Ransomware
-
@Dashrender said:
Can an entire cryptoware solution be done purely in VBScript? If so, then disabling Macros seems like a requirement as a next step.
Good luck with that. Many people write their own macros in Excel to help with their jobs.
-
How are those Doc Files getting in anyway? Does your solution not include a cloud spam/email filter to pull out things like that?
-
@Jason said:
How are those Doc Files getting in anyway? Does your solution not include a cloud spam/email filter to pull out things like that?
Pull out things like what? Zero-day exploits?
-
@Dashrender said:
@Jason said:
How are those Doc Files getting in anyway? Does your solution not include a cloud spam/email filter to pull out things like that?
Pull out things like what? Zero-day exploits?
Files that have macros in them. No reason those would be emailed from the outside.
-
@Jason said:
@Dashrender said:
@Jason said:
How are those Doc Files getting in anyway? Does your solution not include a cloud spam/email filter to pull out things like that?
Pull out things like what? Zero-day exploits?
Files that have macros in them. No reason those would be emailed from the outside.
Well I'll take you back to your own post
@Jason said:
Good luck with that. Many people write their own macros in Excel to help with their jobs.
I've had vendors send me quotes using their own sheets that contain macros they use to gather data before - sure it's rare, but it happens.
-
@Dashrender said:
@Jason said:
@Dashrender said:
@Jason said:
How are those Doc Files getting in anyway? Does your solution not include a cloud spam/email filter to pull out things like that?
Pull out things like what? Zero-day exploits?
Files that have macros in them. No reason those would be emailed from the outside.
Well I'll take you back to your own post
@Jason said:
Good luck with that. Many people write their own macros in Excel to help with their jobs.
I've had vendors send me quotes using their own sheets that contain macros they use to gather data before - sure it's rare, but it happens.
That's way different. Internal use vs sending them out. Sending them out is just as bad or worse than sending an .exe or .bat etc? I'm sure you block those? We strip macros. Vendors don't like it? Find another one.
-
@Jason said:
@Dashrender said:
@Jason said:
@Dashrender said:
@Jason said:
How are those Doc Files getting in anyway? Does your solution not include a cloud spam/email filter to pull out things like that?
Pull out things like what? Zero-day exploits?
Files that have macros in them. No reason those would be emailed from the outside.
Well I'll take you back to your own post
@Jason said:
Good luck with that. Many people write their own macros in Excel to help with their jobs.
I've had vendors send me quotes using their own sheets that contain macros they use to gather data before - sure it's rare, but it happens.
That's way different. Internal use vs sending them out. Sending them out is just as bad or worse than sending an .exe or .bat etc? I'm sure you block those? We strip macros. Vendors don't like it? Find another one.
To the best of my knowledge I can't strip macros with AppRiver - but I'll check into it tomorrow to be sure. They can block by extension - which I've done in the past... but doesn't help here.
-
@Dashrender said:
@Jason said:
@Dashrender said:
@Jason said:
@Dashrender said:
@Jason said:
How are those Doc Files getting in anyway? Does your solution not include a cloud spam/email filter to pull out things like that?
Pull out things like what? Zero-day exploits?
Files that have macros in them. No reason those would be emailed from the outside.
Well I'll take you back to your own post
@Jason said:
Good luck with that. Many people write their own macros in Excel to help with their jobs.
I've had vendors send me quotes using their own sheets that contain macros they use to gather data before - sure it's rare, but it happens.
That's way different. Internal use vs sending them out. Sending them out is just as bad or worse than sending an .exe or .bat etc? I'm sure you block those? We strip macros. Vendors don't like it? Find another one.
To the best of my knowledge I can't strip macros with AppRiver - but I'll check into it tomorrow to be sure. They can block by extension - which I've done in the past... but doesn't help here.
Weird if it can't. Ours can strip them or print them to PDF and replace them.
-
@Jason said:
@Dashrender said:
@Jason said:
@Dashrender said:
@Jason said:
@Dashrender said:
@Jason said:
How are those Doc Files getting in anyway? Does your solution not include a cloud spam/email filter to pull out things like that?
Pull out things like what? Zero-day exploits?
Files that have macros in them. No reason those would be emailed from the outside.
Well I'll take you back to your own post
@Jason said:
Good luck with that. Many people write their own macros in Excel to help with their jobs.
I've had vendors send me quotes using their own sheets that contain macros they use to gather data before - sure it's rare, but it happens.
That's way different. Internal use vs sending them out. Sending them out is just as bad or worse than sending an .exe or .bat etc? I'm sure you block those? We strip macros. Vendors don't like it? Find another one.
To the best of my knowledge I can't strip macros with AppRiver - but I'll check into it tomorrow to be sure. They can block by extension - which I've done in the past... but doesn't help here.
Weird if it can't. Ours can strip them or print them to PDF and replace them.
A macro?
-
You can block macros in Word, but leave them in Excel. Most ransomware comes as an infected Word document rather than an Excel document, doesn't it? This is what I do.
You can also allow macros to run in protected locations, e.g. your intranet/fileserver. So if the user wants to run a macro in an external file, they would simply need to save a copy on their intranet/fileserver and then open it from there (I think).
-
@Carnival-Boy said:
You can also allow macros to run in protected locations, e.g. your intranet/fileserver. So if the user wants to run a macro in an external file, they would simply need to save a copy on their intranet/fileserver and then open it from there (I think).
That's not blocking them though; a user could save the malicious file to the fileserver and then it would run the malicious code.
-
@Dashrender said:
@Jason said:
@Dashrender said:
@Jason said:
@Dashrender said:
@Jason said:
@Dashrender said:
@Jason said:
How are those Doc Files getting in anyway? Does your solution not include a cloud spam/email filter to pull out things like that?
Pull out things like what? Zero-day exploits?
Files that have macros in them. No reason those would be emailed from the outside.
Well I'll take you back to your own post
@Jason said:
Good luck with that. Many people write their own macros in Excel to help with their jobs.
I've had vendors send me quotes using their own sheets that contain macros they use to gather data before - sure it's rare, but it happens.
That's way different. Internal use vs sending them out. Sending them out is just as bad or worse than sending an .exe or .bat etc? I'm sure you block those? We strip macros. Vendors don't like it? Find another one.
To the best of my knowledge I can't strip macros with AppRiver - but I'll check into it tomorrow to be sure. They can block by extension - which I've done in the past... but doesn't help here.
Weird if it can't. Ours can strip them or print them to PDF and replace them.
A macro?
It can be set to strip the macros out or print the whole file to a PDF. The PDF would not have macros. Our solution even will scan for URLs in documents and see what they are.
-
@Jason said:
It can be set to strip the macros out or print the whole file to a PDF. The PDF would not have macros. Our solution even will scan for URLs in documents and see what they are.
What are you using?
-
@Dashrender said:
@Jason said:
It can be set to strip the macros out or print the whole file to a PDF. The PDF would not have macros. Our solution even will scan for URLs in documents and see what they are.
What are you using?
Mimecast
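-
The thread's point that blocking by extension does not catch macro-bearing documents, while a filter that inspects content can, shown as an added example that is not part of any post and not taken from AppRiver or Mimecast. The function names, verdict strings and sample attachments are hypothetical and constructed here; the legacy OLE check is a byte-search heuristic, not a full compound-file parse.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # legacy .doc/.xls container signature
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # OLE directory names are stored as UTF-16LE

def has_macros(data: bytes) -> bool:
    """True if the attachment bytes appear to carry a VBA project, whatever the filename says."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: search for the VBA stream name instead of walking the sector chain.
        return VBA_STREAM in data
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                # OOXML keeps macros in word/vbaProject.bin or xl/vbaProject.bin.
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return True  # unreadable archive: treat as suspect (fail closed)
    return False

def gateway_verdict(filename, data, blocked_ext=(".docm", ".xlsm", ".exe", ".bat")):
    """Extension rule first, then the content check that the extension rule cannot replace."""
    if filename.lower().endswith(blocked_ext):
        return "block-extension"
    if has_macros(data):
        return "strip-or-quarantine"
    return "deliver"

def make_ooxml(parts):
    """Build a constructed OOXML-style zip in memory (placeholder part contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in parts:
            z.writestr(name, b"constructed")
    return buf.getvalue()

# Constructed sample attachments, not real documents.
SAMPLES = {
    "quote.docx": make_ooxml(["[Content_Types].xml", "word/document.xml"]),
    "sheet.xlsm": make_ooxml(["[Content_Types].xml", "xl/workbook.xml", "xl/vbaProject.bin"]),
    "legacy-clean.doc": OLE_MAGIC + b"\0" * 504,
    "legacy-macro.doc": OLE_MAGIC + b"\0" * 504 + VBA_STREAM,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:18} {gateway_verdict(name, blob)}")
```

The two `.doc` samples share an extension and differ only in content, which is why the extension rule alone delivers both.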