Mail security Office file with macro

[Guillaume Chartrand 0]

Hi, I search a way to fine tune the Mail security function.

We have a lot of spam email with fraudulent bill in Word format. So I activate the rule "block attached office file with macro" for protection transport role. The rule is going great, but maybe too great. Good office document, emailed with validated sender is also blocked. But if I uncheck the rule, some of  the fraudulent bill came and the mail security doesn't seems to clean it. We receive it in our mailbox and it's the local anti-virus who detect the virus inside the Word document.

In the mail security log, the server seems to clean the file and send it, but at the end, the file isn't clean.

How can I resolve that? Can we make a rule that if the sender is in a white list, don't block the office file with macro?

 

Thanks

 

[Marcos 5,070]

Perhaps Dynamic Threat Defense (EDTD) would be an ideal solution for you. As of EMSX v7, documents with macros can be submitted to the EDTD sandbox where the file is opened and the behavior is monitored. Besides that, the file is evaluated by Augur (ESET's machine learning system) and the result is returned to EMSX which will deal with the email accordingly.

It is possible to configure EDTD to delete analyzed documents immediately after analysis or after some time.

[filips 44]

Hi Guillaume,

[apart from using EDTD]
to disable the rule for certain users, you can update the default rule with new condition. You could add "Sender is not one of {list of whitelisted senders}" or "Sender's IP address is not one of {list of whitelisted IPs}" etc.

20 hours ago, Guillaume Chartrand said:

In the mail security log, the server seems to clean the file and send it, but at the end, the file isn't clean. 

This shouldn't happen, but we need some diagnostic data to examine the issue - you could contact customer care for further assistance.

Edited September 12, 2018 by filips