09-01-2017 11:49 PM - last edited on 03-25-2019 04:54 PM by ciscomoderator
Hello,
my question is about "detecting OLE embedded objects inside Office 97-2003 format".
Similar to this thread
but, here is the office format 2007 or newer (DOCX, XLSX).
I have created a filter on CISCO ESA to filter for file name endings like js, jse, vbs and so on.
But it is possible to send doc files with an embedded js file through ESA and they are not filtered.
Is it possible to detect embedded OLE inside 97-2003 office files?
Is it possible to detect DOC files with Macro inside PDF files?
And how is it possible?
We want to use a filter, we are also using AMP, but we want to quarantine every mail with such an attachment.
Regards
Marc
09-02-2017 03:07 PM - edited 09-04-2017 06:42 PM
Hello,
Starting in 10.x we added a Macro Detection condition for Content Filters, which sounds like something you may be interested in. You can review the Release Notes: here. AMP is also another amazing addition and will catch most malicious macro content. Unfortunately, I'm not able to comment on the filter piece missing files since I'm not sure how you currently have it set up.
Thanks!
-Dennis M.
09-03-2017 11:02 PM
Hello Dennis,
thanks for your reply.
With 10.X, which we are using at the moment, it is possible for us to use Macro Detection for Office OLE and OpenXML documents.
My thread is about something similar but also different:
But we also want to detect "embedded objects" inside both Office File formats.
This "Embedded Object" (for example js or vbs script) is no Macro Content for my understanding.
Microsoft has posted about this here:
So, the macro content filter will not work here.
Also the Attachment Content filter "File is executable" or the Attachment Content filter "ends with vbs, js ..." is not detecting the object inside the OLE document.
Regards
Marc
09-04-2017 06:40 PM
Ah, I gotcha. Thanks for the clarification. :)
I would recommend reviewing an older discussion we have that has an extensive amount of information regarding something similar. You can find it here: Block Office documents containing macros.
You may have to dig through the discussion and come up with a message filter to best fit your needs.
Thanks!
-Dennis M.
10-13-2017 11:21 PM
Hello,
short information:
seems to work, filter for JS embedded in a doc document.
JavaScript_Filter: if (attachment-filename == "(?i)\\.(doc)$") AND
    (attachment-binary-contains("(?i)js")) {
    log-entry("$MatchedContent");
    insert-header("X-js", "True");
}
Thanks also to CISCO support
Regards
Marc
07-12-2018 09:30 PM
Hi Everyone,
It seems that in v11, ESA is able to scan the OLE file using attachment-filename in a content filter.
After the upgrade from v10.0.2 to v11.0.2, some mails with Office attachments have been dropped by the content filter because those Office documents contained harmful files.
Filter Name: Remove_Harmful_Attachment
Conditions (All of the following must match):
attachment-filename ==
"(?i)\\.(ade|adp|bas|bat|bin|chm|cmd|com|cpl|crt|dll|drv|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|msc|msi|msp|mst|ovl|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs|wsc|wsf|wsh|jar|docm)$"
attachment-unprotected
Actions:
drop-attachments-by-name("(?i)\\.(ade|adp|bas|bat|bin|chm|cmd|com|cpl|crt|dll|drv|exe|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|msc|msi|msp|mst|ovl|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs|wsc|wsf|wsh|jar|docm)$", " \r\n")
insert-header("X-EXE", "YES")
Please correct me if I am wrong.
Thank you
Calvin FONG
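As an added example (not Cisco's code and not ESA filter syntax), the script below shows the check the two filters above are reaching for, done outside the appliance: it identifies an attachment by its container signature rather than its file name, looks for embedded-object markers in both the 97-2003 OLE2 container (.doc/.xls) and the OpenXML zip (.docx/.xlsx), and recovers the original file name of a packaged object where an Ole10Native label is present. The extension list is copied from the Remove_Harmful_Attachment filter posted above. The OLE2 check is a byte-level heuristic that does not walk the compound-file FAT, so it is a triage step, not a parser. All sample inputs are constructed in build_samples() and are not real documents.

```python
# Added example (not Cisco ESA code): stdlib-only triage check for embedded OLE
# objects in Office attachments, covering both the 97-2003 OLE2 (.doc/.xls) and
# OpenXML (.docx/.xlsx) containers discussed in this thread. Heuristic only.
import io
import re
import zipfile

# Extension list copied from the Remove_Harmful_Attachment filter posted above.
BLOCKED_EXT = ("ade|adp|bas|bat|bin|chm|cmd|com|cpl|crt|dll|drv|exe|hlp|hta|inf|ins|isp|"
               "js|jse|lnk|mdb|mde|msc|msi|msp|mst|ovl|pcd|pif|reg|scr|sct|shb|shs|sys|"
               "url|vb|vbe|vbs|wsc|wsf|wsh|jar|docm")
# An Ole10Native package stream starts with a null-terminated ANSI label holding the
# original file name of the embedded object; this finds such labels with a blocked
# extension anywhere in the raw bytes.
LABEL_RE = re.compile(rb"([\w\-. ]{1,120}\.(?:" + BLOCKED_EXT.encode() + rb"))\x00",
                      re.IGNORECASE)

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE2 / compound file signature
ZIP_MAGIC = b"PK\x03\x04"                          # OpenXML is a zip container
# Stream/storage names are stored as UTF-16LE in the compound file directory.
OLE_MARKERS = {
    "ObjectPool": "ObjectPool".encode("utf-16-le"),    # Word storage for embedded objects
    "Ole10Native": "Ole10Native".encode("utf-16-le"),  # packaged (non-OLE-aware) file
}


def scan_ole2(data: bytes) -> dict:
    """Scan an OLE2 file for embedded-object markers.

    This does not walk the FAT/directory chain; it searches the raw bytes for
    well-known directory-entry names and Ole10Native labels, which is enough for
    triage but is not a full parser.
    """
    markers = [name for name, needle in OLE_MARKERS.items() if needle in data]
    names = sorted({m.group(1).decode("latin-1") for m in LABEL_RE.finditer(data)})
    return {"format": "ole2", "markers": markers, "embedded_names": names}


def scan_openxml(data: bytes) -> dict:
    """Scan an OpenXML zip for embeddings/ parts and nested OLE2 payloads."""
    markers, names = [], set()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            part = info.filename
            if re.match(r"(word|xl|ppt)/embeddings/", part) or part.endswith("vbaProject.bin"):
                markers.append(part)
                payload = zf.read(info)
                if payload.startswith(CFB_MAGIC):     # embedded .bin is itself OLE2
                    names.update(scan_ole2(payload)["embedded_names"])
    return {"format": "openxml", "markers": markers, "embedded_names": sorted(names)}


def scan_attachment(data: bytes) -> dict:
    """Dispatch on the container signature rather than on the file name."""
    if data.startswith(CFB_MAGIC):
        return scan_ole2(data)
    if data.startswith(ZIP_MAGIC):
        return scan_openxml(data)
    return {"format": "other", "markers": [], "embedded_names": []}


def should_quarantine(findings: dict) -> bool:
    """Quarantine (rather than drop) anything carrying an embedded-object marker."""
    return bool(findings["markers"] or findings["embedded_names"])


def build_samples() -> dict:
    """Constructed test inputs (not real documents): a minimal fake OLE2 blob that
    carries an Ole10Native entry and label, a DOCX embedding it, and a clean DOCX."""
    fake_ole = (CFB_MAGIC + b"\x00" * 504 + OLE_MARKERS["Ole10Native"] + b"\x00" * 10
                + b"payload.js\x00C:\\tmp\\payload.js\x00")

    def make_docx(embed: bool) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("[Content_Types].xml", "<Types/>")
            zf.writestr("word/document.xml", "<w:document/>")
            if embed:
                zf.writestr("word/embeddings/oleObject1.bin", fake_ole)
        return buf.getvalue()

    return {"embedded.doc": fake_ole, "embedded.docx": make_docx(True),
            "clean.docx": make_docx(False)}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        result = scan_attachment(blob)
        print(name, result, "-> quarantine" if should_quarantine(result) else "-> deliver")
```

Dispatching on the container signature is what makes this different from the name-based filters in the thread: a .doc renamed to .rtf or a .docx renamed to .zip is still recognised, and the embedded-object check runs on the inner oleObject*.bin rather than on the outer file name. Because the OLE2 check is a byte scan, a positive result is a reason to quarantine for review, as suggested in the reply above, not a proof of malice.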
07-13-2018 01:05 PM
Instead of "dropping" the attachment, why don't you place them in a Quarantine? That way, they can be reviewed, and it gives you the ability to release the emails with the attachment included.