Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 11 replies
  • Subscribers 1 subscriber
  • Views 3439 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Antivirus not catching infected .doc files?

BrianRobison
Hi all.  We've suddenly begun getting deluged with emails containing infected MS Word .doc files that use, if memory serves, a W97 macro attack.  I have both Avira and Sophos antivirus engines running on our inbound email, but these things are sailing right through the Sophos firewall.  Can anyone suggest a way to intercept these while allowing uninfected .doc files through?  The attacks are old; it's not like they're using an attack that the antivirus has never heard of.
Dual UTM-525 in HA active/passive cluster running 9.315-2.

I see that we're not the only ones seeing this uptick: https://threatpost.com/microsoft-reports-massive-increase-in-macros-enabled-threats/110204


TIA,
Brian


This thread was automatically locked due to age.
Parents
  • 0
    Well, let me go read that right quick.  [;)]

    EDIT:  Well reading it isn't very clear, but looking at Data Protection seems to be a valid concern because it scans the attachments.  What would it hurt by turning it on for you?

    Data Protection seems to be the trigger for AV to tell it what to do with it.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

Reply
  • 0
    Well, let me go read that right quick.  [;)]

    EDIT:  Well reading it isn't very clear, but looking at Data Protection seems to be a valid concern because it scans the attachments.  What would it hurt by turning it on for you?

    Data Protection seems to be the trigger for AV to tell it what to do with it.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

Children
  • 0 in reply to Amodin
    We had one of the recent (within the last 2 weeks) 9.x updates turn on Data Protection (where it had never been on), with an action of "blacklist", and all of a sudden, we were rejecting 100% of all inbound emails for no good reason.  When I turned it off, the problem stopped.

    Well, let me go read that right quick.  [;)]

    EDIT:  Well reading it isn't very clear, but looking at Data Protection seems to be a valid concern because it scans the attachments.  What would it hurt by turning it on for you?

    Data Protection seems to be the trigger for AV to tell it what to do with it.
Unfiltered HTML