Blocking .doc/.docx with Macros?

macros doc docx vba

140 replies to this topic

#41 Adam

Adam
  • Members
  • 1 posts

Posted 14 July 2016 - 11:09 AM

@Matthew Willson-Heller Disappointing to see that BNSF-23786 has not made it into the 8.0.0.001 (2016-06-27) release.

 

Can someone at Barracuda provide a definitive answer as to when this will be incorporated in a release? As it appears that you are not the person to do so.

 

Providing answers such as "Hopefully they will be able to get this tested and out the door soon!" is not a satisfactory response. May I remind you that this is not a free open-source product, so please provide a solid timeline as to when this will be delivered.



#42 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 14 July 2016 - 11:16 AM

@Adam. i completely agree Adam. Word macro malware is one of the primary vectors used for ransomware attacks in the last couple of years. We want this stuff blocked. I would trade 1,000 viagra emails leaking through to block word macros. This is a very serious problem, and if any of my counterparts in the IT world asked me today what to recommend to filter email i would have to tell them that barracuda cannot block word macros. :(



#43 Tanushree Chellam

Tanushree Chellam

    Product Manager

  • Moderators
  • 23 posts
  • Location: Campbell, CA

Posted 14 July 2016 - 12:09 PM

Hi all,

 

We understand that this is an important request. The next major release following firmware 8.0, slated within this year, will have the fix for BNSF-23786, addressing macros in Office documents. The team is actively working on resolving this for the next release. 

 

Firmware 8.0 is currently available to all Email Security Gateway appliance customers as an early release, and thank you for your patience as we address this request next. Thanks also for being a valued Barracuda customer.


Tanu Chellam

Content Security & Cloud Micro-service Projects


#44 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 14 July 2016 - 12:12 PM

i installed v8 the day it became available and there was no macro blocking feature yet. are you saying it could be anytime within the next 6 months still?



#45 Tanushree Chellam

Tanushree Chellam

    Product Manager

  • Moderators
  • 23 posts
  • Location: Campbell, CA

Posted 14 July 2016 - 12:30 PM

Hi Aaron,

 

It will be in the firmware release after 8.0. We are currently working on this feature. Yes we are looking to release this before the end of this calendar year. 




#46 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 14 July 2016 - 12:32 PM

thanks. that is going to be a long wait.

 

perhaps barracuda can provide the community with some work-arounds until the fix is in place, such as a recommended list of regex patterns to use in the attachment filtering area, and also if someone can answer this question of mine from the previous page:

 

an email just got through today and im wondering based on the scores below can i block "MIME_DOC_AUTOOPEN"

 

X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.31235
    Rule breakdown below
     pts rule name description
    ---- ---------------------- --------------------------------------------------
    0.01 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
    0.00 BSF_SPF_HARDFAIL Custom Rule SPF Hardfail
    2.50 MIME_DOC_AUTOOPEN Custom Rule MIME_DOC_AUTOOPEN
    0.00 BSF_SA_CLSFR_TRK1 Custom Rule BSF_SA_CLSFR_TRK1
    3.10 DATE_IN_FUTURE_06_12_2 DATE_IN_FUTURE_06_12_2

 

how can i explicitly block ANY email that triggers Custom Rule MIME_DOC_AUTOOPEN



#47 Jaybone

Jaybone
  • Members
  • 116 posts

Posted 19 July 2016 - 12:30 PM

8.0.0.002 (2016-07-18) started showing up this morning, but the release notes it links to (on-device) and on the Barracuda website (https://campus.barra...F/ReleaseNotes/) are still only inclusive of build 001.  

 

Any word whether the 002 build has this?



#48 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 19 July 2016 - 12:48 PM

if you're seeing 002 this means you got added to our beta program, we'd ask you to contact support to verify why/when this was.. and I don't believe it will have this feature in it yet



Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#49 rootNWD

rootNWD
  • Members
  • 21 posts

Posted 20 July 2016 - 10:18 PM

Fixed in Version 8.0
Version 8.0.0.002
Mail Processing
  • Downloading a PDF file attached to a message from the Message Log through BAC/BCS works as expected. [BNSF-25536]
  • Attachment filtering blocks correctly even if MIME type encoding is not formatted correctly. [BNSF-20598]
  • Messages received by the Barracuda Email Security Gateway which are just under the maximum message size are processed properly and are not blocked. [BNSF-25500]
  • When the From header of a message has an unusual format, the unit does not time out when attempting to deliver the message from the user's quarantine inbox. [BNSF-25254]
  • SMTP over TLS for outbound mail works as expected, the mail queues and delivers properly and the logs do not indicate errors. [BNSF-25437]
  • Outbound quarantine emails with multi-line From headers due to UTF8 are delivered as expected. [BNSF-25309]
Notifications
  • The Barracuda Email Security Gateway no longer sends out notifications that state "Encrypted email unable to be delivered" for emails that trigger encryption policies and have a blank sender. [BNSF-17895]
  • Alert email announcing that Energize Updates subscription is about to expire is now branded correctly as Barracuda Email Security Gateway. [BNSF-25615]
  • NDRs are not rejected by some mail servers, including O365, if they don't include a valid From header. [BNSF-25612]
Web Interface
  • The Configuration Updated message only shows on web interface pages as needed. [BNSF-25566]
  • Street Address and Driver's License information in emails trigger Privacy policies as expected. [BNSF-24772]
  • When specifying a filename for an attachment content filter, the pattern specified (filename= ) works when there is a space between the "= " and the filename. [BNSF-25491]
Security
  • High severity vulnerability: persistent XSS, authenticated [BNSEC-6504 / BNSF-25215, BNSEC-4551 / BNSF-22345]


#50 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 21 July 2016 - 08:48 AM

i know its weird quoting myself but i wanted to bump this.

anyone know how to block MIME_DOC_AUTOOPEN?

> thanks. that is going to be a long wait.
>
> perhaps barracuda can provide the community with some work-arounds until the fix is in place, such as a recommended list of regex patterns to use in the attachment filtering area, and also if someone can answer this question of mine from the previous page:
>
> an email just got through today and im wondering based on the scores below can i block "MIME_DOC_AUTOOPEN"
>
> X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.31235
>     Rule breakdown below
>      pts rule name description
>     ---- ---------------------- --------------------------------------------------
>     0.01 DATE_IN_FUTURE_06_12 Date: is 6 to 12 hours after Received: date
>     0.00 BSF_SPF_HARDFAIL Custom Rule SPF Hardfail
>     2.50 MIME_DOC_AUTOOPEN Custom Rule MIME_DOC_AUTOOPEN
>     0.00 BSF_SA_CLSFR_TRK1 Custom Rule BSF_SA_CLSFR_TRK1
>     3.10 DATE_IN_FUTURE_06_12_2 DATE_IN_FUTURE_06_12_2
>
> how can i explicitly block ANY email that triggers Custom Rule MIME_DOC_AUTOOPEN



#51 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 21 July 2016 - 10:20 AM

We've asked product management to approve a plan of action on that rule set and hope to get back to you soon!






#52 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 01 August 2016 - 09:37 AM

any new developments?



#53 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 01 August 2016 - 12:31 PM

ANOTHER example, this came through a few minutes ago.

this is ridiculous. what is the point in the barracuda appliance when this is the #1 reason we want these appliances!

if we could block MIME_DOC_AUTOOPEN it would at least block these examples.

 

 

X-Barracuda-Spam-Score: 2.50
X-Barracuda-Spam-Status: No, SCORE=2.50 using global scores of TAG_LEVEL=3.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=5.0 tests=BSF_SA_CLSFR_TRK1, MIME_DOC_AUTOOPEN
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.31671
    Rule breakdown below
     pts rule name description
    ---- ---------------------- --------------------------------------------------
    2.50 MIME_DOC_AUTOOPEN Custom Rule MIME_DOC_AUTOOPEN
    0.00 BSF_SA_CLSFR_TRK1 Custom Rule BSF_SA_CLSFR_TRK1

 
VIRUS TOTAL REPORT:
 
Antivirus   Result                        Update
Baidu       VBA.Trojan-Dropper.Agent.lm   20160801
F-Secure    Trojan:W97M/Nastjencro.A      20160801
Qihoo-360   virus.office.gen.75           20160801
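
The headers quoted in the post above show the message scoring 2.50 against KILL_LEVEL=5.0, so MIME_DOC_AUTOOPEN fired but never reached a blocking threshold. The following is an added example, not part of the thread and not a Barracuda feature: a check that a downstream mail filter or triage script could run on the gateway's stamped headers, acting on the rule name rather than the total score. The function names `triggered_rules` and `verdict` and the sample envelope are assumptions; the header values are the ones quoted above.

```python
import re
from email import message_from_string

# "<pts> <RULE_NAME>" rows of the rule breakdown; the lookbehind skips the
# dotted "rules version" number on the first line of the header.
RULE_ROW = re.compile(r"(?<![\d.])(\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\b")

# Constructed message: header values copied from the post above, wrapped in a
# minimal envelope with placeholder addresses.
FLAGGED = """\
From: sender@example.com
To: user@example.org
Subject: constructed sample
X-Barracuda-Spam-Score: 2.50
X-Barracuda-Spam-Status: No, SCORE=2.50 using global scores of TAG_LEVEL=3.0 QUARANTINE_LEVEL=1000.0 KILL_LEVEL=5.0 tests=BSF_SA_CLSFR_TRK1, MIME_DOC_AUTOOPEN
X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.3.31671
    Rule breakdown below
     pts rule name description
    ---- ---------------------- --------------------------------------------------
    2.50 MIME_DOC_AUTOOPEN Custom Rule MIME_DOC_AUTOOPEN
    0.00 BSF_SA_CLSFR_TRK1 Custom Rule BSF_SA_CLSFR_TRK1

body
"""
# Constructed counterpart in which only the tracking rule fired.
CLEAN = (FLAGGED
         .replace("    2.50 MIME_DOC_AUTOOPEN Custom Rule MIME_DOC_AUTOOPEN\n", "")
         .replace(", MIME_DOC_AUTOOPEN", "").replace("2.50", "0.00"))

def triggered_rules(raw: str) -> dict:
    """Map each rule named in the gateway headers to its points (0.0 if unlisted)."""
    msg = message_from_string(raw)
    rules = {}
    # get_all reads every instance of a header, not only the first one.
    for status in msg.get_all("X-Barracuda-Spam-Status", []):
        m = re.search(r"tests=(.*)", status, re.S)
        for name in re.findall(r"[A-Z][A-Z0-9_]+", m.group(1) if m else ""):
            rules.setdefault(name, 0.0)
    for report in msg.get_all("X-Barracuda-Spam-Report", []):
        for pts, name in RULE_ROW.findall(report):  # folded lines are handled by \s+
            rules[name] = max(rules.get(name, 0.0), float(pts))
    return rules

def verdict(raw: str, block=frozenset({"MIME_DOC_AUTOOPEN"})):
    """Quarantine on any listed rule, whatever the total score."""
    hits = sorted(block.intersection(triggered_rules(raw)))
    return ("quarantine", hits) if hits else ("deliver", [])

if __name__ == "__main__":
    print(verdict(FLAGGED), verdict(CLEAN))
```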


#54 Jaybone

Jaybone
  • Members
  • 116 posts

Posted 03 August 2016 - 09:42 AM

--------------

Version 8.0.0.003
 
Mail Processing
 
Improved attachment filtering/detection. [BNSF-25491]
-----------------
 
 
Is this, by any chance, what we've been waiting for?


#55 mheller

mheller

    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 03 August 2016 - 12:10 PM

Hi Jaybone,

No it is not






#56 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 03 August 2016 - 12:11 PM

> Hi Jaybone,
>
> No it is not

 

any word on when? this is a critical hole in the appliance. thanks!  :)



#57 Kristina M

Kristina M
  • Members
  • 22 posts

Posted 03 August 2016 - 12:58 PM

I see they are focusing on Office product based Macros; PDF based Macros/Adobe need to also be addressed.  If you have a corporate network server or utilize a group policy the Office suite can be addressed outside of the firewall but there is no easy way to address PDF based docs with a policy via Adobe. 

 

All doc types need to be considered.



#58 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 04 August 2016 - 03:47 PM

> I see they are focusing on Office product based Macros; PDF based Macros/Adobe need to also be addressed.  If you have a corporate network server or utilize a group policy the Office suite can be addressed outside of the firewall but there is no easy way to address PDF based docs with a policy via Adobe.
>
> All doc types need to be considered.

 

i looked into this, i disabled macros at a group policy level but it broke a bunch of legitimate files with macros, short of implementing a complex trusted doc scenario i really want to just block macros inbound on emails. (and yes i agree, block malicious PDF as well!)



#59 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 19 August 2016 - 09:08 AM

any updates?



#60 Kevin

Kevin
  • Members
  • 2 posts

Posted 02 September 2016 - 09:41 AM

Any update on this topic, we are getting hammered lately. I made the suggested change to up the size of the scanned messages, but I would love to be able to block these documents from coming in.

 

has anyone just blocked .docm files with success? 

 

Thanks
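
On the question of blocking by file extension: the following is an added example, not from the thread or from Barracuda, of a content-based check for ZIP-based Office attachments (.docx, .docm, .dotm and their Excel/PowerPoint counterparts) that looks for a VBA project part or a macro-enabled content type regardless of the filename. The function names and the constructed sample containers are assumptions; legacy .doc files are OLE2 compound files and need a different parser, so this covers only the OOXML case.

```python
import io
import zipfile

def ooxml_macro_indicators(data: bytes) -> list:
    """Return reasons an OOXML attachment looks macro-enabled ([] if none)."""
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return []  # not a ZIP container, so not OOXML (legacy .doc is OLE2)
    reasons = []
    with zipfile.ZipFile(buf) as z:
        # Macro-enabled packages carry the VBA project as a vbaProject.bin part.
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                reasons.append("vba part: " + name)
        try:
            types = z.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            types = ""
        # e.g. application/vnd.ms-word.document.macroEnabled.main+xml
        if "macroenabled" in types.lower():
            reasons.append("macro-enabled content type")
    return reasons

def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal container; the VBA part holds placeholder bytes, not real VBA."""
    main = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" '
                   'ContentType="%s"/></Types>' % main)
        z.writestr("word/document.xml", "<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder")
    return buf.getvalue()

def should_block(filename: str, data: bytes) -> bool:
    # The decision rests on content; the filename is accepted only for logging.
    return bool(ooxml_macro_indicators(data))

if __name__ == "__main__":
    print(should_block("invoice.docx", build_sample(True)),
          should_block("report.docm", build_sample(False)))
```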