Hello,
I have the following scenario:
I have multiple CISCO Catalyst switches (2960-X).
Switches are connected with trunks, we have multiple VLANs configured.
Additional switch (core) Layer3 is configured for routing between VLANs and security ...
Hello,
Is anybody already successfully filtering Word documents with DDE inside?
Some background information:
https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/
https://blog.cloudmark.com/2017/10/10/newly-disclosed-vulnerability-i...
Hello, my question is about "detecting OLE embedded objects inside Office 97-2003 format". Similar to this thread https://supportforums.cisco.com/t5/email-security/detect-executable-file-attachment-in-container-files-ole-pdf/m-p/2995269#M14428 but, here...
Hello,
thank you for your reply.
If we use the VACL, will this be used by the underlying switches, which are connected (trunks) to the core switch?
Or only, if traffic flows through the core switch.
So, for my example, if Host 2 and Host 3 are ...
Hello,
one example from ESA, received yesterday (spoofed mail):
DOCX Document
Analysis of SHA256 from Sandbox :
https://www.hybrid-analysis.com/sample/31b8c756f789cd865060085b48e8c7c20ee1612eb897e3c044564dfd669894b8?environmentId=100
ESA is sho...
Hello @Aliki,
seems to be tricky
Anybody from CISCO following/reviewing this thread?
Filter for DDE(AUTO) would be more than helpful.
In the meantime we got information from different sources that this kind of documents are used to spread Locky r...
Hello,
I have tested Mail filter at CLI with attachment-contains (like second post) but did not find something inside DOCX.
I have tested content filter (GUI) with attachment-contains, also no luck.
Anybody found a working solution?
Cisco TAC ...
Hello,
short information:
seems to work, filter for JS embedded in doc document.
JavaScript_Filter: if (attachment-filename == "(?i)\\.(doc)$") AND
(((attachment-binary-contains("(?i)js")))) {
log-entry("$M...