Guillaume Chartrand
Posted September 11, 2018

Hi,

I am searching for a way to fine-tune the Mail security function. We have a lot of spam emails with fraudulent bills in Word format. So I activated the rule "block attached office file with macro" for the protection transport role. The rule is going great, but maybe too great. Good Office documents, emailed by validated senders, are also blocked. But if I uncheck the rule, some of the fraudulent bills come through and the mail security doesn't seem to clean them. We receive them in our mailbox and it's the local anti-virus that detects the virus inside the Word document.

In the mail security log, the server seems to clean the file and send it, but at the end, the file isn't clean.

How can I resolve that? Can we make a rule so that if the sender is in a whitelist, the Office file with macro isn't blocked?

Thanks

Marcos (Administrators)
Posted September 11, 2018

Perhaps Dynamic Threat Defense (EDTD) would be an ideal solution for you. As of EMSX v7, documents with macros can be submitted to the EDTD sandbox where the file is opened and the behavior is monitored. Besides that, the file is evaluated by Augur (ESET's machine learning system) and the result is returned to EMSX which will deal with the email accordingly.

It is possible to configure EDTD to delete analyzed documents immediately after analysis or after some time.

filips (ESET Staff)
Posted September 12, 2018 (edited)

Hi Guillaume,

[apart from using EDTD] to disable the rule for certain users, you can update the default rule with a new condition. You could add "Sender is not one of {list of whitelisted senders}" or "Sender's IP address is not one of {list of whitelisted IPs}" etc.

20 hours ago, Guillaume Chartrand said:
> In the mail security log, the server seems to clean the file and send it, but at the end, the file isn't clean.

This shouldn't happen, but we need some diagnostic data to examine the issue - you could contact customer care for further assistance.

Edited September 12, 2018 by filips