topic Re: Blocking WORD docs which contain macros in General Topics

Blocking WORD docs which contain macros

cenders — Fri, 11 Sep 2015 16:28:45 GMT

In the course of a regular day, it is not uncommon to receive regular legit word documents from people via email. However, increasingly we are getting documents pretending to be resumes, and the .doc file contains macros. Our version of Word 2013 treats these as protected documents and the macros do not auto open like the malicious user intended. However, the content of the word document tries to trick our end user into clicking the "allow content" button. Even if they do click, our firewall is blocking the attempted EXE download. However, should the next round of word documents get more clever and change the download into something without an extension (possibly renaming during the download?) then I'd like to investigate the option of preventing Word documents with Macros from coming in through the firewall.

Is that possible using a data filter?

Corbett.

Re: Blocking WORD docs which contain macros

santonic — Mon, 14 Sep 2015 07:24:30 GMT

According to PA executable files are not recognised only by extension but by file content so changing extension won't help the attacker. However i agree that blocking word docs with macros from internet could be a useful feature. I don't think there is such feature available yet. But I guess a DLP filter which triggers on typical macro functions and/or calls could work. Or some custom IPS signature maybe.

Re: Blocking WORD docs which contain macros

cenders — Mon, 14 Sep 2015 15:08:56 GMT

The macros inside these malicious word docs are password protected, so I'd have to look for a string blocking all macros, of which I don't know how to do. There is text inside each of these word docs that tries to make the user click the to disable extended security, so maybe I can scan for those words instead of looking for macros.

Re: Blocking WORD docs which contain macros

peter.schoenegger — Wed, 30 Mar 2016 13:48:10 GMT

This is kind of an older question from 2011 but the whole macro thing especially regarding CryptoLocker spreading rapidly over the EMEA region is highly relevant. Any updates if such a macro blocking/dection (aka. finding active content in MIMEs) feature will be vailable in PAN-OS 8 - Such an extension to the AV/fileblocking database would be very nice. Plenty of e-mail gateways are doing this for the e-mail vector, also from a web vector perspective controlling files entering the company in a more granular would help a lot.

...something like that for the http traffic side:

Thanks