pronto, posted January 30, 2020:

Servus Community, is it possible to set up ESET to remove any macro in Office documents, whether a virus is found or not? So don't delete the Office document itself, just remove the macro?

Background: Yesterday at 10:50 we received an email with an Office Word document, sent to a mailing list, and in this email was a macro with a trojan downloader. Upon receipt, ESET did not classify this email as suspicious. In the afternoon around 15:00 the virus was detected in the Word document and removed by ESET. In the four hours in between, a lot happened to this email, including it being opened several times. Fortunately, we have configured additional policies in Microsoft Office that prevent the execution of macros, but this only affects local PCs. But if we forward this email to a business partner who has not set such policies, he will receive a virus from us.

Before we switched to ESET, we had Trend Micro, and there you could enable an option that removed any macro from Office documents and still delivered the safe document. No one needs macros, and if they do, we'll find a solution. Can we configure ESET to do that?

Thx & Bye Tom
Nightowl (Most Valued Member), posted January 30, 2020:

From Office settings you can disable macros so they cannot be run at all: https://support.office.com/en-us/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6

By doing that you can be at ease that the macros cannot be run, and there is also an option to block them and not notify you to unblock once there is a macro.

About sending to others: scan the files before you send them to someone else, or if you run your own mail gateway there should be a scanner that does this job for you, like ESET Mail Security.

For your endpoints you can also enable the Document protection that ESET offers; you can read about that here: https://help.eset.com/ees/7/en-US/idh_config_dmon.html

> Document protection
> The Document protection feature scans Microsoft Office documents before they are opened, as well as files downloaded automatically by Internet Explorer such as Microsoft ActiveX elements. Document protection provides a layer of protection in addition to Real-time file system protection, and can be disabled to enhance performance on systems that do not handle a high number of Microsoft Office documents. To activate Document protection, open the Advanced setup window (press F5) > Detection engine > Malware scans > Document protection and click the Integrate into system switch.
pronto (author), posted January 30, 2020, replying to Rami:

> From Office settings you can disable macros so they cannot be run at all: https://support.office.com/en-us/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6

Servus Rami, yes, I know that this can be disabled in Office and we have enabled this policy, but it only applies to the computers in our organization. But if we accidentally forward this email to an external business partner, they will receive an infected email from us as the sender. This would be negative, because I can't make sure that the business partner has secured his infrastructure to that depth, and we are the sender of the virus.

Thx & Bye Tom
Nightowl (Most Valued Member), posted January 30, 2020, replying to pronto:

> Servus Rami, yes, I know that this can be disabled in Office and we have enabled this policy, but it only applies to the computers in our organization. [...]

Hey Tom, have you checked the Document protection feature in ESET? If I am not mistaken, it's disabled by default; you can enable it from the ESET settings, and that will bring extra protection from documents.
pronto (author), posted January 30, 2020, replying to Rami:

> Have you checked the Document protection feature in ESET?

Servus Rami, I'm afraid none of this would have helped, because ESET did not know about the virus at 11:00, and only at 15:00 was a pattern added which recognized the virus. We only noticed this because we have three Exchange servers but only one of them accepts emails from outside, yet the virus was only found four hours later on the two internal mail servers where the databases are running. ESET Mail Security is installed on all three servers. Normally only the first mail server finds viruses and spam, and the other two usually don't even notice how evil the world outside is.

Thx & Bye Tom
Marcos (Administrator), posted January 30, 2020:

Actually, this is what ESET Dynamic Threat Defense is highly effective at. With EDTD, when an email is received and scanned by ESET for MS Exchange, for instance, delivery can be delayed a bit until the attachment is replicated and evaluated in the EDTD cloud environment. That way even malicious documents can be detected as soon as they start to propagate via spammed emails.

Currently it is not possible to remove the macro from documents in case it is not detected. However, you can create a transport agent rule that will move all documents with active content (macros) to mail quarantine (https://help.eset.com/emsx/7.1/en-US/idh_config_mailserver_rules.html).
Nightowl (Most Valued Member), posted January 30, 2020, replying to pronto:

> Servus Rami, I'm afraid none of this would have helped, because ESET did not know about the virus at 11:00, and only at 15:00 was a pattern added which recognized the virus. [...]

Argh, we are talking about 0-day threats that ESET didn't detect at the first moment. I guess that answer needs ESET staff; I have never used Mail Security before and I don't know if the machine learning modules are in there (I believe they are), but I don't know if it has the same settings as Endpoint or File Security.

I believe that a sandbox will improve your situation: unknown document is sent > it's analyzed in a sandbox > if it has made malicious changes > quarantine/remove > if not > pass. This is it: https://www.eset.com/int/business/dynamic-threat-defense/
M.K. (ESET Staff), posted January 30, 2020:

Hi Tom, in Mail Security there is an option to define a custom rule to move all emails containing macro-enabled Office documents to quarantine. You need to define an Attachment type condition and mark "Microsoft Office Macro-Enabled Document (97-2003)", "Microsoft Word Macro-Enabled (2007+) (*docm, *dotm)", etc.

Matej
M.K. (ESET Staff), posted May 27, 2020:

Hi, a quick update to this older thread. With the upcoming update of the Archive support module (v1303, currently on pre-release servers) it should now be possible to remove macros from Office documents in incoming emails, even in previously released Mail Security products. If you define a custom rule with an Attachment type condition, select "Office files/Generic OLE2 Compound Document", and choose Quarantine attachment (or Delete attachment) as the action, Office documents will be delivered without any macros.

Note: you can of course combine additional conditions in the rule to target it at specific groups or types of emails.

Matej
pronto (author), posted May 27, 2020, replying to M.K.:

> With the upcoming update of the Archive support module (v1303, currently on pre-release servers) it should now be possible to remove macros from Office documents in incoming emails, even in previously released Mail Security products.

Servus Matej, this is interesting news. Thank you for being so careful and giving feedback after such a long time. I don't know where I can look up in the Security Management Center what we actually use, but according to the description of an article in your knowledge base I found it on my client, and I would consider the German translation to be related to "Archivunterstützungsmodul". It seems to be available in version 1302 and seems to be from 05.05 (please note the attached screenshot). The updates seem to come automatically. Such an unremarkable update unlocks such a fundamental function? Probably only the object type OLE is added, which addresses the macro as an embedded object. We will test it as soon as it is available; it would be something we have sadly missed so far.

Thx a lot & Bye Tom
pronto (author), posted June 22, 2020, replying to M.K. (May 27, 2020, 1:01 PM):

> [...] With the upcoming update of the Archive support module (v1303, currently on pre-release servers) it should now be possible to remove macros from Office documents in incoming emails, even in previously released Mail Security products. If you define a custom rule with an Attachment type condition, select "Office files/Generic OLE2 Compound Document", and choose Quarantine attachment (or Delete attachment) as the action, Office documents will be delivered without any macros. [...]

Servus Matej, I could not follow your instructions step by step. I have underlined the parameters I consider necessary in your mail. However, I have not found the parameter 'Incoming email'. Here are the steps I have now set; could you please check whether this is correct and whether it meets our requirements?

1. Create a new policy (Product: ESET Mail Security for Microsoft Exchange (V6+))
2. Settings -> Server -> Rules
3. Mail Transport Protection -> Edit -> Add
4. Condition type -> Office Files -> Other Files -> Generic OLE2 Compound Document
5. Action type: Quarantine attachment
6. Apply the policy in the mail-server related group (not done yet, waiting for clearance)

Thx in advance & Bye Tom
pronto (author), posted June 24, 2020, replying to M.K. (May 27, 2020, 1:01 PM):

> If you define a custom rule with an Attachment type condition, select "Office files/Generic OLE2 Compound Document", and choose Quarantine attachment (or Delete attachment) as the action, Office documents will be delivered without any macros.

Servus Matej, no, the rule does not work as expected. The entire attachment is still being moved to quarantine. The modules are all updated to current versions.
itman, posted June 24, 2020, replying to pronto:

> No, the rule does not work as expected. The entire attachment is still being moved to quarantine.

Do you expect ESET just to remove the macro code and leave the attachment as is? I don't know of any security solution that can do that.
Marcos (Administrator), posted June 24, 2020, replying to itman:

> Do you expect ESET just to remove the macro code and leave the attachment as is? I don't know of any security solution that can do that.

ESET Mail Security can do that. I'll leave this for M.K. to answer, since he's a developer of EMSX.
pronto (author), posted June 24, 2020, replying to itman:

> Do you expect ESET just to remove the macro code and leave the attachment as is? I don't know of any security solution that can do that.

Yes, this is what Matej announced a few posts before.

Thx & Bye Tom
pronto (author), posted June 24, 2020, replying to Marcos:

> ESET Mail Security can do that. I'll leave this for M.K. to answer, since he's a developer of EMSX.

Thank you, I appreciate that.
pronto (author), posted June 25, 2020:

Servus Marcos, I opened a support ticket. For everyone who is interested and has access to the submitted data, the ticket number is CASE_00092770.

Thanks for your attention & Bye Tom
pronto (author), posted July 1, 2020:

Servus Community, we have received feedback from support. Removing macros from Office documents only works for Office documents that are newer than or, AFAIR, equal to version 2007. Below these versions, ESET cannot unzip the Office document to remove the macro, and the entire document is then moved to quarantine. This is a bit of a pity, because it would be a significant increase in security, but it has a high error potential. Since this feature was introduced only a few weeks ago, there is still hope that it might be adjusted.

Thx & Bye Tom
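The format boundary that support described to Tom (macros can be cut out of 2007+ documents because they are ZIP packages, but not out of 97-2003 binaries, which are OLE2 compound documents) can be seen directly in code. The script below is an added example written for this thread; it is not ESET Mail Security code and makes no claim about how the Archive support module works internally. It uses only the Python standard library, builds a constructed minimal macro-enabled .docm in memory (with a dummy blob in place of a real vbaProject.bin), classifies an attachment by its magic bytes and package contents, strips the VBA part together with the relationship and content-type entries that point at it, and rejects OLE2 files, which in a mail rule would have to be quarantined whole, exactly as Tom observed. The function and helper names are this example's own.

```python
"""Detect and strip VBA macros from Office attachments, standard library only.
Added example for the thread above, not ESET code. OOXML (2007+) files are ZIP
packages, so the VBA part can be removed; OLE2 (97-2003) files cannot be unpacked."""
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # CFBF signature of every 97-2003 document
VBA_PART_RE = re.compile(r"vbaproject|vbadata", re.I)  # vbaProject.bin, its .rels, vbaData.xml

# Macro-enabled main-part content types and the plain types they demote to.
MAIN_PART_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml":
        "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml",
}
EXT_MAP = {"docm": "docx", "dotm": "dotx", "xlsm": "xlsx", "xltm": "xltx", "pptm": "pptx", "potm": "potx"}


def part_names(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def read_text_part(data: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name).decode("utf-8")


def classify(data: bytes) -> str:
    """Return 'ole2', 'ooxml-macro', 'ooxml-clean' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if not data.startswith(b"PK\x03\x04"):
        return "other"
    try:
        names = part_names(data)
    except zipfile.BadZipFile:
        return "other"
    if "[Content_Types].xml" not in names:
        return "other"
    return "ooxml-macro" if any(VBA_PART_RE.search(n) for n in names) else "ooxml-clean"


def strip_macros(data: bytes) -> bytes:
    """Copy the package without its VBA parts and the entries that reference them."""
    kind = classify(data)
    if kind == "ole2":
        raise ValueError("OLE2 (97-2003) document: cannot unpack, quarantine the whole file")
    if kind != "ooxml-macro":
        return data
    # Any <Default>, <Override> or <Relationship> element that names a VBA part.
    vba_element = r"<(?:Default|Override|Relationship)\b[^>]*?(?:vbaProject|vbaData)[^>]*/>"
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            name = item.filename
            if VBA_PART_RE.search(name):
                continue                                   # the macro container itself
            body = src.read(name)                          # everything else is copied as-is
            if name == "[Content_Types].xml" or name.lower().endswith(".rels"):
                text = re.sub(vba_element, "", body.decode("utf-8"), flags=re.I)
                for macro_type, plain_type in MAIN_PART_TYPES.items():
                    text = text.replace(macro_type, plain_type)   # .docm main part -> .docx
                body = text.encode("utf-8")
            dst.writestr(name, body)
    return out.getvalue()


def stripped_name(filename: str) -> str:
    """Rename the attachment so its extension matches the now macro-free content type."""
    stem, _, ext = filename.rpartition(".")
    return f"{stem}.{EXT_MAP[ext.lower()]}" if stem and ext.lower() in EXT_MAP else filename


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled .docm; vbaProject.bin is a dummy blob, not malware."""
    ct_ns = "http://schemas.openxmlformats.org/package/2006/content-types"
    rel_ns = "http://schemas.openxmlformats.org/package/2006/relationships"
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{ct_ns}">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/>'
            '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
            '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "_rels/.rels": f'<Relationships xmlns="{rel_ns}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
            'Target="word/document.xml"/></Relationships>',
        "word/document.xml": '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            '<w:body><w:p><w:r><w:t>Invoice attached.</w:t></w:r></w:p></w:body></w:document>',
        "word/_rels/document.xml.rels": f'<Relationships xmlns="{rel_ns}"><Relationship Id="rId1" '
            'Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" '
            'Target="vbaProject.bin"/></Relationships>',
        "word/vbaProject.bin": OLE2_MAGIC + b"\x00" * 64,   # real ones are OLE2 containers too
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

Two practical points follow from this. First, the stripped package must also be renamed (stripped_name turns invoice.docm into invoice.docx), because Office ties the extension to the main-part content type and may refuse a file whose extension and content type disagree. Second, the regex over package XML is adequate for the fixed vocabulary of [Content_Types].xml and .rels parts in this example; a gateway implementation should parse the XML properly and should treat the OLE2 case as "quarantine the whole attachment", which is the behaviour Tom saw from the Mail Security rule.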