
The newest craze, apparently, is to add garbage into Office '97 formatted *.doc and *.xls files so that when a user opens them, and ignores warnings from Defender or anything else, they get infected with something. Usually, a trojan horse or a dropper that goes and gets ransomware or something else.

The initial solution was to block *.doc, *.xls, and *.ppt according to MIME type, and bounce the inbound email.

But, my client has a few customers who are not tech savvy, don't understand that xlsx, docx, pptx, etc. are the new / safer versions of the files, and they refuse to use them. Still others have automated reporting that was created 15 years ago, and is not capable of sending these reports (commission and sales reports).

So, my client is stuck. If we blanket allow them, users will (eventually) infect themselves with something opening attachments they should not be opening (and ignoring warnings the computer throws up).

I need a way to reliably scan and block dangerous attachments using Postfix, SpamAssassin, and ClamAV.

What is a good playbook recipe, milter, or otherwise that can do this?

DrDamnit
  • In transparent mode, you could just use a firewall that has a gateway antivirus running on it; it will scan before it enters the network. An example: http://help.sonicwall.com/help/sw/eng/6960/26/2/1/content/Security_Services_Gateway_Anti-Virus_Service.115.5.html – yagmoth555 Dec 11 '18 at 14:16
  • What have you tried so far, open source or commercial? Evaluated non-email file sharing solutions? Do you care about a compromised machine if your backups are good, and the security budget is small? – John Mahowald Dec 12 '18 at 03:14
  • Open source. The business requirements of this client are the antithesis of "secure." They want to RECEIVE attachments from outside. So, trying to get senders (their customers) to change the way they do business and use non-email file sharing is not going to work. I care about compromised machines, but they don't. Not until one gets compromised (happened earlier this year), but their customers don't care, and they are losing orders. So, it's a cost / benefit problem at this point. If I can scan known bad office attachments and remove them, that's the ideal situation. – DrDamnit Dec 12 '18 at 15:53
  • Firewall with AV scanner will not work if the inbound connections are TLS. (Unless I install certs everywhere to allow the FW to do a man-in-the-middle, but that's just going from bad to worse here). – DrDamnit Dec 12 '18 at 15:54
