Multiple instances of Macro and Javascript downloaders contained in .zip and .doc files are passing through the SMSMSE filter without being detected as malicious.

These downloaders are constantly changing, meaning that by the time a virus definition is written to stop them, a new variant has been released.

For Symantec Mail Security for Microsoft Exchange (SMSMSE) version 7.5.4 and earlier please see the following article:

• https://knowledge.broadcom.com/external/article?legacyId=TECH234601

For more details on many of these attacks seen in the wild, see:

• Locky ransomware on aggressive hunt for victims
• Dridex: Financial Trojan aggressively spread in millions of spam emails each day
• Dridex: Tidal waves of spam pushing dangerous financial Trojan
• Ransomware: How to stay safe
• Ransomware: A Growing Menace

For more information on a comprehensive defense, please read the Connect article Support Perspective: W97M.Downloader Battle Plan

If Macros are not needed during normal business operations, consider blocking Macros from the internet entirely using a Group Policy Object. This article from Microsoft contains details on how to enable a GPO to block internet based Macros. If the Macro cannot execute, the end user cannot become infected, regardless of whether the original document was detected as malicious by AntiVirus solutions.

Enable Advanced heuristics detection. This technology has been effective at blocking many of these Downloaders:

Symantec has observed three vectors for downloaders coming through email: Javascript embedded in zip files, Macros embedded in Microsoft Word documents, and Macros embedded in MHT files that are renamed to *.doc. Symantec Mail Security for Microsoft Exchange can block all 3 of these vectors using a content filtering rule.

Warning:  Many legitimate PDF files contain embedded Javascript, these settings are ultimately a policy decision to be taken by the management of an individual IT organization. If Javascript is allowed inside containers, this is a potential threat vector. Symantec highly recommends blocking Javascript inside containers in email as a matter of security policy given the current threat landscape. With SMSMSE 7.5.5 and later, container specific exemptions and sender specific exemptions can be applied to the rule. See details below.

1.  Go to Policies -> Match Lists, Create a new match list, and name it “Block Downloader Trojans” with the following settings:
   
   Create a second match list and name it "File Name Rule Block Word Macros" with the following settings:
   
2. Go to Policies -> File Filtering Rules click the File Name Rule, and select "Enabled" from the drop down.
3. Next to Match list for prohibited file names, click Select... and select the "File Name Rule Block Word Macros" match list.
4. Go to Policies -> Content Filtering Rules and create a new rule with the following settings. Click "MatchList" and select the Block Downloader Trojans matchlist. Apply the rule only to "Inbound messages" to avoid triggering against internal mail.
   
   Make sure “Bypass scanning of container file(s)" is not checked, as this will defeat the purpose of the rule.
    
5. If desired, enter any container based exceptions to the rule individually or using a match list within the Unless category.  Note:  For the purposes of content filtering PDF files are not treated as container files.  To treat PDF files as containers you must utilize the File Name Rule option instead.

1. If desired, enter a user exception under the Users tab. The example setting below shows how to whitelist a user with the email address "[email protected]". Enter one user per line, or *@example.com to whitelist the entire "example.com" domain.
   
    
2. Choose an action under the "Actions" tab. It is highly recommended to set this rule to “Quarantine” (the default action for new content filtering rules) so that any legitimate documents caught by this rule can be released to the end user if necessary, but the malicious content contained in these file types is not allowed through to the end user.
3. Navigate to Policies -> File Type Filtering Rules  and select New rule... configure the rule with the following settings:
   
   With these settings configured, SMSMSE will block Macro-Enabled Office 2007 and later documents by true file type. Sender exemptions can be set using the "Users" tab, similar to the example in step 4.