Office documents 97-2003 OLE embedded

Hello,

my question is about "detecting OLE embedded objects inside Office 97-2003 format".

Similar to this thread

https://supportforums.cisco.com/t5/email-security/detect-executable-file-attachment-in-container-files-ole-pdf/m-p/2995269#M14428

but, here it is the Office format 2007 or newer (DOCX, XLSX).

I have created a filter on the CISCO ESA to filter for file name endings like js, jse, vbs and so on.

But it is possible to send doc files with an embedded js file through the ESA and they are not filtered.

Is it possible to detect embedded OLE inside 97-2003 Office files?

Is it possible to detect DOC files with Macros inside PDF files?

And how is it possible?

We want to use a filter, we are also using AMP, but we want to quarantine every mail with such an attachment.

Regards

Marc

6 Replies

dmccabej
Cisco Employee

Hello,

 

Starting in 10.x we added a Macro Detection condition for Content Filters, which sounds like something you may be interested in. You can review the Release Notes: here. AMP is also another amazing addition and will catch most malicious macro content. Unfortunately, I'm not able to comment on the filter piece missing files since I'm not sure how you currently have it set up.

 

Thanks!

-Dennis M.

Hello Dennis,

thanks for your reply.

With 10.X, which we are using at the moment, it is possible for us to use Macro Detection for Office OLE and OpenXML documents.

My thread is about something similar but also different:

We also want to detect "embedded objects" inside both Office file formats.

This "Embedded Object" (for example a js or vbs script) is no Macro Content, to my understanding.

Microsoft has posted about this here:

https://blogs.technet.microsoft.com/mmpc/2016/06/14/wheres-the-macro-malware-author-are-now-using-ole-embedding-to-deliver-malicious-files/

So, the macro content filter will not work here.

Also the Attachment Content filter "File is executable" or the Attachment Content filter "ends with vbs, js ..." is not detecting the object inside the OLE document.

Regards

Marc

 

Ah, I gotcha. Thanks for the clarification. :)

 

I would recommend reviewing an older discussion we have that has an extensive amount of information regarding something similar. You can find it here: Block Office documents containing macros.

 

You may have to dig through the discussion and come up with a message filter to best fit your needs. 

 

Thanks!

-Dennis M.

 

 

Hello,

short information:

It seems to work, a filter for JS embedded in a DOC document.

JavaScript_Filter: if (attachment-filename == "(?i)\\.(doc)$") AND
    (attachment-binary-contains("(?i)js")) {
        log-entry("$MatchedContent");
        insert-header("X-js", "True");
    }

Thanks also to CISCO support

Regards

Marc

Hi Everyone,

 

It seems that in v11, the ESA is able to scan the OLE file using attachment-filename in a content filter.

After the upgrade from v10.0.2 to v11.0.2, some mails with Office attachments have been dropped by the content filter because those Office documents contained harmful files.

Filter Name: Remove_Harmful_Attachment

Conditions (All of the following must match):
attachment-filename == "(?i)\\.(ade|adp|bas|bat|bin|chm|cmd|com|cpl|crt|dll|drv|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|msc|msi|msp|mst|ovl|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs|wsc|wsf|wsh|jar|docm)$"
attachment-unprotected

Actions:
drop-attachments-by-name("(?i)\\.(ade|adp|bas|bat|bin|chm|cmd|com|cpl|crt|dll|drv|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|msc|msi|msp|mst|ovl|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs|wsc|wsf|wsh|jar|docm)$", " \r\n")
insert-header("X-EXE", "YES")

Please correct me if I am wrong.

 

Thank you

Calvin FONG
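The two filters above take different shortcuts: Marc's filter matches the bytes "js" anywhere in a .doc, and Calvin's filter matches a blocklist of extensions against the attachment's own name. The embedded file the Microsoft post describes is neither: in a 97-2003 document it sits inside the compound file's ObjectPool storage as a "packager" stream (name: a 0x01 byte followed by Ole10Native), and that stream carries the embedded file's real name. The following Python is an added example written for this thread, not code from Cisco or from any poster. It shows what the "js" substring test really matches, a raw-byte check for the UTF-16LE storage and stream names that a compound file uses, and a parser for the Ole10Native stream that recovers the embedded file name so Calvin's extension list can be applied to it. The stream layout is assumed from the Windows Packager format (the same one oletools' oleobj reads); the sample stream and fake document bytes are constructed here for the demonstration and are not a real document.

```python
import re
import struct

# Extension blocklist copied from the Remove_Harmful_Attachment filter posted in this thread.
BLOCKED_EXT_RE = re.compile(
    r"(?i)\.(ade|adp|bas|bat|bin|chm|cmd|com|cpl|crt|dll|drv|exe|hlp|hta|inf|ins|isp|js|jse|"
    r"lnk|mdb|mde|msc|msi|msp|mst|ovl|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs|wsc|wsf|"
    r"wsh|jar|docm)$"
)

# Storage and stream names inside a compound file (.doc/.xls) are stored as UTF-16LE, so a raw
# byte scan has to look for that encoding. Word keeps embedded objects under the ObjectPool
# storage; a packaged file lives in a stream named 0x01 + "Ole10Native".
OBJECTPOOL_MARKER = "ObjectPool".encode("utf-16-le")
OLE10NATIVE_MARKER = "\x01Ole10Native".encode("utf-16-le")


def crude_js_match(blob: bytes) -> bool:
    """What attachment-binary-contains("(?i)js") from the thread effectively tests:
    the two bytes 'js' in any case, anywhere in the attachment."""
    return re.search(rb"(?i)js", blob) is not None


def scan_compound_file(blob: bytes) -> dict:
    """Cheap triage on the raw bytes of a .doc: do the embedded-object markers appear at all?"""
    return {
        "has_objectpool": OBJECTPOOL_MARKER in blob,
        "has_ole10native": OLE10NATIVE_MARKER in blob,
    }


def _cstring(buf: bytes, offset: int):
    """Read a NUL-terminated ANSI string at offset; return (text, offset just past the NUL)."""
    end = buf.index(b"\x00", offset)
    return buf[offset:end].decode("latin-1"), end + 1


def parse_ole10native(stream: bytes) -> dict:
    """Parse the contents of an Ole10Native stream and return the packaged file's metadata.

    Assumed layout (Windows Packager format, as also read by oletools' oleobj):
      u32 size of the rest, u16 flags, cstr label, cstr original path,
      u32 unknown, u32 temp-path length, cstr temp path, u32 data size, data bytes.
    """
    if len(stream) < 10:
        raise ValueError("too short to be an Ole10Native payload")
    (declared,) = struct.unpack_from("<I", stream, 0)
    if declared + 4 > len(stream):
        raise ValueError("declared size exceeds stream length")
    pos = 6  # skip the size dword and the flags word
    label, pos = _cstring(stream, pos)
    src_path, pos = _cstring(stream, pos)
    pos += 8  # unknown dword + temp-path length dword (the cstr below is self-delimiting)
    temp_path, pos = _cstring(stream, pos)
    (data_size,) = struct.unpack_from("<I", stream, pos)
    pos += 4
    data = stream[pos:pos + data_size]
    if len(data) != data_size:
        raise ValueError("embedded data is truncated")
    return {"label": label, "src_path": src_path, "temp_path": temp_path, "data": data}


def is_blocked_name(name: str) -> bool:
    """Apply the thread's extension blocklist to a file name."""
    return BLOCKED_EXT_RE.search(name) is not None


def verdict_for_stream(stream: bytes) -> dict:
    """Judge the *embedded* file by its own name, not by the name of the enclosing .doc."""
    meta = parse_ole10native(stream)
    blocked = is_blocked_name(meta["label"]) or is_blocked_name(meta["src_path"])
    return {"embedded_name": meta["label"], "blocked": blocked, "size": len(meta["data"])}


def build_ole10native(label: str, src_path: str, temp_path: str, payload: bytes) -> bytes:
    """Build a constructed Ole10Native stream for testing (inverse of parse_ole10native)."""
    body = struct.pack("<H", 2)
    body += label.encode("latin-1") + b"\x00"
    body += src_path.encode("latin-1") + b"\x00"
    body += struct.pack("<II", 0x00030000, len(temp_path) + 1)
    body += temp_path.encode("latin-1") + b"\x00"
    body += struct.pack("<I", len(payload)) + payload
    return struct.pack("<I", len(body)) + body


# Constructed sample data (not a real document): a harmless one-liner packaged as invoice.js.
SAMPLE_PAYLOAD = b"WScript.Echo \"constructed sample\"\r\n"
SAMPLE_STREAM = build_ole10native(
    "invoice.js", "C:\\Users\\sender\\invoice.js", "C:\\Temp\\invoice.js", SAMPLE_PAYLOAD
)
# Just enough of a fake .doc for the marker scan (not a valid compound file): CFB magic,
# padding, the two UTF-16LE names, the constructed stream.
FAKE_DOC = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64 + OBJECTPOOL_MARKER
            + b"\x00" * 32 + OLE10NATIVE_MARKER + b"\x00" * 32 + SAMPLE_STREAM)
# A benign body that the crude "js" substring filter still flags.
BENIGN_TEXT = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Please find the JSON export attached."

if __name__ == "__main__":
    print("crude 'js' match on benign text:", crude_js_match(BENIGN_TEXT))
    print("markers in fake doc:", scan_compound_file(FAKE_DOC))
    print("verdict for embedded stream:", verdict_for_stream(SAMPLE_STREAM))
```

On a real attachment the stream is read out of the compound file first, for example with olefile's OleFileIO (listdir() to enumerate the ObjectPool storage, openstream() to read the Ole10Native stream), and parse_ole10native is then applied to those bytes. The marker scan is the closest equivalent to what a binary-contains condition can do and is useful for triage, but only the parsed label gives a name that the extension blocklist can be applied to without the false positives the "js" substring produces on ordinary text.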

Instead of "dropping" the attachment, why don't you place them in a Quarantine? That way, they can be reviewed, and it gives you the ability to release the emails with the attachment included.