND so on

Thanks

Libin

Thank you, Libin! 

Libin,

Sorry to bother you again, but I ran into issues when recent malware blasted our ESAs and I have to change my strategy for monitoring malicious files. As you know from other threads, there's a Locky-type virus sending attachments with names like invoice_87654321.doc with a macro inside. I'm looking for a way to monitor those files as they come in, and eventually add a drop-attachment-by-filetype("doc"). Here's the filter I created, but so far it is not returning anything, even when I send test messages with attachments using the naming pattern from an external email account.

Filter_DropMaliciousAttachments_v2: if (sendergroup != "RELAYLIST")
{if (attachment-filename == "(?i)[A-Za-z]{1-9}_[0-9]{1-9}\\.doc$")
{
notify('ricardofuentes@domain.com');
}}
.

As I mentioned, right now I'm only reporting/monitoring. Later, after confirming that no legitimate items are coming in with such names, I will drop the attachments and send the messages to quarantine by adding:

insert-header("X-IronPort-Quarantine","");

Why is my search not returning anything, not even files named filename_87656787.doc?

I got it to work. I needed to use commas instead of dashes (-). See the new version:

Filter_DropMaliciousAttachments_v2: if (sendergroup != "RELAYLIST")
{if (attachment-filename == "(?i)[A-Za-z]{1,9}_[0-9]{1,9}\\.doc$")
{
notify('ricardofuentes@domain.com');
}}
.

Now I can add more robust actions. :)
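An added example, not from this thread or from Cisco: a small Python harness that re-creates the conditions of the two message filters discussed in this thread (the macro filter built from attachment-filename and attachment-binary-contains in the first reply, and the invoice_########.doc naming filter above) and runs them over constructed attachments: a clean .docx, a .docm whose vbaProject.bin is deflated, a stand-in OLE2 .doc carrying the strings a VBA project stream exposes, and the same OLE bytes under a .pdf name. It assumes that Python's re semantics (substring search, and a malformed {1-9} quantifier treated as literal text) stand in for the appliance's regex engine, and that AsyncOS evaluates AND before OR when they are mixed without parentheses. Neither assumption is confirmed by the page, so read the as_posted column as a reason to put explicit parentheses in the filter on the appliance, not as a statement of what the appliance does.

```python
# Added example (not from the thread or Cisco): re-implements the conditions of
# the two ESA message filters discussed above so they can be exercised offline.
# Assumptions: Python's re module stands in for the appliance's regex engine,
# and AND binds tighter than OR in AsyncOS filter rules (unverified here).
import io
import re
import zipfile

# Regexes copied verbatim from the thread's filters.
OFFICE_EXT = re.compile(
    r"(?i)\.(xls|doc|ppt|xlsx|docx|pptx|docm|dotm|xlsm|xltm|xlam|pptm|potm|ppam|ppsm|sldm)$"
)
MARKERS = {
    "x-vba-macros": re.compile(r"(?i)x-vba-macros"),
    "vba": re.compile(r"[Vv][Bb][Aa]"),
    "versioncompatible32": re.compile(r"(?i)versioncompatible32"),
}
# Naming-pattern filter, corrected ({1,9}) and as first posted ({1-9}).
NAME_OK = re.compile(r"(?i)[A-Za-z]{1,9}_[0-9]{1,9}\.doc$")
NAME_TYPO = re.compile(r"(?i)[A-Za-z]{1-9}_[0-9]{1-9}\.doc$")


def binary_contains(data: bytes, pattern: re.Pattern) -> bool:
    """Stand-in for attachment-binary-contains: regex search over the raw bytes."""
    return pattern.search(data.decode("latin-1")) is not None


def macro_filter(filename: str, data: bytes) -> dict:
    """Evaluate the macro filter's conditions on one attachment.

    as_posted: the grouping the posted filter has if AND binds tighter than OR:
        (ext AND x-vba-macros) OR (vba AND versioncompatible32)
    intended:  the grouping the reply describes in words:
        ext AND (any macro marker)
    """
    ext = OFFICE_EXT.search(filename) is not None
    hit = {name: binary_contains(data, rx) for name, rx in MARKERS.items()}
    as_posted = (ext and hit["x-vba-macros"]) or (hit["vba"] and hit["versioncompatible32"])
    intended = ext and any(hit.values())
    return {"ext": ext, "markers": hit, "as_posted": as_posted, "intended": intended}


def naming_filter(filename: str, pattern: re.Pattern = NAME_OK) -> bool:
    """The monitoring filter: <letters>_<digits>.doc, case-insensitive.
    Note the pattern is not anchored at the start, so a longer name such as
    attachments_1.doc still matches on its tail under search semantics."""
    return pattern.search(filename) is not None


# --- constructed sample attachments (synthetic, not real documents) ---------
def make_ooxml(with_vba: bool) -> bytes:
    """Minimal OOXML-like zip. The XML parts are stored so their bytes are
    deterministic; vbaProject.bin is deflated as in real .docm files, so only
    its entry name in the zip directory is visible to a raw byte search."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>", compress_type=zipfile.ZIP_STORED)
        z.writestr("word/document.xml", "<w:document/>", compress_type=zipfile.ZIP_STORED)
        if with_vba:
            z.writestr("word/vbaProject.bin", b"\x01VersionCompatible32" + b"\x00" * 64,
                       compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


# Stand-in for a legacy OLE2 .doc: the CFB magic followed by the clear-text
# strings an embedded VBA project stream carries. Constructed, not a real file.
OLE_WITH_VBA = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 32
                + b"_VBA_PROJECT\x00VersionCompatible32\x00")

SAMPLES = {
    "clean.docx": make_ooxml(with_vba=False),
    "invoice_87654321.docm": make_ooxml(with_vba=True),
    "invoice_87654321.doc": OLE_WITH_VBA,
    "report.pdf": OLE_WITH_VBA,  # same bytes, non-Office name: probes the grouping
}


def run_all() -> dict:
    """Evaluate the macro filter over every sample; keyed by attachment name."""
    return {name: macro_filter(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in run_all().items():
        print(f"{name:24} ext={r['ext']!s:5} as_posted={r['as_posted']!s:5} "
              f"intended={r['intended']!s:5} markers={r['markers']}")
    for fn in ("invoice_87654321.doc", "Statement_1.DOC", "attachments_1.doc", "invoice-1.doc"):
        print(f"{fn:24} corrected={naming_filter(fn)} typo={naming_filter(fn, NAME_TYPO)}")
```

Running it shows three things worth carrying back to the appliance. The .docm trips only the [Vv][Bb][Aa] marker, because the entry name word/vbaProject.bin is the only macro-related string left in clear once the project stream is deflated, so under the as-posted grouping (which pairs that marker with versioncompatible32) a deflated .docm is not caught at all, while the intended grouping catches it. The .pdf sample shows the extension condition being bypassed under the as-posted grouping, which is the reason to parenthesize the filter explicitly rather than rely on operator precedence. For the naming filter, the {1-9} form matches nothing and the corrected {1,9} form matches, but because the pattern is not anchored at the start it also matches attachments_1.doc on its tail.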

Glad to hear that.
