Detecting Crypto Trojans
Ralf Kirmis
2016-02-19 08:07:45 UTC
Hello List,

Does someone have an idea how to block those crypto trojans, which come in as office documents with enabled macros?
The patterns from virus scanners are actually behind the waves that come in.
Is it possible to detect macros in office documents and treat those mails as viruses or banned attachments?

We don't like the idea to block all office documents, whether macros or not.

regards,
Ralf Kirmis
Tone Kravanja
2016-02-19 12:07:46 UTC
On our side I have reacted by banning the messages that have a specifically named attachment (lately those were invoice_2016_52323.doc), so we are blocking those. But to answer your question: I tried the F-Prot virus scanner, and one of the results it gives back is the number of macros discovered in the document. So you could use that to reject documents with macros.

Best regards,
Tone Kravanja

From: Ralf Kirmis [mailto:***@wizard.de]
Sent: Friday, February 19, 2016 9:08 AM
To: amavis-***@amavis.org
Subject: Detecting Crypto Trojans

Hello List,

Does someone have an idea how to block those crypto trojans, which come in as office documents with enabled macros?
The patterns from virus scanners are actually behind the waves that come in.
Is it possible to detect macros in office documents and treat those mails as viruses or banned attachments?
We don't like the idea to block all office documents, whether macros or not.

regards,
Ralf Kirmis
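
Added example (not part of the thread, and not amavis or F-Prot code): a content-based check of the kind asked about above, which flags an Office attachment when it contains a VBA project, regardless of its file name. The function names and sample documents are constructed for illustration, and the OLE2 branch is a byte-search heuristic, not a full compound-file parser.

```python
import io
import zipfile
from typing import Optional

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx/.docm/...) container
# Name of a stream found in VBA project storages; OLE2 directory entries
# store names as UTF-16LE.
VBA_STREAM_UTF16 = "_VBA_PROJECT".encode("utf-16-le")


def macro_indicator(data: bytes) -> Optional[str]:
    """Return a reason string if the document appears to carry VBA macros."""
    if data.startswith(OLE2_MAGIC):
        # Heuristic: search for the stream name instead of walking the directory.
        if VBA_STREAM_UTF16 in data:
            return "ole2: _VBA_PROJECT stream name present"
        return None
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    if name.lower().endswith("vbaproject.bin"):
                        return f"ooxml: {name}"
        except zipfile.BadZipFile:
            # Policy choice (assumption): an archive we cannot read is flagged.
            return "zip: unreadable archive"
    return None


def sample_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: minimal zip laid out like a .docx/.docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


def sample_ole2(with_macro: bool) -> bytes:
    """Constructed sample: OLE2 magic plus padding, not a valid document."""
    tail = VBA_STREAM_UTF16 if with_macro else b""
    return OLE2_MAGIC + b"\x00" * 504 + tail


if __name__ == "__main__":
    for label, blob in [("docm", sample_ooxml(True)), ("docx", sample_ooxml(False)),
                        ("doc+vba", sample_ole2(True)), ("doc", sample_ole2(False))]:
        print(label, "->", macro_indicator(blob) or "no macro indicator")
```

The check keys on the container's magic bytes, so a macro-bearing file is flagged whatever extension it carries.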
