Block Office documents with macros and notify recipient, rule-based

SupportOU
Posts: 47
Joined: 12 Sep 2016 18:47

Block Office documents with macros and notify recipient, rule-based

Post by SupportOU »

Hi All,

Does anyone know if it is possible to block all Office documents that contain macros for recipients of *@domain1.com, while allowing them for users of *@domain2.com?

Do I need to block/allow this in ClamAV or MailScanner or a combination?

For now I used the /etc/MailScanner/rules/content.scanning.rules file in combination with /etc/clamav.conf (OLE2BlockMacros yes). My content.scanning.rule is 'From: *@domain3.com and To: *@domain2.com no'

But this rule doesn't fire when user@domain3.com sends a document with a macro to user@domain2.com. Now all Office documents with macros are blocked (but no zero-day cryptolockers since, so in that respect I am very, very happy).

I have more rules in this very rules file and these are working.

What can I do better here?

Thanks!

Grtz,
Ronald
Gate Array
Posts: 23
Joined: 30 Aug 2017 09:36

Re: Block Office documents with macros and notify recipient, rule-based

Post by Gate Array »

I would like the same feature/configuration... block all the Office files with macros inside...

The problem is doing it using MailScanner and not with ClamAV.


In my configuration I've setup:

1) Make a bounce reply email for "illegal attachment" to the sender.

2) Do "nothing" if a virus is found

So... what I want to achieve is to send an email alert back to the sender also for macros inside Office files.

Is there any way to do it?
Gate Array
Posts: 23
Joined: 30 Aug 2017 09:36

Re: Block Office documents with macros and notify recipient, rule-based

Post by Gate Array »

No one...???
No ideas ????
thewomble
Posts: 50
Joined: 17 Jan 2017 12:52

Re: Block Office documents with macros and notify recipient, rule-based

Post by thewomble »

Take a look at https://github.com/fmbla/spamassassin-olemacro

I have not used it myself yet; it was on my to-do list.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Block Office documents with macros and notify recipient, rule-based

Post by pdwalker »

I use it, and there are a number of conditions that it does not detect. Embedded macros in MS Word documents are one hairball of a mess.
Gate Array
Posts: 23
Joined: 30 Aug 2017 09:36

Re: Block Office documents with macros and notify recipient, rule-based

Post by Gate Array »

... and what about "renaming the file extension" instead of cutting the entire email?

Would it be possible to set up ClamAV or MailScanner to change the extension if a macro is detected inside the files?
Gate Array
Posts: 23
Joined: 30 Aug 2017 09:36

Re: Block Office documents with macros and notify recipient, rule-based

Post by Gate Array »

Any idea?

Sorry for the forced bump, but I'm sure this is something very important for a large base of users.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Block Office documents with macros and notify recipient, rule-based

Post by pdwalker »

The problem is that macro detection is very, very weird. When I was looking into the problem earlier, I discovered that there is no "one way" to absolutely guarantee that you can detect a macro inside an Office document file, because of the multitude of Office document formats over the years and the different ways that Office stores them.

You can detect some, but not all.

As for renaming the attachments - that's tricky. Editing an email on the fly because of something objectionable is fraught with problems, again because of all the possible ways that emails are formatted.

Newer versions of Office can be configured to disable macros in their documents automatically, or at least prompt the user if they really want to run them, and that's how I have to manage it - user education.
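As an added illustration of the partial detection pdwalker describes (example code written for this page, not from the thread, MailScanner or ClamAV): a stdlib-only check for a VBA project in the two Office container formats, plus a per-recipient-domain decision of the kind the original poster was trying to express as a rule. The function names, the sample attachments and the domain policy are all constructed for the example.

```python
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Compound-file directory entries store stream names as UTF-16LE. A VBA
# project always contains a "_VBA_PROJECT" stream, whether it sits under
# Word's "Macros" storage or Excel's "_VBA_PROJECT_CUR" storage.
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def has_vba_macros(data: bytes) -> bool:
    """Heuristic: does this Office document carry a VBA project?"""
    if data.startswith(OLE2_MAGIC):
        # Legacy binary formats (.doc/.xls/.ppt): look for the stream name.
        return OLE2_VBA_MARKER in data
    if data.startswith(b"PK\x03\x04"):
        # OOXML (.docm/.xlsm/.pptm, or a renamed .docx): the macros live in
        # a vbaProject.bin part inside the zip container.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(name.lower().endswith("vbaproject.bin")
                           for name in zf.namelist())
        except zipfile.BadZipFile:
            return False
    # Other containers (RTF, MHT, ...) are not inspected: "not detected" is
    # not "no macro", which is exactly the gap pdwalker describes.
    return False

# Constructed policy for the example: the rule the original poster wanted,
# block for domain1.com recipients, allow for domain2.com recipients.
MACROS_ALLOWED_FOR = {"domain2.com"}

def macro_policy(recipient: str, attachment: bytes) -> str:
    """Return 'deliver' or 'block-and-notify' for one recipient."""
    if not has_vba_macros(attachment):
        return "deliver"
    rcpt_domain = recipient.rsplit("@", 1)[-1].lower()
    return "deliver" if rcpt_domain in MACROS_ALLOWED_FOR else "block-and-notify"

def fake_ooxml(with_macros: bool) -> bytes:
    """Constructed minimal zip standing in for a .docm/.docx (not a real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()

# Constructed legacy-format stand-ins: header, padding, with/without the marker.
FAKE_DOC_WITH_VBA = OLE2_MAGIC + b"\x00" * 504 + OLE2_VBA_MARKER + b"\x00" * 40
FAKE_DOC_CLEAN = OLE2_MAGIC + b"\x00" * 568
```

A real gateway would run this per attachment (after unpacking archives) and feed the result into the notification step; the point of the example is the last branch, where an unrecognised container yields no verdict at all.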
thewomble
Posts: 50
Joined: 17 Jan 2017 12:52

Re: Block Office documents with macros and notify recipient, rule-based

Post by thewomble »

I agree with the above; user education is key. They are the best spam detector you have got, with the correct training/education.

The spammers/malware vendors will spoof/rewrite the headers, so you may end up hurting your users more with legitimate macro-enabled documents, depending on what you do.