Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 11 replies
  • Subscribers 1 subscriber
  • Views 3441 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Antivirus not catching infected .doc files?

BrianRobison
Hi all.  We've suddenly begun getting deluged with emails containing infected MS Word .doc files that use, if memory serves, a W97 macro attack.  I have both Avira and Sophos antivirus engines running on our inbound email, but these things are sailing right through the Sophos firewall.  Can anyone suggest a way to intercept these while allowing uninfected .doc files through?  The attacks are old; it's not like they're using an attack that the antivirus has never heard of.
Dual UTM-525 in HA active/passive cluster running 9.315-2.

I see that we're not the only ones seeing this uptick: https://threatpost.com/microsoft-reports-massive-increase-in-macros-enabled-threats/110204


TIA,
Brian


This thread was automatically locked due to age.
Parents
  • 0
    I believe this is the right answer at present, but I've always thought that this was counter-intuitive if not an actual bug.  It's at least a buggy idea to do it this way. [;)]

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    I believe this is the right answer at present, but I've always thought that this was counter-intuitive if not an actual bug.  It's at least a buggy idea to do it this way. [;)]

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • 0 in reply to BAlfson
    Is the operational thing simply to turn on Data Protection?  Right now, I'd be willing to try data protection, if I could set its action to do nothing or permit, if that's what it takes to turn on attachment scanning.

    I believe this is the right answer at present, but I've always thought that this was counter-intuitive if not an actual bug.  It's at least a buggy idea to do it this way. [;)]

    Cheers - Bob
Unfiltered HTML