If macros are not needed during normal business operations, consider blocking macros from the internet entirely using a Group Policy Object (GPO). This article from Microsoft contains details on how to enable a GPO to block internet-based macros. If the macro cannot execute, the end user cannot become infected, regardless of whether the original document was detected as malicious by antivirus solutions.
Enable Advanced heuristics detection. This technology has been effective at blocking many of these downloaders:
Go to Policies -> Match Lists, create a new match list, and name it "Block Downloader Trojans" with the following settings:
Create a second match list and name it "File Name Rule Block Word Macros" with the following settings:
Go to Policies -> File Filtering Rules, click the File Name Rule, and select "Enabled" from the drop-down.
Next to Match list for prohibited file names, click Select... and select the "File Name Rule Block Word Macros" match list.
Go to Policies -> Content Filtering Rules and create a new rule with the following settings. Click "MatchList" and select the "Block Downloader Trojans" match list. Apply the rule only to "Inbound messages" so that it does not trigger on internal mail.
Make sure "Bypass scanning of container file(s)" is not checked, as this would defeat the purpose of the rule.
If desired, enter any container-based exceptions to the rule individually or using a match list within the Unless category. Note: for the purposes of content filtering, PDF files are not treated as container files. To treat PDF files as containers you must use the File Name Rule option instead.
If desired, enter a user exception under the Users tab. The example setting below shows how to whitelist a user with the email address "email@example.com". Enter one user per line, or *@example.com to whitelist the entire "example.com" domain.
Choose an action under the "Actions" tab. It is highly recommended to set this rule to "Quarantine" (the default action for new content filtering rules) so that any legitimate documents caught by this rule can be released to the end user if necessary, while the malicious content contained in these file types is not allowed through to the end user.
Navigate to Policies -> File Type Filtering Rules and select New rule..., then configure the rule with the following settings:
With these settings configured, SMSMSE will block Macro-Enabled Office 2007 and later documents by true file type. Sender exemptions can be set using the "Users" tab, similar to the example in step 4.
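The difference between the File Name Rule (which matches on the file extension listed in a match list) and the File Type Filtering Rule (which matches on the true file type) is the reason both are configured above. The following added example, which is not part of the original article and not SMSMSE's own detection logic, illustrates that difference for Office 2007+ (OOXML) documents: it builds a few constructed in-memory packages, then classifies each one by extension and by content. The macro-extension list and the check for a `vbaProject.bin` part inside the zip package are the example's own assumptions about what a true-file-type check looks for; the real product's type detection is proprietary.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions a file-name rule such as the "File Name Rule Block Word Macros"
# match list would typically list. Constructed for this example.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}

# Package parts where OOXML documents store VBA project code.
VBA_PART_NAMES = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def name_rule_matches(filename: str) -> bool:
    """Extension-based check: all that a file-name rule can see."""
    return PurePosixPath(filename).suffix.lower() in MACRO_EXTENSIONS


def true_type_is_macro_enabled(data: bytes) -> bool:
    """Content-based check: an OOXML (zip) package that carries a VBA part."""
    if not data.startswith(b"PK\x03\x04"):
        return False  # not a zip-based package (legacy OLE .doc, plain text, ...)
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    # Must look like an Office package and contain a VBA project part.
    return "[Content_Types].xml" in names and bool(names & VBA_PART_NAMES)


def build_ooxml(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-shaped package for the demo (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes only
    return buf.getvalue()


def classify(filename: str, data: bytes) -> dict:
    """Report what each kind of rule would decide for one attachment."""
    return {
        "name_rule": name_rule_matches(filename),
        "true_type_rule": true_type_is_macro_enabled(data),
    }


# Constructed sample attachments.
SAMPLES = {
    "report.docx": build_ooxml(with_vba=False),  # benign, no macros
    "invoice.docm": build_ooxml(with_vba=True),  # macro-enabled, honest extension
    "invoice.docx": build_ooxml(with_vba=True),  # macro-enabled, renamed to .docx
    "notes.txt": b"plain text, not a package",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(name, data))
```

The renamed sample is the one to look at: the extension rule says it is clean, the content rule says it is macro-enabled, which is why the article's final step filters "by true file type" rather than relying on the file-name match list alone. The check above only understands zip-based OOXML packages; legacy binary Office formats (OLE2 .doc/.xls) store macros differently and are not covered by it.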