Email and Server security strips XLS files (not Autorun macro) with exclusion

DaFit

Hi,

is there any news on the problem. I have the same symtoms.

BR

JamesC

Hi DaFit

 

Can you please check the logfile from C:\ProgramData\F-Secure ? Logfile.log can show a similar log entry:

'example.xls' matches 'Disallowed Inbound Files' stripping condition; Real type: application/vnd.ms-excel; description: Microsoft Compound Document;Microsoft Excel Document; VBA;doc_long: Microsoft Excel 2003 Worksheet;doc_class: Biff8;doc_spec: Excel.Sheet.8;appname: Microsoft Excel; extensions: XLS XLA VBA

 

This means that the file has been blocked since it is either a XLS or XLA file, or it includes VBA macros.

 

You can try to change the settings for policy Disallowed Inbound Files by removing the VBA from the list, and see if that improve the situation.

DaFit

Dear jamesch,

i got this Answer also from the F Secure Support team today.

 

Yes, in the log ist the same message. 

We block VBA but not XLS/XLA.

In the XLS is no macro.

I dont want VBA but i want to receive XLS.
It works, if i send the same Document saved as XLSX or as XLSM.

JamesC

Hi DaFit

 

Do you have ESS Standard or Premium installed ?

 

We have a hotfix to exclude VBA autorun.macro which I can send you the download link for.

DaFit

Hi jamesch,

 

i use ESS Version 12.12 Standard.

 

But its no Autorun.macro error.

 

 Reason: Attachment 'Filename.xls' matches 'Disallowed Files' stripping condition; Real type: application/vnd.ms-excel; description: Microsoft Compound Document;Microsoft Excel Document; VBA;doc_long: Microsoft Excel 2003 Worksheet;doc_class: Biff8;doc_spec: Excel.Sheet.8;appname: Microsoft Excel; extensions: XLS XLA VBA

 

Best regards

etomcat

Dear Jamesch,

 

> We have a hotfix to exclude VBA autorun.macro which I can send you the download link for.

 

Could we receive the hotfix? We had a support case (xxxxxx) with a local customer which may have been related to the same problem.

 

Thanks in advance, Yours Sincerely:
Tamas Feher, 2F 2000 Kft., Hungary.

 

EDIT: Removed case number

JamesC

Hi DaFit

 

I would suggest you to disable Email Traffic Scanning > Incoming Email  > "Intelligent file type recognition", and let me know if the .XLS file is still being blocked.

JamesC

Please check your inbox. I have just messaged you the links for the hotfix

DaFit

Dear jamesch,
after disabling the "Intelligent file type recognition" the xls work.

would this hotfix also work for that?
br

JamesC

This particular hotfix provides exclusions for the following infections:

Trojan-Downloader:W32/Kavala.W

Trojan:W97M/AutorunMacro.B

 

 Your case seems to be because of this: Real type: application/vnd.ms-excel 

DaFit

Dear jamesch,

 

is there a solution without generally allowing vba?

JamesC

Hi DaFit

 

I don't believe so but I will check with the relevant product team and get back to you on this.

JamesC

Hi DaFit

 

I have receive a response from the relevant team and they advised, currently no.

Are you certain that there are no scripts inside the XLS file ?

DaFit

Dear jamesch,

 

yes, there is no Script.

If i save it as XLSM or XLSX the file will work.

 

JamesC

We would like to check your XLS file, but our developer is away on 3 weeks vacation, so we can only reply you after he is back.

Please private message me the file attachment

DaFit

Dear jamesch,
i cant send Private Messages.
"You have reached the limit for number of private messages that you can send for now. Please try again later."

JamesC

Hi DaFit

 

That's fine. I just sent you a private message with a link to upload the sample.

DaFit

Hi jamesch,

file is uploaded.

JamesC

Thank you for the file. I will get it checked out, and update you as soon as I have some results. But do note, there is no ETA.

JamesC

Hi DaFit

 

Thank you for your patience. We have an update on your issue and will let you know once we have developed a fix.

 

We have checked your XLS file and ran a few tests. It seems sometimes Excel saves common XSLX files as XLS with _VBA_PROJECT_CUR inside.

 

So, our products strips your XLS because there is that _VBA_PROJECT_CUR folder, even if there are no actual macros is inside.

DaFit

Dear jamesch,

Thank you for information.
I will point this out to the sender.

Best regards

JamesC

Hi DaFit

 

You are welcome.

 

Could you ask customer if disabling "Intelligent file type recognition" is a suitable workaround or can they wait until ESS 14 ?

DaFit

Dear jamesch,

we dont change the settings and release the message if needed.

When will ESS 14 be available?

best regards 

JamesC

Hi DaFit

 

ESS 14 Beta is planned for 14.10.2019, and RTM around second-half of November.

Crx

Hello,

 

we have this same exact problem. Did I understand correctly that this is fixed in ESS 14 RTM? We still use ESS 12.12 and I would like to fix it even before upgrading to 14. Is it possible to get the hotfix?

etomcat

Dear Jamesch,

 

> ESS 14 Beta is planned for 14.10.2019, and RTM around second-half of November.

 

I would like to ask for a progress update regarding this product?

 

Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.

 

Vad

Hello Tamas,

 

Beta2 is now published on Beta program page. And the plan is to publish RC around 22-26.11.2019.

 

Best regards,

Vad

 

noahg

We have this issue as well with 12.12 and are running Exchange 2010 which is not supported by version 14. Should we submit a ticket to get the hotfix?

JamesC

Hi all

 

We have the fix ready, for ESS 12.X on Exchange Server 2013 (and later), where it strips XLS files (not Autorun macro) even with exclusion.

 

Please let me know if you want the fix