How to block Macro and Javascript downloaders using Mail Security for Microsoft Exchange (SMSMSE) 7.5.5 and later

Article ID: 164018

Products

Mail Security for Microsoft Exchange

Issue/Introduction

Multiple instances of Macro and Javascript downloaders contained in .zip and .doc files are passing through the SMSMSE filter without being detected as malicious.

Cause

These downloaders are constantly changing, meaning that by the time a virus definition is written to stop them, a new variant has been released.

Resolution

For Symantec Mail Security for Microsoft Exchange (SMSMSE) version 7.5.4 and earlier please see the following article:

For more details on many of these attacks seen in the wild, see:


For more information on a comprehensive defense, please read the Connect article Support Perspective: W97M.Downloader Battle Plan.


If macros are not needed during normal business operations, consider blocking macros from the internet entirely using a Group Policy Object (GPO). This article from Microsoft contains details on how to enable a GPO that blocks internet-based macros. If the macro cannot execute, the end user cannot become infected, regardless of whether antivirus solutions detected the original document as malicious.

Enable Advanced heuristics detection. This technology has been effective at blocking many of these Downloaders:

Symantec has observed three vectors for downloaders coming through email: JavaScript embedded in zip files, macros embedded in Microsoft Word documents, and macros embedded in MHT files that are renamed to *.doc. Symantec Mail Security for Microsoft Exchange can block all three of these vectors using a content filtering rule.

Warning: Many legitimate PDF files contain embedded JavaScript, so these settings are ultimately a policy decision to be taken by the management of an individual IT organization. If JavaScript is allowed inside containers, it is a potential threat vector. Given the current threat landscape, Symantec highly recommends blocking JavaScript inside containers in email as a matter of security policy. With SMSMSE 7.5.5 and later, container-specific and sender-specific exemptions can be applied to the rule; see the details below.

1. Go to Policies -> Match Lists, create a new match list, and name it "Block Downloader Trojans" with the following settings:

   Create a second match list and name it "File Name Rule Block Word Macros" with the following settings:

2. Go to Policies -> File Filtering Rules, click the File Name Rule, and select "Enabled" from the drop-down.

3. Next to "Match list for prohibited file names", click Select... and select the "File Name Rule Block Word Macros" match list.

4. Go to Policies -> Content Filtering Rules and create a new rule with the following settings. Click "MatchList" and select the "Block Downloader Trojans" match list. Apply the rule only to "Inbound messages" to avoid triggering against internal mail.

   Make sure "Bypass scanning of container file(s)" is not checked, as this would defeat the purpose of the rule.

5. If desired, enter any container-based exceptions to the rule individually or using a match list within the Unless category. Note: for the purposes of content filtering, PDF files are not treated as container files. To treat PDF files as containers you must use the File Name Rule option instead.

6. If desired, enter a user exception under the Users tab. The example setting below shows how to whitelist a user with the email address "[email protected]". Enter one user per line, or *@example.com to whitelist the entire "example.com" domain.

7. Choose an action under the "Actions" tab. It is highly recommended to set this rule to "Quarantine" (the default action for new content filtering rules) so that any legitimate documents caught by this rule can be released to the end user if necessary, while the malicious content contained in these file types is not allowed through to the end user.

8. Navigate to Policies -> File Type Filtering Rules and select New rule... Configure the rule with the following settings:

   With these settings configured, SMSMSE will block macro-enabled Office 2007 and later documents by true file type. Sender exemptions can be set using the "Users" tab, similar to the example in step 6.
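The three vectors and the rule behaviour described above, as an added example that is not from this article or from Symantec's product: a small Python checker that classifies an attachment by its bytes (true file type) rather than by its extension, applies the rule only to inbound mail, honours sender and container exemptions in the spirit of the Unless settings, and quarantines on a match. All sample attachments are constructed inline. The function names, the script-extension list, the glob matching for container exceptions and the UTF-16 "_VBA_PROJECT" marker used to spot macros in legacy .doc files are assumptions of this example, not settings or logic taken from SMSMSE.

```python
import fnmatch
import io
import zipfile
from typing import List, Tuple

# Assumption: script extensions treated as downloader payloads when found inside a zip.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary Office (Word 97-2003)
# Crude heuristic (assumption): binary Word files keep VBA in a "_VBA_PROJECT" stream,
# whose name is stored as UTF-16LE in the OLE directory.
VBA_STREAM_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def is_zip(data: bytes) -> bool:
    return data[:4] == b"PK\x03\x04"


def is_ole(data: bytes) -> bool:
    return data[:8] == OLE_MAGIC


def looks_like_mht(data: bytes) -> bool:
    # MHT web archives are MIME text; Word opens them even when renamed to .doc.
    head = data[:512].lower()
    return b"mime-version:" in head and b"multipart/related" in head


def classify_attachment(filename: str, data: bytes) -> List[str]:
    """Return the reasons the attachment matches the downloader rule (empty = clean)."""
    reasons = []
    name = filename.lower()
    if is_zip(data):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = [n.lower() for n in zf.namelist()]
        # Vector 1: a script file inside a zip container.
        if any(n.endswith(SCRIPT_EXTENSIONS) for n in entries):
            reasons.append("script inside container")
        # Office 2007+ macro-enabled files are zips carrying a vbaProject.bin part;
        # this is the true-file-type check behind the File Type Filtering rule.
        if any(n.endswith("vbaproject.bin") for n in entries):
            reasons.append("macro-enabled OOXML document")
    elif is_ole(data):
        # Vector 2: macros inside a legacy binary Word document.
        if VBA_STREAM_MARKER in data:
            reasons.append("VBA project in binary Word document")
    elif name.endswith((".doc", ".dot")) and looks_like_mht(data):
        # Vector 3: an MHT file renamed to .doc (extension alone says "Word").
        reasons.append("MHT renamed to Word document")
    return reasons


def evaluate_rule(sender: str, filename: str, data: bytes, inbound: bool,
                  user_exceptions: Tuple[str, ...] = (),
                  container_exceptions: Tuple[str, ...] = ()) -> Tuple[str, List[str]]:
    """Mirror the article's rule: inbound only, Unless exemptions for senders
    (glob such as *@example.com) and container names, quarantine on a match."""
    if not inbound:
        return "deliver", []
    if any(fnmatch.fnmatch(sender.lower(), p.lower()) for p in user_exceptions):
        return "deliver", ["sender exempt"]
    if any(fnmatch.fnmatch(filename.lower(), p.lower()) for p in container_exceptions):
        return "deliver", ["container exempt"]
    reasons = classify_attachment(filename, data)
    return ("quarantine" if reasons else "deliver"), reasons


def make_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachments: one per vector, plus two the rule should pass.
SAMPLES = {
    "invoice.zip": make_zip({"invoice.js": b"// constructed stand-in for a script downloader"}),
    "report.docm": make_zip({"[Content_Types].xml": b"<Types/>",
                             "word/vbaProject.bin": b"constructed"}),
    "clean.docx": make_zip({"[Content_Types].xml": b"<Types/>",
                            "word/document.xml": b"<w:document/>"}),
    "order.doc": b"MIME-Version: 1.0\r\nContent-Type: multipart/related; boundary=\"b\"\r\n\r\n",
    "memo.doc": OLE_MAGIC + b"\x00" * 56 + VBA_STREAM_MARKER,
    # PDFs are not containers for content filtering (see the note in step 5), so this passes.
    "brochure.pdf": b"%PDF-1.4\n% constructed, no container handling\n",
}


def run_demo() -> dict:
    """Evaluate every sample as inbound mail from an external sender."""
    return {name: evaluate_rule("sender@external.test", name, data, inbound=True)
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, (action, reasons) in run_demo().items():
        print(f"{name:14} {action:10} {', '.join(reasons) or '-'}")
    # A sender whitelisted with a *@example.com style entry bypasses the rule.
    print(evaluate_rule("bob@example.com", "invoice.zip", SAMPLES["invoice.zip"],
                        inbound=True, user_exceptions=("*@example.com",)))
```

Run it directly to see one decision per sample. The MHT renamed to .doc is the case an extension-only check would wave through, which is why the File Type Filtering step above works on true file type; the clean .docx and the PDF are delivered, matching the article's note that PDFs are not treated as containers by content filtering.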
