Problem
Macro viruses are often found embedded in Microsoft Office documents. They usually originate from documents sent as email attachments or are accidentally downloaded from malicious URLs in phishing mails.
If a user receives an infected document by email, the virus can wreak havoc, attacking operating systems, changing settings, encrypting or even deleting data, leading to serious consequences for businesses.
iQ.Suite can execute various scenarios to identify and disarm macro viruses in Microsoft Office documents that are sent as email attachments. After the virus has been disarmed, the attachment can be safely delivered to the user. If the document is ultimately determined to be trustworthy, it can later be delivered in its original form.
Solution
With the iQ.Suite Watchdog module, attachments can be analysed for macros and VBA scripts in Microsoft Office documents and the original document can be placed in quarantine. However, the file attachments should be examined by at least one virus scanner in advance.
Attachments in inbound emails are analysed by selecting the appropriate file patterns under Watchdog – Utilities – Fingerprints and subsequent consolidation in a file restriction document, as well as by mapping the document to the specially created Watchdog mailjob.
Using a quarantine configuration document, the original document is copied into the quarantine which has been previously defined as well as selecting “Do not process mail” in the editing mode under the tab “Operations” of the Watchdog mailjob.
Using iQ.Suite Convert, documents containing macros are converted to a PDF file and can then be delivered to the user safely. In the required iQ.Suite Convert mailjob, the same fingerprints are selected as previously in the file restriction document.
The following option is selected to remove the original file attachment from the email. A PDF/A file can be created for conversion.
The recipient should be informed that the original file attachment has been converted to a PDF file for security reasons and instructed how to request delivery of the original file if necessary.
Alternatively, iQ.Suite Convert can remove macros in Office documents and the clean file can then be delivered to the recipient in its original format.
iQ.Suite can also execute scenarios to enable delivery of the original file attachment to the recipient or to enable the recipient to request delivery of the attachment. For example, the Microsoft Office document can be parked in quarantine and, after a specified period of time, the email is released or the user is prompted via a collective quarantine notification to request delivery.
In any case, emails should be scanned for viruses when leaving the quarantine.