Only allow signed macro documents

Hi,

Is there a way to block all files containing macros but allow the files that are digitally signed by my internal Root CA?

A content filter that checks the certificate.

Kind regards,

Frederil.


5 Replies

marc.luescherFRE
Spotlight

Hi Frederik,

How would those attachments be signed?

If they were S/MIME signed, a message filter can easily be built to allow this.

Please elaborate.

-Marc

ppreenja
Cisco Employee

Hello Frederik,

Please check on the below article which might be helpful and may be able to answer your query:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/214695-how-to-verify-messages-received-with-s-m.html

Cheers,
Pratham

He's not looking for S/MIME.

He's looking at attachments and looking at those that have macros and wanting to see if those macros are signed...

https://support.office.com/en-us/article/digitally-sign-your-macro-project-956e9cc8-bbf6-4365-8bfa-98505ecd1c01

Correct, I am looking to check whether the document itself is signed, not the mail content.


Hi Frederik,

Sorry it took some time to investigate. Short answer: Microsoft does not provide a programmatic way to display or validate the signature of a signed workbook or macro.

Long answer: there would be the option to detect all such potential file attachment types via a search for the proper MIME types of their extensions, like


// Map an attachment path to a MIME type. Paths without an extension are
// sniffed with finfo; known Office 2007+ extensions are mapped directly,
// the "macroEnabled" ones being the formats that may carry macros.
function get_mimetype($filepath) {
    if(!preg_match('/\.[^\/\\\\]+$/',$filepath)) {
        return finfo_file(finfo_open(FILEINFO_MIME_TYPE), $filepath);
    }
    switch(strtolower(preg_replace('/^.*\./','',$filepath))) {
        // START MS Office 2007 Docs
        case 'docx':
            return 'application/vnd.openxmlformats-officedocument.wordprocessingml.document';
        case 'docm':
            return 'application/vnd.ms-word.document.macroEnabled.12';
        case 'dotx':
            return 'application/vnd.openxmlformats-officedocument.wordprocessingml.template';
        case 'dotm':
            return 'application/vnd.ms-word.template.macroEnabled.12';
        case 'xlsx':
            return 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet';
        case 'xlsm':
            return 'application/vnd.ms-excel.sheet.macroEnabled.12';
        case 'xltx':
            return 'application/vnd.openxmlformats-officedocument.spreadsheetml.template';
        case 'xltm':
            return 'application/vnd.ms-excel.template.macroEnabled.12';
        case 'xlsb':
            return 'application/vnd.ms-excel.sheet.binary.macroEnabled.12';
        case 'xlam':
            return 'application/vnd.ms-excel.addin.macroEnabled.12';
        case 'pptx':
            return 'application/vnd.openxmlformats-officedocument.presentationml.presentation';
        case 'pptm':
            return 'application/vnd.ms-powerpoint.presentation.macroEnabled.12';
        case 'ppsx':
            return 'application/vnd.openxmlformats-officedocument.presentationml.slideshow';
        case 'ppsm':
            return 'application/vnd.ms-powerpoint.slideshow.macroEnabled.12';
        case 'potx':
            return 'application/vnd.openxmlformats-officedocument.presentationml.template';
        case 'potm':
            return 'application/vnd.ms-powerpoint.template.macroEnabled.12';
        case 'ppam':
            return 'application/vnd.ms-powerpoint.addin.macroEnabled.12';
        case 'sldx':
            return 'application/vnd.openxmlformats-officedocument.presentationml.slide';
        case 'sldm':
            return 'application/vnd.ms-powerpoint.slide.macroEnabled.12';
        case 'one':
            return 'application/msonenote';
        case 'onetoc2':
            return 'application/msonenote';
        case 'onetmp':
            return 'application/msonenote';
        case 'onepkg':
            return 'application/msonenote';
        case 'thmx':
            return 'application/vnd.ms-officetheme';
        //END MS Office 2007 Docs
        default:
            // Unknown extension: fall back to content sniffing.
            return finfo_file(finfo_open(FILEINFO_MIME_TYPE), $filepath);
    }
}

to give you some examples. The problem is, according to this link https://docs.microsoft.com/en-us/office/troubleshoot/excel/digital-signatures-code-signing, that the way digital signing was implemented removes the signature from the macros the signature is applied to and only leaves the public key behind.

While parsing the remaining macro with https://github.com/unixfreak0037/officeparser I have not found any way to check for the signature's public key in the macro container vbaProject.bin.

So even with a lot of scripting this is not possible, not in the ESA and not in any other tool, unless MS changes the design and exposes this possibility.

-Marc
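Marc's lookup above keys the MIME type off the attachment's extension, which a renamed attachment defeats. The following is an added example, not code from this thread or from Cisco, that instead inspects the OOXML zip container for the VBA project part (content type `application/vnd.ms-office.vbaProject`); the sample package it builds is constructed for the demo, and it only detects macro content, it does not check any signature.

```python
import io
import re
import zipfile

# Content type Office declares for the VBA project part inside an OOXML package.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"

# Extensions Office reserves for macro-enabled documents (the macroEnabled entries above).
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlsb", "xlam",
                    "pptm", "ppsm", "potm", "ppam", "sldm"}

def find_vba_parts(data):
    """Return the names of VBA project parts inside an OOXML zip ([] if none or not a zip)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
            # Also honour the declared content type, in case the part itself was renamed.
            if "[Content_Types].xml" in names:
                ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                for m in re.finditer(r'<Override PartName="([^"]+)" ContentType="([^"]+)"', ct):
                    part = m.group(1).lstrip("/")
                    if m.group(2) == VBA_CONTENT_TYPE and part not in parts:
                        parts.append(part)
            return parts
    except zipfile.BadZipFile:
        return []  # legacy OLE (.doc/.xls) or non-Office data: not an OOXML package

def is_macro_enabled(filename, data):
    """True if the extension claims macros or the container actually carries a VBA project."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in MACRO_EXTENSIONS or bool(find_vba_parts(data))

def build_sample_package(with_vba):
    """Constructed minimal OOXML-like zip for the demo; not a real Word document."""
    overrides = '<Override PartName="/word/document.xml" ContentType="application/xml"/>'
    if with_vba:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", f"<Types>{overrides}</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)  # OLE header stub
    return buf.getvalue()

if __name__ == "__main__":
    # A macro document renamed to .docx still trips the content check.
    print(is_macro_enabled("report.docx", build_sample_package(False)))  # False
    print(is_macro_enabled("report.docx", build_sample_package(True)))   # True
```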