Inspect PDF documents for embedded Office macro-files

paul.fritzsche1
Level 1

Hey guys,

Last week we were hit by Jaff ransomware. Some users got suspicious mails and opened the attached .pdf file, allowed execution in Adobe Reader, and MS Office started and loaded macro code. This code downloaded some more files from the web and executed them on the local machine to encrypt C: and attached drives (yes, we have low security settings).

The ESA supports features to inspect Office files for macro code (with message filters); it's described in the user guide, https://supportforums.cisco.com/discussion/12925121/block-office-documents-containing-macros and several forums.

Is it possible to scan .pdf files in the same/similar way, to detect attached Office files (maybe with Office macros) in mailflow (on ESA) and take some action on them? Inspection of .pdf files like this is basically possible.

For this threat see https://blogs.cisco.com/security/talos/jaff-ransomware-player-2-has-entered-the-game.

Thanks and best regards, Paul.

Accepted Solutions

Sriram Subramanian
Cisco Employee

Hello,

You can now configure a content filter in AsyncOS 10.0.1 for macro detection in PDF and Office documents. You can find more information on how to configure it in the user guide:

http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa10-0/ESA_10-0-1_User_Guide.pdf (page 206)

To scan and detect macro files, it is recommended to install the AMP feature for ESA, which includes File Reputation and File Analysis for protection against malicious files, including macro detection.
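
For triage outside the appliance, the check asked about in this thread (a PDF carrying an Office file with macros) can be sketched as follows. This is an added example, not Cisco's content filter and not code from either poster; `scan_pdf`, `macro_indicator` and `constructed_sample` are hypothetical names, and it only handles plain or Flate-coded streams whose dictionary declares `/EmbeddedFile`.

```python
import io, re, zlib, zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# One PDF stream object: its dictionary, then raw data up to "endstream".
STREAM = re.compile(rb"obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)endstream", re.S)

def macro_indicator(payload: bytes):
    """Return why a payload looks like a macro-bearing Office file, or None."""
    if payload.startswith(OLE_MAGIC):
        # Legacy .doc/.xls: stream names are stored as UTF-16LE.
        if "_VBA_PROJECT".encode("utf-16-le") in payload:
            return "OLE2 document with a VBA project stream"
    elif payload.startswith(b"PK"):
        try:
            names = zipfile.ZipFile(io.BytesIO(payload)).namelist()
        except zipfile.BadZipFile:
            return None
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "OOXML document containing vbaProject.bin"
    return None

def scan_pdf(pdf: bytes):
    """List findings for every /EmbeddedFile stream (plain or Flate-coded only)."""
    findings = []
    for dictionary, data in STREAM.findall(pdf):
        if b"/EmbeddedFile" not in dictionary:
            continue
        if b"/FlateDecode" in dictionary:
            try:
                # decompressobj tolerates the end-of-line left before "endstream".
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                findings.append("embedded file stream could not be decoded")
                continue
        reason = macro_indicator(data)
        if reason:
            findings.append(reason)
    return findings

def constructed_sample(with_macro: bool) -> bytes:
    """Build a constructed test PDF (not a real sample) with one attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder")
    body = zlib.compress(buf.getvalue())
    head = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n2 0 obj\n"
    dic = b"<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>" % len(body)
    return head + dic + b"\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n"
```

A stream that cannot be decoded is reported rather than skipped, so an attachment the script cannot read is still surfaced for manual review.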
