mlltech
-
Posts
3 -
Joined
-
Last visited
Posts posted by mlltech
-
-
On 10/21/2020 at 3:00 PM, Marcos said:
Please provide us with more information about the malware that goes undetected through ESET. Is it executables? Office documents? HTML files or some other kind of files? Have you considered trying out ESET Dynamic Threat Defense for automated replication of received files in ESET's cloud sandbox?
As for the other queries, I'll leave them to @filipsor @M.K. to respond.
It's an xls file, containing a macro. It seems to be detected now (trojandownloader something).
-
On 9/25/2020 at 10:14 AM, filips said:
Hi raimund,
Attachment type rules are evaluated on all files in archives - zipped document with macro will be caught by the rule (unless it's password protected).
Rules support only comparing of static strings so it is not possible to compare From: and Return-Path: headers. Not a perfect solution, but something like this should do the job:
From Header - display name contains one of [@customer1.com, @customer2.com]
Message headers do not match regular expression "\nReply-To: .*(@customer1.com|customer2.com)"Excuse me, but that's not very useful. What if the spammer/spoofer uses a different email every day? We can't simply add manually rules everyday, or add all the domains we interact with to different rules.
I've exactly the same problem as raimund. Malicious attachments undetected by ESET and many other vendors (they get detected after few days), with the from address spoofed (reply-to is another address, similar to the spoofed one).
Isn't there anything else that can be done? I've already configured rules to quarantine all emails with macros-enabled attachments, but I got one today that contains a malicious Excel in xls format, not xlsm. It's not possible to simply quarantine all emails that include a xls file
How to deal with display name spoofing, when contains right mailadress also in reply, but "name@abc.com" is different
in ESET Products for Windows Servers
Posted
Yes, we have this enabled, but more important that a file going undetected is the fact that spoofers can bypass all filters. From my original message:
"What if the spammer/spoofer uses a different email every day? We can't simply add manually rules everyday, or add all the domains we interact with to different rules."
Regards