
Block Office documents with Macros and notify recipient, rule-based

Posted: 09 Feb 2017 21:44
by SupportOU
Hi All,

Does anyone know if it is possible to block all Office documents that contain macros for recipients of *@domain1.com, while allowing this for users of *@domain2.com?

Do I need to block/allow this in ClamAV or MailScanner or a combination?

For now I used the /etc/MailScanner/rules/content.scanning.rules file in combination with /etc/clamav.conf (OLE2BlockMacros yes). My content.scanning.rule is 'From: *@domain3.com and To: *@domain2.com no'

But this rule doesn't get fired if user@domain3.com sends a document with a macro to user@domain2.com. Now all Office documents with macros are blocked (but no zero-day cryptolockers since, so in that respect I am very, very happy).

I have more rules in this very rules file and these are working.

What can I do better here?

Thanks!

Grtz,
Ronald

Re: Block Office documents with Macros and notify recipient, rule-based

Posted: 14 Apr 2018 11:06
by Gate Array
I would like to have the same feature/configuration... block all Office files with macros inside...

The problem is doing it using MailScanner and not with ClamAV.


In my configuration I've setup:

1) Make a bounce reply email for "illegal attach" to the sender.

2) Do "nothing" if a virus is found

So... what I want to achieve is to send back an email alert to the sender also for macros inside Office files.

Is there any way to do it?

Re: Block Office documents with Macros and notify recipient, rule-based

Posted: 28 Apr 2018 09:03
by Gate Array
No one...???
No ideas ????

Re: Block Office documents with Macros and notify recipient, rule-based

Posted: 17 May 2018 18:39
by thewomble
Take a look at https://github.com/fmbla/spamassassin-olemacro

I have not used it myself yet; it was on my todo list.

Re: Block Office documents with Macros and notify recipient, rule-based

Posted: 21 May 2018 06:24
by pdwalker
I use it, and there are a number of conditions that it does not detect. Embedded macros in MS Word documents are one hairball of a mess.

Re: Block Office documents with Macros and notify recipient, rule-based

Posted: 11 Aug 2018 21:49
by Gate Array
... and what about "renaming the file extension" instead of cutting the entire email?

Would it be possible to set up ClamAV or MailScanner to change the extension if a macro is detected inside the files?

Re: Block Office documents with Macros and notify recipient, rule-based

Posted: 24 Oct 2018 14:53
by Gate Array
Any idea?

Sorry for the forced up, but I'm sure this is something very important for a large base of users.

Re: Block Office documents with Macros and notify recipient, rule-based

Posted: 25 Oct 2018 03:18
by pdwalker
The problem is that macro detection is very, very weird. When I was looking into the problem earlier, I discovered that there is no "one way" to absolutely guarantee that you can detect a macro inside an Office document file, because of the multitude of Office document formats from over the years and the different ways that Office stores it.

You can detect some, but not all.

As for renaming the attachments - that's tricky. Editing an email on the fly because of something objectionable is fraught with problems, again because of all the possible ways that emails are formatted.

Newer versions of Office can be configured to disable macros in their documents automatically, or at least prompt the user if they really want to run them, and that's how I have to manage it - user education.
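
A container-level check of the kind pdwalker describes, as an added example in Python (not code from the thread, from MailScanner or from ClamAV), showing why the two families differ: OOXML files are zip packages where a vbaProject.bin part marks a macro-enabled document, while the legacy OLE2 binaries keep VBA in named storages that can only be found by walking the compound-file directory chain. The storage names and the minimal samples it builds are assumptions for illustration; it reports whether a VBA project is present, not what it does, and returns None for anything it cannot parse so the gateway policy for unknown input stays a separate decision.

```python
# Added example, not code from the thread, MailScanner or ClamAV: container-level VBA
# check for both Office families, with constructed (non-Office) samples for testing.
import io, struct, zipfile

OLE2_MAGIC, ENDOFCHAIN = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", 0xFFFFFFFE
VBA_STORAGES = {"Macros", "_VBA_PROJECT_CUR", "VBA"}  # Word / Excel / nested VBA storages

def ole2_entry_names(data):  # walk the MS-CFB directory chain through the FAT
    ssize = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    nfat, first_dir = struct.unpack_from("<II", data, 0x2C)
    fat = [e for s in struct.unpack_from("<109I", data, 0x4C)[:nfat]  # header DIFAT only
           for e in struct.unpack_from("<%dI" % (ssize // 4), data, (s + 1) * ssize)]
    names, sec, seen = [], first_dir, set()
    while sec < len(fat) and sec not in seen:  # ENDOFCHAIN or a FAT loop ends the walk
        seen.add(sec)
        for off in range((sec + 1) * ssize, (sec + 2) * ssize, 128):  # 128-byte entries
            nlen = struct.unpack_from("<H", data, off + 64)[0]  # UTF-16 bytes incl. NUL
            if nlen >= 2: names.append(data[off:off + nlen - 2].decode("utf-16-le"))
        sec = fat[sec]
    return names

def has_macros(data):  # True/False for OOXML or OLE2 input, None if unrecognised or malformed
    try:
        if data.startswith(b"PK\x03\x04"):  # OOXML: a vbaProject.bin part means macros,
            parts = zipfile.ZipFile(io.BytesIO(data)).namelist()  # whatever the extension
            return any(p.lower().endswith("vbaproject.bin") for p in parts)
        if data.startswith(OLE2_MAGIC):
            return bool(VBA_STORAGES & set(ole2_entry_names(data)))
    except (zipfile.BadZipFile, struct.error, UnicodeDecodeError):
        return None  # truncated or malformed container: let the caller decide the policy
    return None

def sample_ooxml(with_macro):  # constructed minimal package, not a real Office file
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for part in ["word/document.xml"] + (["word/vbaProject.bin"] if with_macro else []):
            zf.writestr(part, b"\x00")
    return buf.getvalue()

def sample_ole2(names):  # constructed compound file: header, FAT in sector 0, directory in 1
    hdr = bytearray(OLE2_MAGIC) + bytearray(504)  # v3, LE, 512/64-byte sectors, 1 FAT sector, dir at 1
    struct.pack_into("<7H8I", hdr, 0x1A, 3, 0xFFFE, 9, 6, 0, 0, 0, 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN)
    struct.pack_into("<109I", hdr, 0x4C, 0, *[0xFFFFFFFF] * 108)
    fat = struct.pack("<II", 0xFFFFFFFD, ENDOFCHAIN) + b"\xff" * 504
    dir_sec = bytearray(512)
    for i, name in enumerate(["Root Entry"] + list(names)):
        raw = name.encode("utf-16-le")
        dir_sec[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", dir_sec, i * 128 + 64, len(raw) + 2, 5 if i == 0 else 1)
    return bytes(hdr) + fat + bytes(dir_sec)
```

Only the 109 DIFAT slots in the header are read, so very large compound files would need the DIFAT chain as well; a renamed .docm still trips the OOXML branch because the part list, not the filename, is tested.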

Re: Block Office documents with Macros and notify recipient, rule-based

Posted: 26 Oct 2018 11:54
by thewomble
I agree with the above: user education is key. They are the best spam detector you have got with the correct training/education.

The spammers/malware vendors will spoof/rewrite the headers so you may end up hurting your users more with legitimate macro enabled documents depending on what you do.