Multiple instances of Macro and Javascript downloaders contained in .zip and .doc files are being scanned by SPE and not being detected as malicious.
These downloaders are constantly changing, meaning that by the time a virus definition is written to stop them, a new variant has been released.
For more details on many of these attacks seen in the wild, see:
Locky ransomware on aggressive hunt for victims
Dridex: Financial Trojan aggressively spread in millions of spam emails each day
Dridex: Tidal waves of spam pushing dangerous financial Trojan
Ransomware: How to stay safe
Ransomware: A Growing Menace
For more information on a comprehensive defense, please read the Connect article Support Perspective: W97M.Downloader Battle Plan
If Macros are not needed during normal business operations, consider blocking Macros from the internet entirely using a Group Policy Object. This article from Microsoft contains details on how to enable a GPO to block internet-based Macros. If the Macro cannot execute, the end user cannot become infected, regardless of whether the original document was detected as malicious by AntiVirus solutions.
Symantec has observed three vectors for downloaders: Javascript embedded in zip files, Macros embedded in Microsoft Word documents, and Macros embedded in MHT files that are renamed to *.doc. SPE can block all three of these vectors using the Deny File Names feature.
Warning: Many legitimate user files contain embedded files with the extensions included in the lists below. For example, many PDF files contain embedded Javascript. Using these lists as-is may cause a significant number of unwanted detections. These settings are ultimately a policy decision to be taken by the management of an individual IT organization. Consider excluding any extension that you know will cause unacceptable file blocks.
From Local Administrator Console
Go to Policies -> Filtering -> Files. Enable the Blocking by File Name feature by checking the box "Block files with the following names (one per line)".
Populate the Blocking by File Name box with the following entries:
*.js
*.mso
*.bas
*.cls
*.lnk
*.wsf
*.hta
*vbaProject
*vbaProject*
vbaProject*
*VBA_PROJECT*
*VBA_PROJECT
VBA_PROJECT*
VBA_PROJECT
From the Commandline
Change to the SPE installation directory: /opt/SYMCScan/bin on Linux, or C:\Program Files\Symantec\Scan Engine on Windows. Create a text file (list.txt, the file name used in the xmlmodifier commands below) and populate it with:
*.js
*.mso
*.bas
*.cls
*.lnk
*.wsf
*.hta
*vbaProject
*vbaProject*
vbaProject*
*VBA_PROJECT*
*VBA_PROJECT
VBA_PROJECT*
VBA_PROJECT
xmlmodifier -s //filtering/FileAttribute/FileNamesEnabled/@value true filtering.xml
xmlmodifier -b //filtering/FileAttribute/DenyFileNames/items list.txt filtering.xml
xmlmodifier -s //filtering/FileAttribute/DeleteFileNames/@value <true|false> filtering.xml
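To see which embedded files the entries above would actually catch, and where the false-positive risk from the warning comes from, here is an added example (not part of the article and not SPE's own code) that applies the deny list to the members of zip-based containers such as .zip, .docx and .docm. It assumes SPE treats each entry as a case-sensitive shell-style glob tested against the name of every file, including files inside containers; the container contents are constructed samples.

```python
import fnmatch
import io
import posixpath
import zipfile

# Deny File Names entries from the article (glob patterns, one per line).
DENY_FILE_NAMES = [
    "*.js", "*.mso", "*.bas", "*.cls", "*.lnk", "*.wsf", "*.hta",
    "*vbaProject", "*vbaProject*", "vbaProject*",
    "*VBA_PROJECT*", "*VBA_PROJECT", "VBA_PROJECT*", "VBA_PROJECT",
]


def matching_patterns(name, patterns=DENY_FILE_NAMES):
    """Return the deny-list entries that match a file name.

    Assumption (not stated in the article): entries are case-sensitive
    globs. Both the full member path and its base name are tested, so
    'word/vbaProject.bin' trips '*vbaProject*' and 'vbaProject*'.
    """
    base = posixpath.basename(name)
    return [p for p in patterns
            if fnmatch.fnmatchcase(name, p) or fnmatch.fnmatchcase(base, p)]


def blocked_members(container_bytes, patterns=DENY_FILE_NAMES):
    """Map each member of a zip-based container to the entries it trips;
    members with no hit are omitted, so an empty dict means 'not blocked'."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(container_bytes)) as zf:
        for member in zf.namelist():
            matched = matching_patterns(member, patterns)
            if matched:
                hits[member] = matched
    return hits


def build_sample(members):
    """Constructed sample container: only member names matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


# Constructed samples: a macro-enabled Word file, a zip carrying a .js
# file, and a plain .docx with no VBA project (should not be blocked).
MACRO_DOC = build_sample(["[Content_Types].xml", "word/document.xml",
                          "word/vbaProject.bin"])
JS_ZIP = build_sample(["sample.js"])
CLEAN_DOC = build_sample(["[Content_Types].xml", "word/document.xml"])

if __name__ == "__main__":
    for label, blob in [("macro doc", MACRO_DOC), ("js zip", JS_ZIP),
                        ("clean doc", CLEAN_DOC)]:
        print(label, blocked_members(blob))
```

Running the same check over a sample of your organisation's legitimate documents before enabling the list shows which entries will generate unwanted blocks.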
Please note that Symantec Protection Engine 8.2 now supports active content filtering. See the Documentation for details.