Multiple macro and JavaScript downloaders contained in .zip and .doc files are passing through the SMSMSE filter without being detected as malicious.
These downloaders are constantly changing, meaning that by the time a virus definition is written to stop them, a new variant has been released.
For Symantec Mail Security for Microsoft Exchange (SMSMSE) version 7.5.4 and earlier please see the following article:
For more details on many of these attacks seen in the wild, see:
For more information on a comprehensive defense, please read the Connect article Support Perspective: W97M.Downloader Battle Plan
If Macros are not needed during normal business operations, consider blocking Macros from the internet entirely using a Group Policy Object. This article from Microsoft contains details on how to enable a GPO to block internet-based Macros. If the Macro cannot execute, the end user cannot become infected, regardless of whether the original document was detected as malicious by AntiVirus solutions.
Enable Advanced heuristics detection. This technology has been effective at blocking many of these Downloaders:
Symantec has observed three vectors for downloaders coming through email: JavaScript embedded in zip files, Macros embedded in Microsoft Word documents, and Macros embedded in MHT files that are renamed to *.doc. Symantec Mail Security for Microsoft Exchange can block all 3 of these vectors using a content filtering rule.
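To make the three vectors concrete, the following added example (not Symantec code and not the SMSMSE rule itself) classifies an attachment by content rather than by extension alone. The function names, result labels and sample attachments are constructed for illustration, and the OLE macro check is a byte-search heuristic rather than a full parser.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy .doc (OLE2 compound file)
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory names are UTF-16LE
SCRIPT_EXT = (".js", ".jse")

def classify(filename, data):
    """Return the set of downloader vectors an attachment matches."""
    hits = set()
    if data.startswith(b"PK\x03\x04"):            # zip, including OOXML .docm
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                members = [m.lower() for m in zf.namelist()]
        except zipfile.BadZipFile:
            return {"unreadable-zip"}
        if any(m.endswith(SCRIPT_EXT) for m in members):
            hits.add("script-in-zip")
        if any(m.endswith("vbaproject.bin") for m in members):
            hits.add("macro-in-word")
    elif data.startswith(OLE_MAGIC):
        if VBA_STREAM in data:                    # heuristic, not a full OLE parse
            hits.add("macro-in-word")
    elif filename.lower().endswith(".doc") and b"mime-version:" in data[:512].lower():
        hits.add("mht-renamed-doc")               # MIME text behind a .doc name
    return hits

def make_zip(names):
    """Build a constructed in-memory zip with harmless placeholder members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "placeholder")
    return buf.getvalue()

# Constructed sample attachments (not real malware, no executable content).
SAMPLES = {
    "invoice.zip": make_zip(["invoice_2231.js"]),
    "notes.zip": make_zip(["readme.txt"]),
    "report.docm": make_zip(["word/document.xml", "word/vbaProject.bin"]),
    "scan.doc": OLE_MAGIC + b"\x00" * 64 + VBA_STREAM,
    "order.doc": b"MIME-Version: 1.0\r\nContent-Type: multipart/related\r\n\r\n",
}

def triage():
    return {name: classify(name, data) for name, data in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in triage().items():
        print(name, sorted(hits) or "no match")
```

The sketch does not descend into nested archives, so a zip inside a zip would need a recursive pass.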
Warning: Many legitimate PDF files contain embedded JavaScript. These settings are ultimately a policy decision to be taken by the management of an individual IT organization. If JavaScript is allowed inside containers, this is a potential threat vector. Symantec highly recommends blocking JavaScript inside containers in email as a matter of security policy given the current threat landscape. With SMSMSE 7.5.5 and later, container-specific exemptions and sender-specific exemptions can be applied to the rule. See details below.