
Blocking Macros in Office documents, clamav,

macros office clamav

8 replies to this topic

#1 Toby Simmons

  • Members
  • 5 posts

Posted 20 June 2016 - 12:25 PM

Since you already use ClamAV, can't you just expose the OLE2BlockMacros setting which does just that, block all Office documents with macros embedded?

 

I see that there have been requests for blocking Office documents with macros for nearly a year; is there something that can be done quickly to make this an option?

 

Thanks &

Cheers,

 

Toby



#2 mheller


    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 20 June 2016 - 01:02 PM

We're actually looking to implement that on an upcoming release, stay tuned!



Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#3 mheller


    Nobody

  • Moderators
  • 1,299 posts
  • Location: San Jose, CA

Posted 20 June 2016 - 01:03 PM

 

A temp work around is to use Attachment Filters for *.vba & *.vbs with Archive enabled, to name a couple.

xlsx and docx are considered Archives and having vba/vbs macros will trigger the Action specified.






#4 Jaybone

  • Members
  • 125 posts

Posted 21 June 2016 - 09:51 AM

 

A temp work around is to use Attachment Filters for *.vba & *.vbs with Archive enabled, to name a couple.

xlsx and docx are considered Archives and having vba/vbs macros will trigger the Action specified.

 

 

No.  This does not work.  That's been suggested here multiple times, and as far as I've seen it has worked for nobody, and does not work for us.



#5 Gary Adams

  • Members
  • 2 posts

Posted 29 June 2016 - 03:41 PM

Also, we need to stop these macros or .js attachments even if the sender is on the whitelist.  If I say that I never want a .js attachment, that's what I mean.  It is terrible that a sender being on the whitelist is able to send cryptomalware .js files right past barracuda, because the whitelist supersedes the attachment rules.  Yes, I know you have virus scanning on everything, but when barracuda bypasses attachment rules, bad stuff gets in.  "Well, then don't put the senders on the whitelist" is not the right answer.  I never, ever, want a .js attachment.  It is pathetic that I can't enforce that rule always, globally, no exceptions, with barracuda.



#6 Aaron Sheard

  • Members
  • 99 posts

Posted 19 September 2016 - 01:52 PM

We're actually looking to implement that on an upcoming release, stay tuned!

We've been staying tuned for a while now. Any update from Barracuda on when we can expect firmware that can block macro-enabled Word docs?

 

https://community.ba...h-macros/page-4



#7 David Wagner

  • Members
  • 16 posts

Posted 22 September 2016 - 03:33 AM

And it would be great if this were possible as a domain-level configuration and not global!



#8 Aaron Sheard

  • Members
  • 99 posts

Posted 03 October 2016 - 11:39 AM

Another firmware update over the weekend and STILL VBA macros are making it to the endpoint.

 

Detection time(UTC time): 10/3/2016 1:21:54 PM Malware file path: containerfile:_C:\Users\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\LJO7HF34\Receipt 88142-148251.doc;file:_C:\Users\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\LJO7HF34\Receipt 88142-148251.doc->word/vbaProject.bin

 

When can we expect this to be fixed??
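
Added example (not part of the thread, and not Barracuda or ClamAV code): the detection in post #8 names the macro as word/vbaProject.bin inside a file called .doc, so a check has to look at the container's content rather than at attachment or member extensions such as .vba/.vbs. The Python below does that for ZIP-based Office files and, as a labelled heuristic, for legacy OLE2 files; find_vba, make_ooxml and all sample data are names and inputs constructed for illustration.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # compound-file (legacy .doc/.xls) header
VBA_STREAM_UTF16 = "_VBA_PROJECT".encode("utf-16-le")  # stream name as stored in an OLE2 directory


def find_vba(data: bytes):
    """Return where a VBA project was found in the attachment bytes, or None.

    The verdict depends only on content, never on the attachment's file name.
    """
    if data.startswith(OLE2_MAGIC):
        # Heuristic (assumption): raw search for the directory entry name
        # instead of a full compound-file parse.
        return "OLE2:_VBA_PROJECT" if VBA_STREAM_UTF16 in data else None
    if zipfile.is_zipfile(io.BytesIO(data)):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    # Match the member's base name, whatever folder it sits in.
                    if name.rsplit("/", 1)[-1].lower() == "vbaproject.bin":
                        return "OOXML:" + name
        except zipfile.BadZipFile:
            return "unreadable-archive"  # report it, do not pass it silently
    return None


def make_ooxml(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-style ZIP in memory (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\0" * 8 + VBA_STREAM_UTF16)
    return buf.getvalue()


# Constructed samples: (attachment name, bytes). The names are deliberately misleading.
SAMPLES = [
    ("Receipt.doc", make_ooxml(with_macro=True)),
    ("report.docx", make_ooxml(with_macro=False)),
    ("legacy.doc", OLE2_MAGIC + b"\0" * 504 + VBA_STREAM_UTF16),
    ("notes.txt", b"plain text"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        print(f"{name:12} -> {find_vba(data) or 'no VBA project found'}")
```

The first sample is a ZIP container carrying a .doc name, the same shape as the file in the detection above, and it is flagged by its member name alone.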



#9 Nicholas Palmer

  • Members
  • 20 posts

Posted 06 October 2016 - 10:32 AM

Can I add my support to Gary Adams' voice; there at least ought to be a global option to enable attachment filtering *even for whitelisted users*.  In general, I am only whitelisting at all because of false positives regarding the sender/address.  That *doesn't* mean that I trust everything that an external sender sends, merely that I don't want them to be blocked from sending all mail to us.  I still want to virus scan it, and I would still like to be able to scan for macros and so forth.