Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 2 replies
  • Answers 1 answer
  • Subscribers 13 subscribers
  • Views 1871 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Intercept-X not blocking excel macro trojans

LHerzog

We're receiving mails that got blocked by our mail gateway and I used them for testing Sophos Intercept-X.

Most of the mails I test have no attachment but links to zip files containing xls or xlsm files. I can download and execute the files without problem on my machine with Intercept-X.

Virustotal shows some vendors detect the files as trojan or whatever. Sophos does not. Why does it not work? Should be one of the most simple ways of attack.

I could present more examples. Here just the latest.

Mailbody:

Hallo

In diesem Brief sende ich Ihnen alle notwendigen Unterlagen zu unserem
baldigen Treffen, genau wie wir es vor nicht allzu langer Zeit besprochen
haben. Bitte überprüfen Sie die erforderlichen Informationen hier:

stage1.artisanenterprisellc.com/dr--era-skiles/peters-25.zip

zip is containing audit-69241583.xls

https://www.virustotal.com/gui/file/2be4d59981938b00cf4f2c99559eefdaba7e5276de6ef8c1af454241dc435889/detection

right click scan:

Screenshot of xls opened in online viewer.



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Just to clarify, did you click on the Enable Content element? (if you haven't, don't)

    In general - the macro won't run unless you enable content either by user action or by GPO. Exploit Mitigation only interacts at time of the macro being fired - so if macro content is not enabled then you wouldn't get to that filter. 

    As for ML scanning, that doesn't scan office data files - only PEs (at this time)

    The zip would also not be malicious in and of itself - so the scanner wouldn't block it unless we had a specific detection for the hash of that zip - we don't tend to do that sort of scanning on the endpoint for emails (we do for Downloads) since emails should be passing through some filter at the demarc. You stated your filter caught this file - which is good. 

    So, if you manually pulled the file down onto an endpoint - you've bypassed the protection layers most likely to filter out the file by the zip hash. Extracting the zip won't trigger anything. Opening the document will only trigger if the macro is triggered on open and if that auto-run is enabled - which it isn't by default in Windows - so the macro shouldn't actually run until you click on Enable Content. Exploit Mitigation would only kick in at that point.

    I write this all out to clarify the risk points at each stage of the defense in depth security approach here. This, however, doesn't give you peace of mind since what you actually want is a sense of assurance that this type of threat would be detected and prevented. Don't just run these files on your machines! instead, we have a file submission process that allows you to submit the file into our sandbox and we will do that for you. Contact support and they can set that all up for you.

  • 0 in reply to FormerMember

    What I wanted to point to with my initial post:

    there are vendors who detect the file as malicious even before it had been uploaded it to Virustotal. Intercept-X with all it's supposted to be nextGen, Heuristics, EarlyDetection and whatever nice words someone created does not. This is something I find somewhat frustrating. It's not a 5$ give-away AV software..

    Sophos is somewhere in the centre of the Leader Quadrant of Gartner EPP.

    Maybe I take the time to really execute such a file on a test machine in the future.

Unfiltered HTML