
Blocking .doc/.docx with Macros?

macros doc docx vba

140 replies to this topic

#1 Jeff Hammett

Jeff Hammett
  • Members
  • 11 posts

Posted 02 October 2015 - 10:15 AM

Does the Barracuda Spam and Virus Firewall v400 have the ability to block Word documents (.doc and .docx) only if they contain macros/VBA script? And allow them through if they do not?

 

I have been seeing an increase in malicious Word documents with macros getting through the spam filter lately. Some have been .docm which I have blocked that entire filetype as none of my users have legitimate needs for it.

 

But now we are seeing .doc and .docx with Macros.



#2 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 02 October 2015 - 10:41 AM

Hi Jeff,

 

If you're actively blocking "vbs" or "vba" etc in your attachment filters list then this should take care of any detected type scripts in the files.

 

If they have been getting through, please contact support so we may review!



Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#3 Chris Mundell

Chris Mundell
  • Members
  • 4 posts

Posted 02 October 2015 - 10:42 AM

+1 on this!

 

I have seen an increase in this as well. I have seen several .DOC files come in infected this way lately. Also, the local scanners on the machines missed the last one in testing too. I really hate depending on end users to NOT click on something.

 

Edit--- I have added the Vbs and Vba extensions into the attachment filter, will monitor.

 

Chris



#4 Jeff Hammett

Jeff Hammett
  • Members
  • 11 posts

Posted 02 October 2015 - 10:59 AM

> Hi Jeff,
>
> If you're actively blocking "vbs" or "vba" etc in your attachment filters list then this should take care of any detected type scripts in the files.
>
> If they have been getting through, please contact support so we may review!

Can you clarify a bit more please? Do I need to add ".vbs" and ".vba" to the Attachment Filename Filters and block them? If so will this work even if the files are .doc?

 

I don't have a VBS or VBA option under Attachment File Type Filters. I am blocking "Executables - Windows Executables" and "Executables - Windows Scripts" but that does not block the .doc files with macros.



#5 Jeff Hammett

Jeff Hammett
  • Members
  • 11 posts

Posted 02 October 2015 - 11:03 AM

> Can you clarify a bit more please? Do I need to add ".vbs" and ".vba" to the Attachment Filename Filters and block them? If so will this work even if the files are .doc?
>
> I don't have a VBS or VBA option under Attachment File Type Filters. I am blocking "Executables - Windows Executables" and "Executables - Windows Scripts" but that does not block the .doc files with macros.

 

I just tested adding .VBS and .VBA to the Attachment Filename Filters as blocked and the .doc with macro still got through.



#6 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 02 October 2015 - 11:21 AM

Please review the helpfile for specifics on this

 

If you use .vbs it would block files using .vbs which is pretty straightforward

If you use just vbs it would run a file type on the files attached and block if it is determined to match a vbs script

If these get through otherwise, do contact support so we may review.






#7 Jeff Hammett

Jeff Hammett
  • Members
  • 11 posts

Posted 02 October 2015 - 11:29 AM

> Please review the helpfile for specifics on this
>
> If you use .vbs it would block files using .vbs which is pretty straightforward
>
> If you use just vbs it would run a file type on the files attached and block if it is determined to match a vbs script
>
> If these get through otherwise, do contact support so we may review.

Thanks, I reviewed the help file but I am still unsure of how this will act.

 

Do I want to be using "vbs" or "*vbs*"?

 

My understanding based on the help file is that if I do "*vbs*" and a file were to include the string "vbs" in the content it would be blocked, even if it were not a VB Script file. Obviously this could be problematic.

 

The help file does not specifically mention the pattern "vbs", but if this would block email with VB Script inside of attachments it is what I am looking for.



#8 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 02 October 2015 - 11:31 AM

just vbs

 

helpfile uses xls as an example, but can be interchanged for any other type etc 






#9 Jeff Hammett

Jeff Hammett
  • Members
  • 11 posts

Posted 02 October 2015 - 11:35 AM

> just vbs
>
> helpfile uses xls as an example, but can be interchanged for any other type etc

Where is the helpfile you are referring to? When I click Help on the Attachment Filters page I don't get anything explaining what you are describing, the only mention for xls is referring to the Attachment File Type Filters section and does not appear to be on point with what we are discussing here.



#10 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 02 October 2015 - 11:36 AM

That is exactly what I am referring to.. as my previous post states "helpfile uses xls as an example, but can be interchanged for any other type etc " such as vbs etc 






#11 Jeff Hammett

Jeff Hammett
  • Members
  • 11 posts

Posted 02 October 2015 - 11:52 AM

> That is exactly what I am referring to.. as my previous post states "helpfile uses xls as an example, but can be interchanged for any other type etc " such as vbs etc

So in the helpfile when it is discussing xls under the heading "Attachment File Type Filters" it is not only referring to the "Attachment File Type Filters" section and also refers to the "Attachment Filename Filters" section?



#12 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 02 October 2015 - 11:55 AM

We'd recommend you utilize both sections as they tackle all various vectors that can be used in terms of file types 






#13 Jeff Hammett

Jeff Hammett
  • Members
  • 11 posts

Posted 02 October 2015 - 12:32 PM

> We'd recommend you utilize both sections as they tackle all various vectors that can be used in terms of file types

 

Thanks again for your help, but can you clarify how the Attachment File Type Filters pertain to my question about wanting to block .doc files with VB script, but not block all .doc files?

 

Under Attachment File Type Filters I have the following listed:

 

Multimedia - Audio/Video Files

Documents - MS-Access

Documents - MS-Excel

Documents - MS-Word

Documents - MS-Powerpoint

Documents - Adobe PDF

Executables - Windows Executables

Executables - Windows Scripts

 

I have both Executable options set to block and the .doc file with VB script is still getting through. Am I missing something regarding how the Attachment File Type Filters  and Attachment Filename Filters relate to each other and apply to this specific case?



#14 Kristina M

Kristina M
  • Members
  • 22 posts

Posted 02 October 2015 - 12:38 PM

https://community.ba...ntaining-macro/

 

 

I also encountered this and posted an inquiry back in July; received no feedback regarding the concern.  VBS scripts as an attachment type have been blocked since we've had our filter and that capability isn't blocking the macros in the new file types.

 

I don't think the attachment type filters are looking at the docs appropriately.  I am also interested in whatever resolution Barracuda publishes regarding this.
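The posts above turn on the gap between matching an attachment's name or top-level type and inspecting what is inside the Word container, which is where a macro actually lives. As an added example (not part of any post in this thread and not Barracuda's code), the Python below classifies attachment bytes by looking for the VBA project inside the OLE2 (.doc) or OOXML (.docx) container; the function names and the sample files are constructed for illustration.

```python
import io, struct, zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # legacy .doc/.xls container

def ole_names(data):
    """Stream/storage names via the directory chain (header DIFAT only)."""
    size = 1 << struct.unpack_from("<H", data, 30)[0]        # sector size
    fat = [v for s in struct.unpack_from("<109I", data, 76) if s < 0xFFFFFFFA
           for v in struct.unpack_from(f"<{size // 4}I", data, (s + 1) * size)]
    names, sid, seen = [], struct.unpack_from("<I", data, 48)[0], set()
    while sid < len(fat) and sid not in seen:                # seen: loop guard
        seen.add(sid)
        for off in range((sid + 1) * size, (sid + 2) * size, 128):
            nlen, kind = struct.unpack_from("<HB", data, off + 64)
            if kind and 2 <= nlen <= 64:                     # kind 0 = unused
                names.append(data[off:off + nlen - 2].decode("utf-16-le", "replace"))
        sid = fat[sid]
    return names

def macro_verdict(data):
    """Return 'macro', 'clean', 'unparseable' or 'not-office' from content."""
    try:
        if data[:8] == OLE_MAGIC:
            return "macro" if "_VBA_PROJECT" in ole_names(data) else "clean"
        if data[:4] == b"PK\x03\x04":                        # OOXML zip
            parts = zipfile.ZipFile(io.BytesIO(data)).namelist()
            hit = any(p.lower().endswith("vbaproject.bin") for p in parts)
            return "macro" if hit else "clean"
    except (struct.error, ValueError, OverflowError, zipfile.BadZipFile):
        return "unparseable"                                 # hold, do not pass
    return "not-office"

def sample_docx(macro):                                      # constructed input
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for part in ["word/document.xml"] + ["word/vbaProject.bin"] * macro:
            z.writestr(part, b"constructed placeholder")
    return buf.getvalue()

def sample_doc(macro):                                       # constructed input
    hdr, dirs = bytearray(512), bytearray(512)
    struct.pack_into("<8s22xH16xI", hdr, 0, OLE_MAGIC, 9, 1) # 512 B, dir=sector 1
    struct.pack_into("<109I", hdr, 76, 0, *[0xFFFFFFFF] * 108)   # FAT = sector 0
    fat = struct.pack("<128I", 0xFFFFFFFD, 0xFFFFFFFE, *[0xFFFFFFFF] * 126)
    names = ["Root Entry", "WordDocument", "Macros", "_VBA_PROJECT"]
    for i, n in enumerate(names[:4 if macro else 2]):
        raw = n.encode("utf-16-le")
        struct.pack_into("<64sHB", dirs, i * 128, raw, len(raw) + 2, 2)
    return bytes(hdr) + fat + bytes(dirs)
```

The verdict depends only on the bytes, so it is the same whatever extension the attachment carries. Only the FAT sectors listed in the file header are followed, so very large legacy files need a full compound-file parser.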



#15 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 02 October 2015 - 12:46 PM

After reviewing with engineering, it appears we have a project in the works to improve our accuracy on macro based documents that is targeted for an 8.x firmware release

  1. the request # is BNSF-23786 that should be in release notes when completed





#16 Kristina M

Kristina M
  • Members
  • 22 posts

Posted 02 October 2015 - 12:49 PM

Thank you!

What is the ETA for 8.x to arrive?



#17 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 02 October 2015 - 12:52 PM

2016






#18 Ryan

Ryan
  • Members
  • 2 posts

Posted 06 October 2015 - 12:41 PM

 

> After reviewing with engineering, it appears we have a project in the works to improve our accuracy on macro based documents that is targeted for an 8.x firmware release
>
>   1. the request # is BNSF-23786 that should be in release notes when completed

 

 

 

On my firewall all of these messages were being Allowed due to Message Size.  They were all just over 256KB which is the default value.  I increased my value to 500KB and then marked them as SPAM.  The Score of these now marks them as spam and blocks them.



#19 ASI

ASI
  • Members
  • 1 posts

Posted 01 December 2015 - 11:09 AM

Ryan Staats, on 06 Oct 2015 - 11:41 AM, said:

> On my firewall all of these messages were being Allowed due to Message Size.  They were all just over 256KB which is the default value.  I increased my value to 500KB and then marked them as SPAM.  The Score of these now marks them as spam and blocks them.

 

This! 

I increased the value to 20MB to match my maximum incoming and it drastically cut down if not eliminated the zero hour doc macros coming through ever since.   256kb does not cut it.  Tech explained you can get increased latency times with higher values, but my latency has remained <10 sec since making the change.  Just wanted to tack onto this post because Ryan's suggestion is ultimately what helped me stop more of these macro docs.



#20 opjose

opjose
  • Members
  • 255 posts
  • Location: Washington D.C. Area

Posted 10 December 2015 - 01:25 PM

+10 on this topic.

 

It's unfortunate that this is being pushed back to 2016, as the holiday period is seeing an increased amount of VBS embedded DOC, DOCX, XLS, XLSX, macros that attempt to pull down viruses/worms and other threats.

 

Increasing the size threshold helps a bit, but we still see three or more attachments with malicious VBS scripts getting through the anti-spam filter.

 

The Barracuda Anti-virus in the anti-spam filter is not catching these messages.

 

All it takes is ONE message to wreak havoc on a business network.