topic Re: Blocking macro-enabled Office files (docm, xlsm, etc) in General Topics

Blocking macro-enabled Office files (docm, xlsm, etc)

gleduc — Thu, 11 Aug 2016 23:57:48 GMT

The available file types that can be filtered doesn't include Office documents with macros (docm, xlsm, etc). These are being used now to sneak garbage into the network. Is there a way to ID them or are they on the horizon for inclusion in the file blocking filters? An innovative way that is being used is to create an xlsm file with a malicious macro in it and then replace the xlsm extension with csv. User thinks it's just rows of text and clicks on it, Windows feeds it to Excel, and Excel opens it and runs the macro.

Gene

Re: Blocking macro-enabled Office files (docm, xlsm, etc)

reaper — Thu, 07 Jul 2022 07:23:53 GMT

Hi Gene

In fileblocking the firewall is not able to differentiate doc files with or without macros as they are basically the same file type, it will be able to identify doc files 'disguised' as CSV as it looks deeper into the file than merely the extention . You could block doc files altogether, which may be a bit over the top.

Vulnerability protection has an ID for Office files containing Macros as BPry mentions

Re: Blocking macro-enabled Office files (docm, xlsm, etc)

Raido_Rattameister — Fri, 12 Aug 2016 14:40:03 GMT

Block macros with GPO.

https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/

Re: Blocking macro-enabled Office files (docm, xlsm, etc)

BPry — Fri, 12 Aug 2016 17:15:39 GMT

You can also block id 39154 which is Microsoft Office File with Macros. Please note that this isn't a perfect signature by far, but it does manage to take care of a good percentage of files before they hit our Barracudas

Re: Blocking macro-enabled Office files (docm, xlsm, etc)

steveo — Tue, 16 Aug 2016 20:54:57 GMT

Or Subscribe to Wildfire, it does a pretty bang up job with handling them!

Good luck!

-sO