
Blocking .doc/.docx with Macros?

macros doc docx vba

140 replies to this topic

#21 Scott Mooi

Scott Mooi
  • Members
  • 4 posts

Posted 15 December 2015 - 01:51 PM

I totally agree with opjose....these attachments are our largest attack vector right now.  Thankfully our desktop AV is catching them....so far.



#22 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 02 May 2016 - 09:20 AM

Any word on when 8 will be released? We are halfway through Q2 of 2016 now.

Macro file droppers are the biggest vector for ransomware right now. I want to strip all macros out on inbound email.



#23 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 02 May 2016 - 09:44 AM

We are hoping version 8 will be early summer as we are currently testing it right now!



Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#24 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 02 May 2016 - 01:30 PM

Thanks. Is early summer June? Or is it July? If you need a beta tester, I'll kick the tires!



#25 Toby Simmons

Toby Simmons
  • Members
  • 5 posts

Posted 20 June 2016 - 12:21 PM

We are now mid-June. Any new ETA information?



#26 Mike Zanczewski

Mike Zanczewski
  • Members
  • 6 posts

Posted 29 June 2016 - 02:10 PM

Hi,

Where are you changing the min message size value?  Mine are getting through based off of message size, so I would like to change this setting as well.



#27 Jeff Hammett

Jeff Hammett
  • Members
  • 11 posts

Posted 29 June 2016 - 08:31 PM

Hi,

Where are you changing the min message size value?  Mine are getting through based off of message size, so I would like to change this setting as well.

Click Advanced and then add &expert=1 to the end of the URL and you'll get an Expert Settings tab.

 

I increased mine to 356000 bytes and have seen a drop in malicious word docs getting through, but a few still do. I was told by Barracuda support to not increase it to more than 400kb for performance reasons. I am going to be slowly increasing mine and monitoring performance to try to block as much more as I can.



#28 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 04 July 2016 - 01:58 PM

We are hoping version 8 will be early summer as we are currently testing it right now!

 

We are into Q3 now. When will 8 be available, even as a beta??



#29 IT Support

IT Support
  • Members
  • 1 posts

Posted 05 July 2016 - 03:39 PM

My company has been having problems with getting .Doc files with macros builtin recently that are making their way through the Barracuda

 

I called Barracuda Support about this.  They told me that the feature to block macros in Office documents was going to be in version 8, which they gave me access to pretty quickly so I could download/upgrade the Spam Firewall 

 

After upgrading, I still didn't see any new features about blocking macros in attachments...  So I called them again.  I was now told that this feature just doesn't exist in their firmware, and that I would have to create a special Attachment Content Filter instead to block exactly what I want to block.

 

I believe I finally got a content filter that works for our purposes:

[.]*VBA[.]*Project[.]*AutoOpen[.]*OLE[.]*/i

 

This will catch any Office documents that contain a macro with an "AutoOpen" subroutine builtin

 

So far in testing it seems to be working.

 

I'm very disappointed with Barracuda Support.  The fact that they can't simply add a feature to block all attachments with macros, when their backend software is based on software that already has this ability (Spam Assassin) is pathetic.



#30 Jeff Hammett

Jeff Hammett
  • Members
  • 11 posts

Posted 05 July 2016 - 09:12 PM

My company has been having problems with getting .Doc files with macros builtin recently that are making their way through the Barracuda

 

I called Barracuda Support about this.  They told me that the feature to block macros in Office documents was going to be in version 8, which they gave me access to pretty quickly so I could download/upgrade the Spam Firewall 

 

After upgrading, I still didn't see any new features about blocking macros in attachments...  So I called them again.  I was now told that this feature just doesn't exist in their firmware, and that I would have to create a special Attachment Content Filter instead to block exactly what I want to block.

 

I believe I finally got a content filter that works for our purposes:

[.]*VBA[.]*Project[.]*AutoOpen[.]*OLE[.]*/i

 

This will catch any Office documents that contain a macro with an "AutoOpen" subroutine builtin

 

So far in testing it seems to be working.

 

I'm very disappointed with Barracuda Support.  The fact that they can't simply add a feature to block all attachments with macros, when their backend software is based on software that already has this ability (Spam Assassin) is pathetic.

 

Thanks, I just enabled this. We'll see how it goes. I don't think I've had anything blocked by this filter yet. What is listed as the reason when an email is blocked due to this filter? I want to keep an eye on it and see if it's getting anything.



#31 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 06 July 2016 - 11:10 AM

Version 8 firmware is going to 25% Beta this week, and we expect to raise it more soon!






#32 Jaybone

Jaybone
  • Members
  • 116 posts

Posted 06 July 2016 - 11:22 AM

 

I believe I finally got a content filter that works for our purposes:

[.]*VBA[.]*Project[.]*AutoOpen[.]*OLE[.]*/i

 

This will catch any Office documents that contain a macro with an "AutoOpen" subroutine builtin

 

So far in testing it seems to be working.

 

Thanks, we'll try this, as well.



#33 Jeff Hammett

Jeff Hammett
  • Members
  • 11 posts

Posted 06 July 2016 - 09:38 PM

My company has been having problems with getting .Doc files with macros builtin recently that are making their way through the Barracuda

 

I called Barracuda Support about this.  They told me that the feature to block macros in Office documents was going to be in version 8, which they gave me access to pretty quickly so I could download/upgrade the Spam Firewall 

 

After upgrading, I still didn't see any new features about blocking macros in attachments...  So I called them again.  I was now told that this feature just doesn't exist in their firmware, and that I would have to create a special Attachment Content Filter instead to block exactly what I want to block.

 

I believe I finally got a content filter that works for our purposes:

[.]*VBA[.]*Project[.]*AutoOpen[.]*OLE[.]*/i

 

This will catch any Office documents that contain a macro with an "AutoOpen" subroutine builtin

 

So far in testing it seems to be working.

 

I'm very disappointed with Barracuda Support.  The fact that they can't simply add a feature to block all attachments with macros, when their backend software is based on software that already has this ability (Spam Assassin) is pathetic.

 

I put this filter in place last night and am still getting emails containing word documents with auto open macros coming through. I won't really have time to dig in until next week, but could share a sample if you would like to look at it to improve the filter.



#34 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 07 July 2016 - 10:23 AM

Hello all,

We thank you for your feedback. Support has ensured Product Management is aware of the severity of this problem and that we get this in the next release ASAP.

Support cannot add functionality, but simply works with customers and product managers to get our products improved, and we do feel your pain.






#35 Jaybone

Jaybone
  • Members
  • 116 posts

Posted 07 July 2016 - 01:13 PM

Thanks, we'll try this, as well.

 

No hits yet, but a spearphish attempt came through today (addressed directly to the mail admin, LOL).  Haven't picked it apart yet, but the VT analysis is showing a macro using Public Sub UserForm_Initialize() - might be another way to have something auto-execute to get around an AutoOpen block?

 

Also - forum doesn't allow links to VT pages???

 

Hash is ef8fa4170e279c8ac2b607ce2e41209fce97c362aaa3d03ef4ae73e4a9046d0a if anyone wants to check it out.
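
Added example (not part of any post in this thread): a Python sketch comparing the filter posted in #29 with a wildcard variant, and a byte-level scan for the two entry-point names mentioned so far (AutoOpen, UserForm_Initialize). It assumes standard Perl/Python regex semantics, where `[.]` matches only a literal dot; the Barracuda filter engine may behave differently. The sample byte strings and helper names are constructed for illustration.

```python
import re

# The filter exactly as posted in #29 (trailing /i read as case-insensitive).
POSTED = re.compile(rb"[.]*VBA[.]*Project[.]*AutoOpen[.]*OLE[.]*", re.I | re.S)
# Same keywords with '.' as a wildcard, which is what the description implies.
WILDCARD = re.compile(rb"VBA.*Project.*AutoOpen.*OLE", re.I | re.S)

# Entry points named in this thread; extend the tuple to suit your own policy.
AUTO_EXEC = (b"AutoOpen", b"UserForm_Initialize")
# Strings that indicate a VBA project in OLE (.doc) or OOXML (.docm) files.
VBA_MARKERS = (b"_VBA_PROJECT", b"VBAProject", b"vbaProject.bin")

def variants(name):
    # OLE files store names as ASCII and as UTF-16LE; search for both forms.
    text = name.decode().lower()
    return (text.encode(), text.encode("utf-16-le"))

def find_auto_exec(data, names=AUTO_EXEC):
    """Return the entry-point names found in data, only if a VBA marker exists."""
    low = data.lower()
    if not any(v in low for m in VBA_MARKERS for v in variants(m)):
        return []
    return [n.decode() for n in names if any(v in low for v in variants(n))]

# Constructed samples (not real documents): OLE magic plus representative strings.
OLE_MAGIC = b"\xd0\xcf\x11\xe0"
SAMPLE_A = OLE_MAGIC + b"\x00_VBA_PROJECT\x00Project\x00Sub AutoOpen()\x00OLE\x00"
SAMPLE_B = (OLE_MAGIC + b"\x00_VBA_PROJECT\x00"
            + "Public Sub UserForm_Initialize()".encode("utf-16-le"))
SAMPLE_C = b"Please see the AutoOpen notes in the attached plain text."

if __name__ == "__main__":
    for label, blob in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(label,
              "posted:", bool(POSTED.search(blob)),
              "wildcard:", bool(WILDCARD.search(blob)),
              "auto-exec:", find_auto_exec(blob))
```

A raw byte search cannot see names inside ZIP-compressed .docm/.docx parts, so an empty result means "not seen", not "clean".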



#36 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 07 July 2016 - 01:14 PM

Due to ongoing spam campaign attempts on this forum, we do not allow external URL links here.






#37 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 09 July 2016 - 12:32 PM

I see v8 is finally released! I've installed and updated to 8.0.0.001.

Can someone tell me now how to enable blocking of inbound Word docs with macros embedded? This was to be a new feature in 8: better malicious macro detection.


8.0.0.001 (2016-06-27) 



#38 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 09 July 2016 - 12:36 PM

No hits yet, but a spearphish attempt came through today (addressed directly to the mail admin, LOL).  Haven't picked it apart yet, but the VT analysis is showing a macro using Public Sub UserForm_Initialize() - might be another way to have something auto-execute to get around an AutoOpen block?

 

Also - forum doesn't allow links to VT pages???

 

Hash is ef8fa4170e279c8ac2b607ce2e41209fce97c362aaa3d03ef4ae73e4a9046d0a if anyone wants to check it out.

 

Can someone help with an attachment content filter string that would block these? I'm not very good at regex.



#39 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 11 July 2016 - 10:56 AM

Version 8.0 doesn't have the macro blocking feature currently. But we've stressed to product management to get this in to the next 8.x release as the top priority. Hopefully they will be able to get this tested and out the door soon!






#40 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 13 July 2016 - 12:10 PM

An email just got through today and I'm wondering, based on the scores below, can I block "MIME_DOC_AUTOOPEN"?

 

X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.31235
    Rule breakdown below
     pts rule name description
    ---- ---------------------- --------------------------------------------------
    0.01 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
    0.00 BSF_SPF_HARDFAIL Custom Rule SPF Hardfail
    2.50 MIME_DOC_AUTOOPEN Custom Rule MIME_DOC_AUTOOPEN
    0.00 BSF_SA_CLSFR_TRK1 Custom Rule BSF_SA_CLSFR_TRK1
    3.10 DATE_IN_FUTURE_06_12_2 DATE_IN_FUTURE_06_12_2

 

How can I explicitly block ANY email that triggers Custom Rule MIME_DOC_AUTOOPEN?
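
Added example (not part of the post above, and not a Barracuda feature): a Python sketch that parses the X-Barracuda-Spam-Report rule breakdown and flags any message that hit MIME_DOC_AUTOOPEN. It assumes the header is still present when the message reaches a downstream system you control; the function names, addresses and surrounding message are constructed, and only the header content comes from the post.

```python
import re
from email import message_from_string

# Constructed message wrapping the rule breakdown quoted in the post above.
RAW = """\
From: sender@example.com
To: admin@example.org
Subject: Invoice
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.31235
    Rule breakdown below
     pts rule name description
    ---- ---------------------- --------------------------------------------------
    0.01 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
    0.00 BSF_SPF_HARDFAIL Custom Rule SPF Hardfail
    2.50 MIME_DOC_AUTOOPEN Custom Rule MIME_DOC_AUTOOPEN
    0.00 BSF_SA_CLSFR_TRK1 Custom Rule BSF_SA_CLSFR_TRK1
    3.10 DATE_IN_FUTURE_06_12_2 DATE_IN_FUTURE_06_12_2

See attached.
"""

# A rule line is "<points> <RULE_NAME> <description>" at the start of a line.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\b", re.M)

def barracuda_rules(raw_message):
    """Return {rule_name: points} from every X-Barracuda-Spam-Report header."""
    # The default compat32 policy keeps the folded header's line breaks,
    # which the line-anchored pattern above relies on.
    msg = message_from_string(raw_message)
    hits = {}
    for value in msg.get_all("X-Barracuda-Spam-Report", []):
        for pts, rule in RULE_LINE.findall(str(value)):
            hits[rule] = float(pts)
    return hits

def should_quarantine(raw_message, block_rules=("MIME_DOC_AUTOOPEN",)):
    """True when the message triggered any rule in block_rules, whatever its score."""
    hits = barracuda_rules(raw_message)
    return any(rule in hits for rule in block_rules)

if __name__ == "__main__":
    print(barracuda_rules(RAW))
    print("quarantine:", should_quarantine(RAW))
```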