08-18-2016 10:58 PM
how to block word file with macro enabled from being sent
08-18-2016 11:39 PM
Hi John,
You can implement the following message filter. You said that you want to block these being sent as outgoing emails; in case you want to drop these emails, then you can remove the first condition and the filter will take effect on all traffic, outgoing and incoming. Also, if you are going to implement the filter, I would suggest using a quarantine("Policy"); action instead of the drop(); action at first, to test the filter and see how it behaves. After that, "making sure you are not having FP issues", you can change the action to drop(); the more aggressive one, or you can use an action such as drop-attachments-by-size(0), which should drop the attachment only and not the whole email.
if (sendergroup != "RELAYLIST")
{
    if ( (attachment-filename == "(?i)\\.(xls|doc|ppt|xlsx|docx|pptx|docm|dotm|xlsm|xltm|xlam|pptm|potm|ppam|ppsm|sldm)$") AND (attachment-binary-contains("(?i)x-vba-macros")) OR (attachment-binary-contains("[Vv][Bb][Aa]")) AND (attachment-binary-contains("(?i)versioncompatible32")) )
    {
        log-entry("MacroFilter took effect");
        drop();
    }
}
.
The filter should check if the sender group is matching RELAYLIST ("outgoing emails") (or this condition can be replaced with recv-listener == "OutgoingEmails"; in case you have multiple listeners for incoming/outgoing traffic) and then test the rest of the conditions. "Also you can edit the filter to include more extensions in case I forgot some."
Regards
Raed
08-19-2016 12:00 AM
do you have the procedure via GUI?
08-19-2016 12:29 AM
It doesn't work via the content filters "GUI", since the condition attachment-binary-contains doesn't exist in them.
Regards
Raed
10-07-2016 08:35 AM
Raed,
Is it possible to add more than 1 sender group to the filter or do I need to create a filter for each sender group?
Thank you in advance!
Ricardo
10-07-2016 09:27 AM
Ricardo,
Multiple sender groups can be checked using the AND condition.
If (sendergroup != "RELAYLIST") AND (sendergroup != "WHITELIST") AND so on
Thanks
Libin
10-07-2016 09:28 AM
Thank you, Libin!
10-11-2016 09:53 PM
Libin,
Sorry to bother you again, but I ran into issues when recent malware blasted our ESAs and I had to change my strategy on how to monitor for malicious files. As you know from other threads, there's a Locky-type virus sending attachments with names like invoice_87654321.doc with a macro inside. I'm looking for a way to monitor those files as they come in, and eventually add a drop-attachment-by-filetype("doc"). Here's the filter I created, but so far it is not returning anything, even when I send test messages w/attachments using the naming pattern from an external email account.
Filter_DropMaliciousAttachments_v2: if (sendergroup != "RELAYLIST")
{
    if (attachment-filename == "(?i)[A-Za-z]{1-9}_[0-9]{1-9}\\.doc$")
    {
        notify('ricardofuentes@domain.com');
    }
}
.
As I mentioned, right now I'm only reporting/monitoring; later, after confirming that no legit items are coming in with such names, I will drop the attachments and send the messages to quarantine by adding:
insert-header("X-IronPort-Quarantine","");
Why is my search not returning anything, or any files named filename_87656787.doc?
10-11-2016 10:12 PM
I got it to work. I needed to use commas instead of dashes (-). See the new version:
Filter_DropMaliciousAttachments_v2: if (sendergroup != "RELAYLIST")
{
    if (attachment-filename == "(?i)[A-Za-z]{1,9}_[0-9]{1,9}\\.doc$")
    {
        notify('ricardofuentes@domain.com');
    }
}
.
Now I can add more robust actions. :)
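As an added example (not Cisco ESA code and not posted by anyone in this thread), here is a small Python model of the two attachment checks from the posts above: Raed's macro filter and Ricardo's filename pattern in its first and corrected form. It lets the regexes be exercised offline before a filter is loaded onto the appliance; the substring semantics of attachment-binary-contains, the unanchored search for attachment-filename and the explicit AND/OR grouping are assumptions of this model, not ESA behaviour taken from the page.

```python
import re

# Added example: Python model of the filter conditions, not ESA filter code.
# Grouping of AND/OR is made explicit here (assumption); the posted ESA filter
# relies on the appliance's own precedence rules.

# Office extension regex as posted in Raed's macro filter.
OFFICE_EXT_RE = re.compile(
    r"(?i)\.(xls|doc|ppt|xlsx|docx|pptx|docm|dotm|xlsm|xltm|xlam|pptm|potm|ppam|ppsm|sldm)$"
)

# Ricardo's Locky-style filename pattern: first posting and corrected posting.
BROKEN_NAME_RE = re.compile(r"(?i)[A-Za-z]{1-9}_[0-9]{1-9}\.doc$")  # {1-9} is read as literal text
FIXED_NAME_RE = re.compile(r"(?i)[A-Za-z]{1,9}_[0-9]{1,9}\.doc$")   # {1,9} is a real quantifier


def name_matches(pattern, filename):
    """Model attachment-filename == "regex" as an unanchored search (assumption)."""
    return pattern.search(filename) is not None


def looks_like_macro_doc(filename, data):
    """Model the macro condition: Office extension AND a VBA marker in the raw bytes.
    Marker strings are the ones from the posted filter; attachment-binary-contains
    is modelled as a case-insensitive substring test (assumption)."""
    if not OFFICE_EXT_RE.search(filename):
        return False
    lower = data.lower()
    has_vba_stream = b"x-vba-macros" in lower
    has_vba_marker = b"vba" in lower and b"versioncompatible32" in lower
    return has_vba_stream or has_vba_marker


def macro_filter_decision(sender_group, filename, data):
    """Model the whole filter: mail from RELAYLIST (outgoing) is left alone,
    anything else is dropped when the attachment looks like a macro document."""
    if sender_group == "RELAYLIST":
        return None
    return "drop" if looks_like_macro_doc(filename, data) else None


if __name__ == "__main__":
    # Constructed sample bytes, not a real attachment.
    sample = b"\xd0\xcf\x11\xe0 ... VBA ... VersionCompatible32 ..."
    for name in ("invoice_87654321.doc", "quarterly-report.doc"):
        print(name, "broken:", name_matches(BROKEN_NAME_RE, name),
              "fixed:", name_matches(FIXED_NAME_RE, name))
    print(macro_filter_decision("UNKNOWNLIST", "invoice_87654321.doc", sample))
```

The broken pattern only matches filenames that literally contain the text {1-9}, which is why the first test messages were never reported.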
10-12-2016 04:49 AM
Glad to hear that.