Blocking WORD docs which contain macros

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Blocking WORD docs which contain macros

L3 Networker

In the course of a regular day, it is not uncommon to receive regular legit word documents from people via email.  However, increasingly we are getting documents pretending to be resumes, and the .doc file contains macros.  Our version of Word 2013 treats these as protected documents and the macros do not auto open like the malicious user intended. However, the content of the word document tries to trick our end user into clicking the "allow content" button.  Even if they do click, our firewall is blocking the attempted EXE download.  However, should the next round of word documents get more clever and change the download into something without an extension (possibly renaming during the download?) then I'd like to investigate the option of preventing Word documents with Macros from coming in through the firewall.


Is that possible using a data filter?




L6 Presenter

According to PA executable files are not recognised only by extension but by file content so changing extension won't help the attacker. However i agree that blocking word docs with macros from internet could be a useful feature. I don't think there is such feature available yet. But I guess a DLP filter which triggers on typical macro functions and/or calls could work. Or some custom IPS signature maybe.



The macros inside these malicious word docs are password protected, so I'd have to look for a string blocking all macros, of which I don't know how to do.  There is text inside each of these word docs that tries to make the user click the to disable extended security, so maybe I can scan for those words instead of looking for macros.

This is kind of an older question from 2011 but the whole macro thing especially regarding CryptoLocker spreading rapidly over the EMEA region is highly relevant. Any updates if such a macro blocking/dection (aka. finding active content in MIMEs) feature will be vailable in PAN-OS 8 - Such an extension to the AV/fileblocking database would be very nice. Plenty of e-mail gateways are doing this for the e-mail vector, also from a web vector perspective controlling files entering the company in a more granular would help a lot.


...something like that for the http traffic side:





  • 3 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!