Jump to content


Photo

Blocking .doc/.docx with Macros?

macros doc docx vba

  • Please log in to reply
140 replies to this topic

#101 MarcusW

MarcusW
  • Members
  • 6 posts

Posted 10 November 2016 - 08:52 AM

On our barracuda version 8.0.1.001 shows up as early release withe the following changelog entry:

 

Enhancement: Mail with Microsoft Office attachments that contain macros can be blocked. [BNSF-23786]

 

B)

Weird.  Hopefully I get it tomorrow or sometime soon.



#102 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 10 November 2016 - 10:19 AM

not showing up on ours yet



#103 Darryl

Darryl
  • Members
  • 9 posts

Posted 10 November 2016 - 01:59 PM

Good news!  But not showing up here yet either.



#104 Jaybone

Jaybone
  • Members
  • 125 posts

Posted 10 November 2016 - 03:11 PM

Same.  We're on 8.0.0.007, and had 8.0.0.007 showing up as both latest GR and latest ER for many weeks.  Latest ER has changed to blank since last I checked (Tuesday?) so hopefully something will kick over soon.



#105 Darryl

Darryl
  • Members
  • 9 posts

Posted 10 November 2016 - 04:47 PM

I opened a support case, and they released the new firmware to our boxes.

 

I did one test with a Word doc.

 

Misc:

The option appears under attachment filters.  The only option is to block.

The sender gets a 554 notice.

If the sender is whitelisted, it still gets blocked.  Per-user anyway.

I am able to deliver the blocked message.

The reason in the message log is "Office Macros..."



#106 rootNWD

rootNWD
  • Members
  • 21 posts

Posted 11 November 2016 - 04:00 AM

We tested with an Excel XLS.

 

Sender will get this returned mail:

 

(reason: 554 rejected due to banned file attachment content)

<<< 554 rejected due to banned file attachment content

554 5.0.0 Service unavailable
Arrival-Date: Fri, 11 Nov 2016 16:46:04 +0800
Action: failed
Status: 5.0.0
Diagnostic-Code: SMTP; 554 rejected due to banned file attachment content
 
Barracuda will see this:
Time: 2016-11-11 16:46:04
Action: Blocked Reason: Office Macros (Heuristics.OLE2.ContainsMacros)

 

X-Barracuda-Macros-Alert: Message contains macros
X-Barracuda-BRTS-Status: 1



#107 Kristina M

Kristina M
  • Members
  • 22 posts

Posted 11 November 2016 - 10:19 AM

Was this strictly programmed for office only docs; or was there a provision for PDF docs also?



#108 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 11 November 2016 - 10:51 AM

does not appear to block pdfs.

 

this is the new setting:

 

Block Macros (MS Office Attachments):  Yes ​No ​

When enabled, macros in Microsoft Office attachments are always blocked.Recommended: No


#109 Kristina M

Kristina M
  • Members
  • 22 posts

Posted 11 November 2016 - 11:00 AM

Barracuda,

 

This needs to be inclusive of PDF documents as well.  Is there any provision for the additional document type to be considered with the future enhancement?



#110 Darryl

Darryl
  • Members
  • 9 posts

Posted 15 November 2016 - 09:52 AM

Are we the only ones finding Email with select business partners that contain valid attachments with macros?

 

It doesn't seem like there's any way to whitelist for this.

 

So I need to choose between blocking all macros and trolling through the message log twice a day, or go back to letting everything through.



#111 Aaron Sheard

Aaron Sheard
  • Members
  • 99 posts

Posted 15 November 2016 - 09:58 AM

there should be a way to override by adding trusted domains to sender filters? that doesnt work?



#112 David Wagner

David Wagner
  • Members
  • 16 posts

Posted 17 November 2016 - 08:08 AM

and PLEASE add the option to block attachments per domain. and not just one global setting!



#113 MarcusW

MarcusW
  • Members
  • 6 posts

Posted 17 November 2016 - 08:44 AM

I called Barracuda and request the early release a couple of days ago.  I installed it yesterday and kicked it on.  So far it seems to be working well.  I wish there were more controls, but I'll take what I can get at this point.



#114 degolorg

degolorg
  • Members
  • 32 posts

Posted 30 November 2016 - 02:59 PM

Just installed this... is there no option to quarantine these messages rather than blocking them?



#115 degolorg

degolorg
  • Members
  • 32 posts

Posted 01 December 2016 - 11:09 AM

Had to disable the option.  Until we can set it to Quarantine vs Block, and disable for outgoing emails it already caused more headaches than it solved.  Hoping for an updated version soon!



#116 Chris Hogan

Chris Hogan
  • Members
  • 37 posts

Posted 06 December 2016 - 12:09 PM

I was excited to see it in the release notes but I already had to turn it off.  I NEED the option to exempt specific trusted email addresses and/or domains.  



#117 Jaybone

Jaybone
  • Members
  • 125 posts

Posted 06 December 2016 - 03:26 PM

I was excited to see it in the release notes but I already had to turn it off.  I NEED the option to exempt specific trusted email addresses and/or domains.  

 

This++

 

E.g. we have a vendor (utility company, so we kinda have to play by their rules, as they're the only game in town) who requires a monthly report be sent to them, via email, in xlsm format.  So I can't block everything, I have to at the very least allow outbound to one domain.  Heck, even just letting us apply it only to inbound mail would be at least half usable.



#118 Pete

Pete
  • Members
  • 1 posts

Posted 07 December 2016 - 11:35 AM

Count me in... we really need a way for white listed addresses/domains to bypass this check.



#119 RoadKingRick

RoadKingRick
  • Members
  • 1 posts

Posted 09 December 2016 - 02:24 PM

I can't agree more with the angst and frustrations these users are experiencing.

The primary reason I sought a third party solution, (and decided on Barracuda) was the inability of the "built in" solutions on my mail server to handle the job. I had been quite happy until this past year when we too got hit with not one but two ransomware attacks. (Maintain good backups, people!)

 

Simply blocking ALL macro enabled attachments outright is not an acceptable solution. Perhaps it would help if more programmers and developers got out there in the real world to better understand just what kinds of real life situations we are facing out here. More and more of our customers are using macro enabled documents as a regular course of doing business, and we cannot tell a customer the likes of Walmart (or any other customer for that matter) that we cannot accept their required documents because our email filtering software has an all or nothing policy.  We need to selectively allow certain attachments by sender. And, yes of COURSE I understand the risks of whitelisting a sender's domain, as an employee there could become infected and inadvertently send us malicious attachments. But whitelisting should not eliminate attachment filtering altogether, it should just be a first line of defense, and would severely curtail these types of threats.



#120 Andy

Andy
  • Members
  • 5 posts

Posted 14 December 2016 - 03:58 AM

The Problem is (in our case with MS office documents) you got two types (for example in word) *doc(x) (the default worddoc) and there is *docm (macro contained docs). Why is still possible to use macros (just my opinion) in default docs and not just in documents which are explicit meant for macros or do I just (as a non developer/script programmer) just really missed something?

 

From my point of view the question should be why do some senders never elevate their documents to the standard filetype as they should be and why does microsoft not permit the usage of macros in documenttypes where the shouldn't be anymore (MS obviously had some plan why else do I have a several filetype in office which indicates a macro). Under this aspect Barracuda could've done it better but it is not that bad, so it's not really fair just to point on your security solutions provider just because you can't take that much influence on your mailpartners like you need. This post is no offense just hint to make one step back to get a better view on the hole picture ;-)