How to block Macro and Javascript downloaders using Protection Engine (SPE) 7.9 and later

Article ID: 196881

Products

Protection Engine for Cloud Services
Protection Engine for NAS

Issue/Introduction

Multiple instances of macro and JavaScript downloaders contained in .zip and .doc files are scanned by SPE but are not detected as malicious.

Cause

These downloaders change constantly: by the time a virus definition is written for one variant, a new variant has already been released, so signature-based detection alone lags behind them.

Resolution

For more details on many of these attacks seen in the wild, see:

Locky ransomware on aggressive hunt for victims
Dridex: Financial Trojan aggressively spread in millions of spam emails each day
Dridex: Tidal waves of spam pushing dangerous financial Trojan
Ransomware: How to stay safe
Ransomware: A Growing Menace

Workarounds:

For more information on a comprehensive defense, please read the Connect article Support Perspective: W97M.Downloader Battle Plan

If macros are not needed during normal business operations, consider blocking macros in files that originate from the internet entirely using a Group Policy Object (GPO). Microsoft documents the Office GPO setting that blocks macros in files downloaded from the internet. If the macro cannot execute, the end user cannot become infected, regardless of whether the original document was detected as malicious by an antivirus solution.

Symantec has observed three vectors for these downloaders: JavaScript embedded in .zip files, macros embedded in Microsoft Word documents, and macros embedded in MHT files that are renamed to *.doc. SPE can block all three vectors using the Deny File Names feature. Because SPE decomposes containers before applying the list, the patterns are matched against the names of the files stored inside the archive or document (for example the vbaProject.bin part that holds the VBA code in a macro-enabled Office Open XML document, or the editdata.mso part of a Word MHT file) as well as against the outer file name.

Warning: Many legitimate user files contain embedded files with the extensions in the list below. For example, many PDF files contain embedded JavaScript, and every legitimate macro-enabled Office Open XML document (.docm, .xlsm, .pptm) contains a vbaProject.bin part. Using this list as-is may cause a significant number of unwanted blocks. These settings are ultimately a policy decision for the management of an individual IT organization. Consider excluding any entry that you know will cause unacceptable file blocks, and test the list against a sample of normal business documents before enforcing it.

From Local Administrator Console

  1. Go to Policies -> Filtering -> Files. Enable the Blocking by File Name feature by checking the box "Block files with the following names (one per line)".

  2. Populate the Blocking by File Name box with the following entries:

*.js
*.mso
*.bas
*.cls
*.lnk
*.wsf
*.hta
*vbaProject
*vbaProject*
vbaProject*
*VBA_PROJECT*
*VBA_PROJECT
VBA_PROJECT*
VBA_PROJECT
  3. Save and apply the settings.

From the Commandline

  1. Navigate to the Protection Engine installation directory, normally /opt/SYMCScan/bin on Linux and C:\Program Files\Symantec\Scan Engine on Windows. Create a text file named list.txt containing one entry per line:
*.js
*.mso
*.bas
*.cls
*.lnk
*.wsf
*.hta
*vbaProject
*vbaProject*
vbaProject*
*VBA_PROJECT*
*VBA_PROJECT
VBA_PROJECT*
VBA_PROJECT
  2. Enable the DenyFileNames feature:
xmlmodifier -s //filtering/FileAttribute/FileNamesEnabled/@value true filtering.xml
  3. Import the list you created in step 1:
xmlmodifier -b //filtering/FileAttribute/DenyFileNames/items list.txt filtering.xml
  4. Configure the feature to either block or delete matching files. A value of false blocks and a value of true deletes:
xmlmodifier -s //filtering/FileAttribute/DeleteFileNames/@value <true|false> filtering.xml
  5. Restart the Protection Engine service so that the updated filtering.xml takes effect.
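As an added example that is not part of this article or of the Protection Engine product, the following Python script dry-runs the deny list above against a few constructed sample files before you enforce it. It assumes the feature behaves as a case-insensitive wildcard match applied to the outer file name and to every member name inside a ZIP-based container (.zip, .docm, .xlsm), which is how the vbaProject entries in the list catch macro-enabled Office Open XML documents; it does not model SPE's decoding of MHT files, and the sample archives are built in memory rather than read from disk. The output shows why the list blocks a legitimate macro-enabled spreadsheet just as readily as a .docm downloader, which is the false-positive risk the warning above describes.

```python
"""Dry-run of the SPE "Block files with the following names" list.

Added example, not the article's or the product's own code. The Deny File
Names check is modelled (assumption) as a case-insensitive fnmatch wildcard
match over the outer file name and over every member name inside a ZIP
container. Sample archives below are constructed in memory.
"""
import fnmatch
import io
import zipfile

# The deny list from the article, verbatim.
DENY_PATTERNS = [
    "*.js", "*.mso", "*.bas", "*.cls", "*.lnk", "*.wsf", "*.hta",
    "*vbaProject", "*vbaProject*", "vbaProject*",
    "*VBA_PROJECT*", "*VBA_PROJECT", "VBA_PROJECT*", "VBA_PROJECT",
]


def matching_patterns(name, patterns=DENY_PATTERNS):
    """Return the patterns that match `name`, compared case-insensitively."""
    lowered = name.lower()
    return [p for p in patterns if fnmatch.fnmatchcase(lowered, p.lower())]


def names_in_container(data):
    """Member names of a ZIP container (.zip, .docm, .xlsm are ZIPs); [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def evaluate(filename, data, patterns=DENY_PATTERNS):
    """Map each denied name (outer file or member) to the patterns that hit it."""
    hits = {}
    for name in [filename] + names_in_container(data):
        matched = matching_patterns(name, patterns)
        if matched:
            hits[name] = matched
    return hits


def make_zip(members):
    """Build an in-memory ZIP from {member_name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: two attack shapes from the article plus two legitimate files.
SAMPLES = {
    # vector 1: JavaScript downloader inside a ZIP attachment
    "invoice_4471.zip": make_zip(
        {"invoice_4471.js": b"var sh = new ActiveXObject('WScript.Shell');"}),
    # vector 2: macro-enabled Word document; OOXML stores the VBA in word/vbaProject.bin
    "quote.docm": make_zip({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0",
    }),
    # legitimate macro-enabled spreadsheet: same vbaProject.bin name, so it is blocked too
    "budget_model.xlsm": make_zip({
        "xl/workbook.xml": b"<workbook/>",
        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0",
    }),
    # plain document without macros: passes
    "memo.docx": make_zip({"word/document.xml": b"<w:document/>"}),
}


def report(samples=SAMPLES, patterns=DENY_PATTERNS):
    """For every sample file, the names the list would deny and why."""
    return {fname: evaluate(fname, data, patterns) for fname, data in samples.items()}


if __name__ == "__main__":
    for fname, hits in report().items():
        print(f"{'BLOCK' if hits else 'allow':5} {fname}")
        for name, pats in hits.items():
            print(f"       {name}  <- {', '.join(pats)}")
```

Run it as-is to see the verdicts, then point SAMPLES at real files from a file share or mail store to estimate how many legitimate documents the list would stop; removing the vbaProject and VBA_PROJECT entries, for example, keeps the .js/.wsf/.hta blocking while letting macro-enabled workbooks through. Note also that `*vbaProject*` already covers the other three vbaProject entries, and `*VBA_PROJECT*` the other three VBA_PROJECT entries, so the shorter list is equivalent.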