Remove any macro in Microsoft Office documents

[pronto 6]

Servus Community,

is it possible to setup ESET to remove any macro in Office documents, whether a virus is found or not? So don't delete the office document itself, just remove the macro?

Background: Yesterday we received an email at 10:50 with an Office Word document to a mailing list and in this email was a macro with a trojan downloader. Upon receipt, ESET did not classify this email as suspicious. In the afternoon around 15:00 the virus was detected and removed by ESET in the Word document. In the four hours in between, a lot has happened to this email, including it being opened several times. Fortunately, we have configured additional policies in Microsoft Office that prevent the execution of a macro, but this only affects local PCs. But if we forward this email to a business partner who has not set such policies, he will receive a virus from us.

Before we switched to ESET, we had Trend Micro and there you could enable an option that removed any macro from the Office documents and still delivered the safe document. No one needs macros and if they do, we'll find a solution.

Can we configure ESET to do that?

 

Thx & Bye Tom

Edited January 30, 2020 by pronto

[Nightowl 202]

From Office settings you can disable Macro so they cannot be run at all.

https://support.office.com/en-us/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6

By doing that you can be at ease that the Macros cannot be run and also there is an option to block them and not notify you to unblock once there is a macro.

And about sending to others , scan the files before you send them to someone else , or if you run your own mail gateway there should be a scanner that does this job for you like ESET Mail Security

And also for your endpoints you can also enable the Document Protection that ESET offer , you can read about that here : https://help.eset.com/ees/7/en-US/idh_config_dmon.html

 

 

Quote

 

Document protection

The Document protection feature scans Microsoft Office documents before they are opened, as well as files downloaded automatically by Internet Explorer such as Microsoft ActiveX elements. Document protection provides a layer of protection in addition to Real-time file system protection, and can be disabled to enhance performance on systems that do not handle a high number of Microsoft Office documents.

To activate Document protection, open the Advanced setup window (press F5) > Detection engine > Malware scans > Document protection and click the Integrate into system switch.

 

 

Edited January 30, 2020 by Rami

[pronto 6]

1 minute ago, Rami said:

From Office settings you can disable Macro so they cannot be run at all.

https://support.office.com/en-us/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6

Servus Rami,

yes, i know that this can be disabled in office and we have enabled this policy but it only applies to the computers in our organization. But if we accidentally forward this email to an external business partner, they will receive an infected email from us as the sender. This would be negative, because I can't make sure that the business partner has secured his infrastructure as well in that deep level, and we are the sender of the virus.

Thx & Bye Tom

 

 

[Nightowl 202]

Just now, pronto said:

Servus Rami,

yes, i know that this can be disabled in office and we have enabled this policy but it only applies to the computers in our organization. But if we accidentally forward this email to an external business partner, they will receive an infected email from us as the sender. This would be negative, because I can't make sure that the business partner has secured his infrastructure as well in that deep level, and we are the sender of the virus.

Thx & Bye Tom

 

 

Hey Tom,

Have you checked the Document Protection feature in ESET ?

If I am not mistaken , it's disabled by default , you can enable it from ESET Settings , that will bring extra protection from documents.

[pronto 6]

1 minute ago, Rami said:

Have you checked the Document Protection feature in ESET ?

Servus Rami,

I'm afraid none of this would have helped, because ESET did not know about the virus at 11:00 and only at 15:00 a pattern was inserted which recognized the virus. We only noticed this because we have three exchange servers but only one of them accepts emails from outside, but the virus was only found four hours later on the two internal mail servers where the databases are running. ESET Mail Security is installed on all three servers.

Normaly only the first mail server finds viruses and spam, and the other two usually don't even notice how evil the world outside is.

Thx & Bye Tom

[Marcos 5,074]

Actually this is where ESET Dynamic Threat Defense is highly effective at. With EDTD, when an email is received and scanned by ESET for MS Exchnage for instance, the delivery can be delayed a bit until the attachment is replicated and evaluated in the EDTD cloud environment. That way even malicious documents can be detected as soon as they start to propagate via spammed emails.

Currently it is not possible to remove the macro from documents in case it is not detected. However, you can create a transport agent rule that will move all documents with active content (macro) to mail quarantine (https://help.eset.com/emsx/7.1/en-US/idh_config_mailserver_rules.html).

[Nightowl 202]

10 minutes ago, pronto said:

Servus Rami,

I'm afraid none of this would have helped, because ESET did not know about the virus at 11:00 and only at 15:00 a pattern was inserted which recognized the virus. We only noticed this because we have three exchange servers but only one of them accepts emails from outside, but the virus was only found four hours later on the two internal mail servers where the databases are running. ESET Mail Security is installed on all three servers.

Normaly only the first mail server finds viruses and spam, and the other two usually don't even notice how evil the world outside is.

Thx & Bye Tom

Argh we are talking about 0-day threats that ESET didn't detect at the first moment , I guess that answer need an ESET staff, I have never used Mail Security before and I don't know if the Machine Learning modules are in there (I believe they are in) but I don't know if it's the same settings as Endpoint or like File Security.

