04-10-2015 03:28 AM
Good Morning,
We are currently seeing a massive increase in malware contained in Word document macros; these are dropping through the ESA until CASE catches up, and there are no AV signatures for these files at the time of drop.
I've analysed these files, and they often contain set phrasing when viewed as plain text, e.g.
autoopen
createobject
InternetReadFile
wininet.dll
There's a screenshot of a plain-text snippet attached.
I've set up quarantine filters for these phrases
e.g. Message Body or Attachment body-contains("wininet.dll", 1) or Message Body or Attachment body-contains("InternetReadFile", 1)
but these files are not being quarantined as I'd expect. I think that this may be because the ESA is trying to parse the file as a DOC format instead of plain text; I've examined one of the files in a sandbox and the macros are password protected in Word, so they are likely not visible to the ESA if parsed in this way.
Is there any way to force the ESA to examine the plain text for phrases as well as the parsed DOC?
regards,
Ed
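As an added example (not code from the thread or from Cisco), the following Python script performs the kind of plain-text phrase check Ed is asking the ESA for, run outside the gateway: it looks for the four indicator strings from the post in the raw bytes of an attachment, in both ASCII and UTF-16LE spelling, and for OOXML (.docm) containers it opens the zip and scans each member, because the macro project sits deflate-compressed inside word/vbaProject.bin and would never match on the outer file. The sample .doc and .docm inputs are constructed stand-ins, not real malware, and their VBA module text is stored uncompressed to keep the example short. Real module streams are MS-OVBA compressed (literal bytes interleaved with flag bytes), so raw-byte matching on real samples is best-effort; a tool that decompresses the VBA streams, such as olevba from oletools, gives the reliable view.

```python
"""Plain-text indicator scan for Office attachments (added example, not from the thread)."""
import io
import zipfile

# Indicator phrases quoted in the thread; matching is case-insensitive.
INDICATORS = ("autoopen", "createobject", "InternetReadFile", "wininet.dll")

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc, and vbaProject.bin
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm container


def scan_bytes(data: bytes) -> set:
    """Indicators present in a flat byte stream, in ASCII or UTF-16LE spelling.

    bytes.lower() only folds ASCII letters, which is what we want here: the
    NUL bytes of UTF-16LE are left alone and still line up with the needle.
    """
    low = data.lower()
    hits = set()
    for ind in INDICATORS:
        needle = ind.lower()
        if needle.encode("ascii") in low or needle.encode("utf-16-le") in low:
            hits.add(ind)
    return hits


def scan_attachment(data: bytes) -> dict:
    """Scan an attachment as raw text instead of as a parsed document.

    OOXML files are zip archives, so the macro project (word/vbaProject.bin)
    is deflate-compressed inside the outer file and must be scanned member by
    member. Legacy OLE2 .doc files are scanned as one flat stream.
    Returns {"container": "ole2"|"ooxml"|"unknown", "hits": {member: set}}.
    """
    if data.startswith(ZIP_MAGIC):
        hits = {}
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                found = scan_bytes(zf.read(name))
                if found:
                    hits[name] = found
        return {"container": "ooxml", "hits": hits}
    kind = "ole2" if data.startswith(OLE_MAGIC) else "unknown"
    found = scan_bytes(data)
    return {"container": kind, "hits": {"<raw>": found} if found else {}}


def should_quarantine(data: bytes) -> bool:
    """Mirror the OR-of-phrases filter from the post: any one indicator is enough."""
    return bool(scan_attachment(data)["hits"])


# --- constructed samples (stand-ins, not real malware) -----------------------

def _fake_vba_stream() -> bytes:
    """Stand-in for a VBA module stream, stored uncompressed for brevity.
    Real module streams are MS-OVBA compressed, so on real files this raw
    matching is best-effort; decompress the stream (e.g. with olevba) to be sure."""
    src = (b"Attribute VB_Name = \"Module1\"\r\n"
           b"Private Declare Function InternetReadFile Lib \"wininet.dll\" "
           b"(ByVal hFile As Long, ByRef lpBuffer As Any, "
           b"ByVal dwBytes As Long, ByRef dwRead As Long) As Long\r\n"
           b"Sub AutoOpen()\r\n"
           b"    Set sh = CreateObject(\"WScript.Shell\")\r\n"
           b"End Sub\r\n")
    # Office stores some names as UTF-16LE; include one to exercise that path.
    return src + "autoopen".encode("utf-16-le")


def _build_docm(vba_blob: bytes) -> bytes:
    """Minimal OOXML container with the macro project as a zip member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + vba_blob)
    return buf.getvalue()


SAMPLE_DOC = OLE_MAGIC + b"\x00" * 64 + _fake_vba_stream() + b"\x00" * 64
SAMPLE_DOCM = _build_docm(_fake_vba_stream())
SAMPLE_CLEAN = _build_docm(b'Attribute VB_Name = "Module1"\r\nSub Main()\r\nEnd Sub\r\n')

if __name__ == "__main__":
    for label, blob in (("doc", SAMPLE_DOC), ("docm", SAMPLE_DOCM), ("clean", SAMPLE_CLEAN)):
        print(label, should_quarantine(blob), scan_attachment(blob)["hits"])
```

Run as a script it prints the verdict and the matched phrases for each constructed sample; in practice you would feed it attachments pulled from the quarantine or a mail store. Note that a phrase list this short will also fire on benign macros that legitimately declare WinINet functions, so treat a hit as a reason to quarantine for review rather than as a malware verdict.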
04-14-2015 09:23 AM
I'd like to know if this is possible with message filters as well.
I know it is not possible with content filters because they can't look in to attachments at such a low level (data stream basically).
08-11-2015 11:58 AM
I know this thread is old, but great question by Ed. Curious if there has been a response?
08-12-2015 01:13 AM
Hi Bryan,
The basic answer from Cisco was that the ESA can't do that, and suggested using AMP, which while now integrated with the ESA range is a hefty extra cost. To me it looks like further development in the security aspects of the ESA has pretty much halted and it's being offloaded to the AMP line.
I was hopeful that the user community had worked out a method, but no joy.
I've had to develop signatures using other tools (not Cisco).
Regards,
Ed
08-12-2015 06:47 AM
Thank you, we recently added the license for AMP. Currently configured for retrospective verdicts, but that does leave a significant gap configured that way.
We do have other countermeasures in place with regards to the Word docs and macros, but I would rather have things stopped at the edge.
Thanks for the response Ed.