I always use a program called SandBoxie that allows you to either run sandboxed 
web sessions or in fact run any program in a sandbox. You can then examine the 
changes that it WOULD have made to a live system. The software has free 
evaluation use at SandBoxie.com (the demo version simply makes you wait 10 
seconds on loading after asking you to buy the program, but it is fully 
featured). 

Because it integrates into Windows Explorer you can right-click a program and 
run it sandboxed in either standard user mode or Administrator mode without 
having to worry about any PC corruption. 

I have used this now for about 4-5 years and it is in my toolbox now for every 
installation.

Dave


-----Original Message-----
From: ProFox [mailto:[email protected]] On Behalf Of Peter Cushing
Sent: 11 February 2016 13:22
To: [email protected]
Subject: Re: [NF] Phishing and security in general.


On 10/02/2016 17:42, Ted Roche wrote:
> <snip>
>
> Do you understand the mechanism within the DOCX files that's 
> delivering the payload?
No, but I don't think it would help me anyway.  We just need a reliable way of 
determining if the Word (or Excel) file is infected.  When they don't show up 
on xx virus scanners on VirusTotal, what can you do?
>
> I wonder if opening the DOCX files in a different reader, like 
> OpenOffice might disarm the payload. Be careful: you're playing with 
> fire, here. Supposedly, you can completely disable macros with:
>
> https://support.office.com/en-us/article/Enable-or-disable-macros-in-O
> ffice-documents-7b4fdd2e-174f-47e2-9611-9efe4f860b12
Our users sometimes get spreadsheets with macros from customers, so they occasionally 
need to use this feature.  The article also shows that you can disable the 
feature but, for trusted documents, put them in a trusted location to run the 
macro.  Will have to check if this is viable.

We have just wiped the machine that did the damage but still could not detect 
anything on it.  You just could not trust the machine as it was.

Turns out we were hit by CryptoWall 4, but still don't know how it got onto 
the machine.  It might have been an email attachment, but we can't find anything 
suspicious in his email archive.

Peter
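Peter's message above asks for a reliable way to tell whether a Word or Excel file carries a macro. The script below is an added example, not code from anyone in this thread: it opens a modern Office document (.docx/.xlsx/.pptx are zip containers) without launching Office and reports whether a VBA project is embedded, using two independent signals so that neither a renamed part nor a tampered content-types manifest alone hides it. The sample documents it builds are constructed in memory for the demo (the `vbaProject.bin` payload is a placeholder, not real VBA); the content type string and namespace are the published OOXML values. Legacy binary .doc/.xls files are OLE compound files, not zips, and are reported as "not OOXML" rather than scanned.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Published OOXML values: the content type Office assigns to an embedded VBA
# project part, and the namespace of the [Content_Types].xml manifest.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"


def build_sample_docx(with_macros: bool) -> bytes:
    """Construct a minimal OOXML-style container in memory.

    Constructed sample for the demo, not a document produced by Word; the
    vbaProject.bin part is a placeholder byte string, not a real VBA project.
    """
    overrides = [
        '<Override PartName="/word/document.xml" '
        'ContentType="application/vnd.openxmlformats-officedocument.'
        'wordprocessingml.document.main+xml"/>'
    ]
    if with_macros:
        overrides.append(
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        + "".join(overrides)
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"placeholder-not-real-vba")
    return buf.getvalue()


def find_macro_indicators(data: bytes) -> dict:
    """Report whether the given document bytes embed a VBA project.

    Two signals are checked independently:
      1. any part whose name ends in vbaProject.bin (any folder, any case)
      2. any entry in [Content_Types].xml declaring the VBA content type
    A document is flagged if either signal fires.
    """
    result = {
        "is_ooxml": False,
        "vba_parts": [],
        "vba_content_type": False,
        "macros_present": False,
    }
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not a zip: legacy OLE file or not an Office document at all
    with archive:
        names = archive.namelist()
        if "[Content_Types].xml" not in names:
            return result  # a zip, but not an OOXML package
        result["is_ooxml"] = True
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        try:
            root = ET.fromstring(archive.read("[Content_Types].xml"))
            # Both <Default> and <Override> entries carry a ContentType attribute.
            for element in root.iter():
                if element.get("ContentType", "") == VBA_CONTENT_TYPE:
                    result["vba_content_type"] = True
        except ET.ParseError:
            pass  # malformed manifest: fall back to the part-name check only
    result["macros_present"] = bool(result["vba_parts"]) or result["vba_content_type"]
    return result


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_docx(False)), ("macro", build_sample_docx(True))):
        print(label, find_macro_indicators(sample))
```

Presence of a VBA project is not proof of infection, and absence is not proof of safety (a payload can also arrive through other embedded objects), but a mail gateway or file-share scan that quarantines documents flagged by `find_macro_indicators` gives you the deterministic check Peter is asking for, independent of whether any antivirus engine recognises the particular sample.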




[excessive quoting removed by server]

This message: 
http://leafe.com/archives/byMID/profox/[email protected]