
How to block Macro and Javascript downloaders using Mail Security for Microsoft Exchange 7.5.4 and earlier


Article ID: 163118


Products

Mail Security for Microsoft Exchange

Issue/Introduction

Multiple instances of Macro and Javascript downloaders contained in .zip and .doc files are passing through the Symantec Mail Security for Microsoft Exchange (SMSMSE) filter without being detected as malicious.

Cause

These downloaders are constantly changing, meaning that by the time a virus definition is written to stop them, a new variant has been released.

For more details on many of these attacks seen in the wild, see:

For more information on a comprehensive defense, please read the Connect article Support Perspective: W97M.Downloader Battle Plan

Resolution

If macros are not needed during normal business operations, consider blocking macros that originate from the internet entirely using a Group Policy Object. This article from Microsoft contains details on how to enable a GPO that blocks internet-based macros. If the macro cannot execute, the end user cannot become infected, regardless of whether the original document was detected as malicious by antivirus solutions.

Enable Advanced heuristics detection. This technology has been effective at blocking many of these downloaders.

Symantec has observed three vectors for downloaders arriving through email: Javascript embedded in zip files, macros embedded in Microsoft Word documents, and macros embedded in MHT files that are renamed to *.doc. Symantec Mail Security for Microsoft Exchange can block all three of these vectors using the File name rule:

Warning: Many legitimate PDF files contain embedded Javascript, so these settings are ultimately a policy decision to be taken by the management of an individual IT organization. If Javascript is allowed inside containers, this is a potential threat vector. Symantec highly recommends blocking Javascript inside containers in email as a matter of security policy given the current threat landscape. If the chance of blocking legitimate PDF files is unacceptable to the organization, do not add *.js to the match list.

1. Go to Policies -> Match Lists, create a new match list, and name it “Block Javascript and Word Macros” with the following settings:

2. Go to Policies -> File Filtering Rules, enable the File name rule, associate it with the Block Javascript and Word Macros match list created in step 1, and choose an action. It is recommended to Quarantine these files so that any legitimate messages can be released.

Make sure “Bypass scanning of container file(s)” is not checked, as this will defeat the purpose of the rule.

It is highly recommended to set this rule to “Quarantine” so that any legitimate documents caught by this rule can be released to the end user if necessary, but the malicious content contained in these file types is not allowed through to the end user.
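The logic of the File name rule applied to containers, and why the "Bypass scanning of container file(s)" option defeats it, as an added example that is not SMSMSE code. The match list below is an assumption: the article names *.js, and the *.doc and *.docm entries are illustrative; the sample zip is constructed inline.

```python
import fnmatch
import io
import zipfile

# Assumed match list: *.js comes from the article, the Word entries are illustrative.
MATCH_LIST = ["*.js", "*.doc", "*.docm"]
ZIP_MAGIC = b"PK\x03\x04"
MAX_ENTRY_BYTES = 50 * 1024 * 1024  # do not inflate oversized entries (zip-bomb guard)


def _name_matches(name, patterns):
    """Case-insensitive wildcard match of the base file name against the match list."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(base, p.lower()) for p in patterns)


def find_matches(name, data, patterns=MATCH_LIST, bypass_containers=False, depth=0):
    """Return outer/inner paths that hit the match list.

    The top-level attachment name is always checked. Unless container scanning is
    bypassed, every entry of a zip container is checked too, recursing into nested
    zips up to a small depth. With bypass_containers=True a .js inside a zip is missed.
    """
    hits = [name] if _name_matches(name, patterns) else []
    if bypass_containers or depth > 3 or not data.startswith(ZIP_MAGIC):
        return hits
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if info.file_size > MAX_ENTRY_BYTES:
                    hits.append(f"{name}/{info.filename} (oversized, not inspected)")
                    continue
                inner = find_matches(info.filename, zf.read(info), patterns, bypass_containers, depth + 1)
                hits.extend(f"{name}/{h}" for h in inner)
    except zipfile.BadZipFile:
        pass  # not a readable container; nothing further to inspect
    return hits


def decide(name, data, **kw):
    """Rule action: quarantine on any hit so legitimate files can still be released."""
    return "quarantine" if find_matches(name, data, **kw) else "deliver"


def build_zip(entries):
    """Constructed sample container: entries maps archive path to bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_zip({"invoice.JS": b"// constructed placeholder, not a real script"})
    print(decide("invoice.zip", sample))                          # quarantine
    print(decide("invoice.zip", sample, bypass_containers=True))  # deliver: rule defeated
```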
