On our side I have reacted in banning the messages that have specifficaly named attachment (lately those were invoice_2016_52323.doc). So we are blocking those. But to answer your question. I tried F-Prot virus scanner and one of the results it gives back is number of macros discovered in the document. So you could use that to reject documents with macros.
Best regards, Tone Kravanja From: Ralf Kirmis [mailto:[email protected]] Sent: Friday, February 19, 2016 9:08 AM To: [email protected] Subject: Detecting Crypto Trojans Hello List, does someone have an idea how to block those crypto trojans, which come in as office documents with enabled macros? The patterns from Virus Scanners are actuelly behind the waves that come in. Is it possible to detect macros in office documents and treat those mails as viruses or banned attachments? We don't like the idea to block all office documents, wether macros or not. regards, Ralf Kirmis
