1320 Views | 0 Helpful | 4 Replies

Increased malware in DOC macros

ed.sherratt
Level 1

Good Morning,


We are currently seeing a massive increase in malware contained in Word Document macros. These are dropping through the ESA until CASE catches up, and there are no AV signatures for these files at the time of drop.

I've analysed these files, and they often contain set phrasing when viewed as plain text, e.g.
autoopen
createobject
InternetReadFile
wininet.dll

There's a screenshot of a plaintext snippet attached.

I've set up quarantine filters for these phrases, e.g.

Message Body or Attachment body-contains("wininet.dll", 1) or Message Body or Attachment body-contains("InternetReadFile", 1)

but these files are not being quarantined as I'd expect. I think that this may be because the ESA is trying to parse the file as a DOC format instead of plain text. I've examined one of the files in a sandbox and the macros are password protected in Word, so they are likely not visible to the ESA if parsed in this way.

Is there any way to force the ESA to examine the plain text for phrases as well as the parsed DOC?

regards,
Ed
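A stand-alone check of the kind described above, as an added example that is not part of the original post and is not an ESA feature: it scans the raw bytes of an attachment for the listed strings (both ASCII and UTF-16LE, since Office stores many strings as wide characters) and, for zip-based .docm/.docx files, inflates each member first so a word/vbaProject.bin is searched as plain bytes. The sample inputs are constructed, not real malware.

```python
import io
import zipfile

# Strings the thread lists as recurring in the malicious macros (matched case-insensitively)
INDICATORS = ("autoopen", "createobject", "InternetReadFile", "wininet.dll")


def _patterns(needle: str):
    """Byte patterns for one indicator: plain ASCII and UTF-16LE (Office stores many strings wide)."""
    low = needle.lower()
    return low.encode("ascii"), low.encode("utf-16-le")


def scan_bytes(data: bytes) -> list:
    """Return the indicators present anywhere in the raw bytes, ignoring the document structure."""
    lowered = data.lower()  # bytes.lower() only folds ASCII letters, so UTF-16LE null bytes survive
    return [n for n in INDICATORS if any(p in lowered for p in _patterns(n))]


def scan_attachment(data: bytes) -> list:
    """Scan a legacy .doc (OLE blob) or a .docm/.docx (zip container, e.g. word/vbaProject.bin)."""
    hits = set(scan_bytes(data))
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    hits.update(scan_bytes(zf.read(name)))  # members are inflated before scanning
        except zipfile.BadZipFile:
            pass  # not a valid container; the raw scan above already ran
    return sorted(hits)


def should_quarantine(data: bytes, min_hits: int = 1) -> bool:
    """Mirror the OR'd body-contains filters: quarantine when at least min_hits indicators appear."""
    return len(scan_attachment(data)) >= min_hits


def demo() -> tuple:
    """Constructed samples (not real malware): an OLE-like blob and a zip holding a fake vbaProject.bin."""
    doc_blob = b"\xd0\xcf\x11\xe0" + b"\x00" * 16 + b"Private Sub AutoOpen()\r\n" + b"\x00" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x01\x02" + "InternetReadFile".encode("utf-16-le"))
    return scan_attachment(doc_blob), scan_attachment(buf.getvalue())


if __name__ == "__main__":
    print(demo())  # (['autoopen'], ['InternetReadFile'])
```

Raising min_hits above 1 trades the single-string matching of the original filters for fewer false positives on benign macros that merely call CreateObject.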

4 Replies

neb-ITOps
Level 1

I'd like to know if this is possible with message filters as well.

I know it is not possible with content filters because they can't look in to attachments at such a low level (data stream basically).

Bryan Phillips
Level 1

I know this thread is old, but great question by Ed. Curious if there has been a response?

Hi Bryan,

The basic answer from Cisco was that the ESA can't do that, and they suggested using AMP, which, while now integrated with the ESA range, is a hefty extra cost. To me it looks like further development in the security aspects of the ESA has pretty much halted and it's being offloaded to the AMP line.

I was hopeful that the user community had worked out a method, but no joy.

I've had to develop signatures using other tools (not Cisco).

Regards,

Ed

Thank you, we recently added the license for AMP. It is currently configured for retrospective verdicts, but that does leave a significant gap configured that way.

We do have other countermeasures in place with regards to the Word docs and macros, but I would rather have things stopped at the edge.


Thanks for the response Ed.