
CSV files with malicious code


https://www.bleepingcomputer.com/news/security/malicious-csv-text-files-used-to-install-bazarbackdoor-malware/

CSV files are currently not on the default Sophos attachment file type list. They can, just like any other Office file, contain macros or functions. Quarantining everything is unworkable.

Does Sophos Email Security also scan Office files for malicious functions, macros or code?

Sophos advertises that attachments are loaded in a sandbox to determine their nature. As users, however, we do not see that sandbox evaluation or result. We only see it when a file is found to be malicious, and I have had instances in the past with Office files that were malicious and were detected as such by Intercept X and PureMessage but not by Email Security! I have never seen an explanation for it from Support other than that these particular files were now also added to the database.

regards,

Fred



This thread was automatically locked due to age.
  • Hello Fred,

    Thank you for contacting the Sophos Community.

    This is the list of extensions available for macros. The following extensions are visible if you select custom list selection.

    | TFT ID | Group | Extensions |
    |---|---|---|
    | TFT/WordDoc-G | Document | .xml |
    | TFT/WordDoc-E | Document | .docm, .dotm |
    | TFT/PowerPt-G | Presentation | .ppsm, .pptm, .potm |
    | TFT/Excel-I | Document | .xlsm, .xltm |
    | TFT/WordDoc-I | Document | .docm, .dotm |
    | TFT/WordDoc-K | Document | .mhtml |
    | TFT/Excel-G | Document | .xlsm, .xltm |
    | TFT/PowerPt-E | Presentation | .ppsm, .pptm, .potm |
    | TFT/Excel-H | Spreadsheet | .xlsm, .xltm |

    Regards,


     
    Emmanuel (EmmoSophos)
    Community Support Engineer | Sophos Technical Support