I believe that a sandbox will improve your situation , unknown document is sent > it's analyzed in sandbox > if it has done malicious changes > quarantine/remove > if not > pass

This is it : https://www.eset.com/int/business/dynamic-threat-defense/

[M.K. 17]

Hi Tom,

in Mail Security there is an option to define a custom rule to move all emails containing macro-enabled office documents to quarantine. You need to define an Attachment type condition and mark "Microsoft Office Macro-Enabled Document (97-2003)", "Microsoft Word Macro-Enabled (2007+) (*docm, *dotm)", etc...

Matej

[M.K. 17]

Hi,

a quick update to this older thread.

With the upcoming update of the Archive support module (v1303, currently on pre-release servers) it should be now possible to remove macros from office documents in incoming emails, even in previously released Mail security products.

If you define a custom rule with Attachment type condition, select "Office files/Generic OLE2 Compound Document", and choose Quarantine attachment (or Delete attachment) as an action, Office documents will be delivered without any macros.

Note: you can of course combine additional conditions in the rule to target it to specific groups or types of emails.

Matej

[pronto 6]

2 hours ago, M.K. said:

With the upcoming update of the Archive support module (v1303, currently on pre-release servers) it should be now possible to remove macros from office documents in incoming emails, even in previously released Mail security products.

Servus Matej,

This are interesting news. Thank you for being so careful and giving feedback after such a long time.

I don't know where I can look up in the Security Management Center what we actually use but according to the description of an article in your knowledge base I found it on my client and I would consider the German translation to be related to Archivunterstützungsmodul. It seems to be available in version 1302 and seems to be from 05.05 (Please note attached screenshot). The updates seem to come automatically.

Such an unremarkable update unlocks such a fundamental function? Probably only the object type OLE is added, which addresses the macro as an embedded object. We will test it as soon as it is available and it would be something we have sadly missed so far.

Thy a lot & Bye Tom

 

[pronto 6]

On 5/27/2020 at 1:01 PM, M.K. said:

[...] With the upcoming update of the Archive support module (v1303, currently on pre-release servers) it should be now possible to remove macros from office documents in incoming emails, even in previously released Mail security products.

If you define a custom rule with Attachment type condition, select "Office files/Generic OLE2 Compound Document", and choose Quarantine attachment (or Delete attachment) as an action, Office documents will be delivered without any macros. [...]

Servus Matej,

I could not follow your instruction step by step. I have underlined the parameters I consider necessary in your mail. However, I have not found the parameter 'Incoming email'. Here are the steps I have now set, could you please check if this is correct and if it meets our requirements?

• Create a new policy (Product: ESET Mail Security for Microsoft Exchange (V6+)
• Settings -> Server -> Rules
• Mail Transport Protection -> Edit -> Add
• Condition type -> Office Files -> Other Files -> Generic OLE2 Compound Document
• Action type: Quranatine attachment
• Apply policy in Mailserver related group (Not done yet, waiting for clearance)

Thx in advance & Bye Tom

 

[pronto 6]

On 5/27/2020 at 1:01 PM, M.K. said:

If you define a custom rule with Attachment type condition, select "Office files/Generic OLE2 Compound Document", and choose Quarantine attachment (or Delete attachment) as an action, Office documents will be delivered without any macros.

Servus Matej,

no, the rule does not work as expected. The entire attachment is still being moved to quarantine. The modules are all updated to current versions:

 

 

Edited June 24, 2020 by pronto

[itman 1,659]

1 hour ago, pronto said:

no, the rule does not work as expected. The entire attachment is still being moved to quarantine.

Do you expect Eset just to remove the macro code and leave the attachment as is? Don't know of any security solution that can do that.

[Marcos 5,074]

2 minutes ago, itman said:

Do you expect Eset just to remove the macro code and leave the attachment as is? Don't know of any security solution that can do that.

ESET Mail Security can do that. I'll leave this for M.K. to answer since he's a developer of EMSX.

[pronto 6]

26 minutes ago, itman said:

Do you expect Eset just to remove the macro code and leave the attachment as is? Don't know of any security solution that can do that.

Yes, this is what Matej announced a few posts before.

Thx & Bye Tom

Edited June 24, 2020 by pronto

[pronto 6]

22 minutes ago, Marcos said:

ESET Mail Security can do that. I'll leave this for M.K. to answer since he's a developer of EMSX.

Thank you, I appreciate that.

[pronto 6]

Servus Marcos,

I opened a support ticket. For everyone who is interested in and has access to the submitted data, the ticket number is:

CASE_00092770

Thanks for your attention & Bye

Tom

[pronto 6]

Servus Community,

we have received feedback from support. Removing macros from Office documents only works for Office documents that are newer versions or afair equal to version 2007. Under these versions, ESET cannot unzip the office document to remove the macro. The entire document is then moved to quarantine.

This is a bit of a pity, because it would be a significant increase in security, but has a high error potential. Since this feature was introduced only a few weeks ago, there is still hope that it might be adjusted.

Thx & Bye Tom