To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

Email and Server security strips XLS files (not Autorun macro) with exclusion

Options
DaFit
DaFit W/ Alumni Posts: 12 Security Scout

Hi,

is there any news on the problem. I have the same symtoms.

BR

Comments

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Options

    Hi DaFit

     

    Can you please check the logfile from C:\ProgramData\F-Secure Logfile.log can show a similar log entry:


    'example.xls' matches 'Disallowed Inbound Files' stripping condition; Real type: application/vnd.ms-excel; description: Microsoft Compound Document;Microsoft Excel Document; VBA;doc_long: Microsoft Excel 2003 Worksheet;doc_class: Biff8;doc_spec: Excel.Sheet.8;appname: Microsoft Excel; extensions: XLS XLA VBA

     

    This means that the file has been blocked since it is either a XLS or XLA file, or it includes VBA macros.

     

    You can try to change the settings for policy Disallowed Inbound Files by removing the VBA from the list, and see if that improve the situation.

  • DaFit
    DaFit W/ Alumni Posts: 12 Security Scout
    Options
    Dear jamesch,

    i got this Answer also from the F Secure Support team today.
     
    Yes, in the log ist the same message. 
    We block VBA but not XLS/XLA.
    In the XLS is no macro.

    I dont want VBA but i want to receive XLS.
    It works, if i send the same Document saved as XLSX or as XLSM.
  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Options

    Hi DaFit

     

    Do you have ESS Standard or Premium installed ?

     

    We have a hotfix to exclude VBA autorun.macro which I can send you the download link for.

  • DaFit
    DaFit W/ Alumni Posts: 12 Security Scout
    Options

    Hi jamesch,

     

    i use ESS Version 12.12 Standard.

     

    But its no Autorun.macro error.

     

     Reason: Attachment 'Filename.xls' matches 'Disallowed Files' stripping condition; Real type: application/vnd.ms-excel; description: Microsoft Compound Document;Microsoft Excel Document; VBA;doc_long: Microsoft Excel 2003 Worksheet;doc_class: Biff8;doc_spec: Excel.Sheet.8;appname: Microsoft Excel; extensions: XLS XLA VBA

     

    Best regards

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master
    Options

    Dear Jamesch,

     

    > We have a hotfix to exclude VBA autorun.macro which I can send you the download link for.

     

    Could we receive the hotfix? We had a support case (xxxxxx) with a local customer which may have been related to the same problem.

     

    Thanks in advance, Yours Sincerely:
    Tamas Feher, 2F 2000 Kft., Hungary.

     

    EDIT: Removed case number

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Options

    Hi DaFit

     

    I would suggest you to disable Email Traffic Scanning > Incoming Email  > "Intelligent file type recognition", and let me know if the .XLS file is still being blocked.

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Options

    Please check your inbox. I have just messaged you the links for the hotfix

  • DaFit
    DaFit W/ Alumni Posts: 12 Security Scout
    Options

    Dear jamesch,
    after disabling the "Intelligent file type recognition" the xls work.

    would this hotfix also work for that?
    br

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Options

    This particular hotfix provides exclusions for the following infections:

    Trojan-Downloader:W32/Kavala.W

    Trojan:W97M/AutorunMacro.B

     

     Your case seems to be because of this: Real type: application/vnd.ms-excel 

  • DaFit
    DaFit W/ Alumni Posts: 12 Security Scout
    Options

    Dear jamesch,

     

    is there a solution without generally allowing vba?

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Options

    Hi DaFit

     

    I don't believe so but I will check with the relevant product team and get back to you on this.

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Options

    Hi DaFit

     

    I have receive a response from the relevant team and they advised, currently no.


    Are you certain that there are no scripts inside the XLS file ?

  • DaFit
    DaFit W/ Alumni Posts: 12 Security Scout
    Options

    Dear jamesch,

     

    yes, there is no Script.

    If i save it as XLSM or XLSX the file will work.

     

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Options

    We would like to check your XLS file, but our developer is away on 3 weeks vacation, so we can only reply you after he is back.

    Please private message me the file attachment

  • DaFit
    DaFit W/ Alumni Posts: 12 Security Scout
    Options
    Dear jamesch,
    i cant send Private Messages.
    "You have reached the limit for number of private messages that you can send for now. Please try again later."
  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Options

    Hi DaFit

     

    That's fine. I just sent you a private message with a link to upload the sample.

  • DaFit
    DaFit W/ Alumni Posts: 12 Security Scout
    Options
    Hi jamesch,

    file is uploaded.
  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Options

    Thank you for the file. I will get it checked out, and update you as soon as I have some results. But do note, there is no ETA.

  • DaFit
    DaFit W/ Alumni Posts: 12 Security Scout
    Options
    Dear jamesch,

    Thank you for information.
    I will point this out to the sender.

    Best regards
  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Options

    Hi DaFit

     

    You are welcome.

     

    Could you ask customer if disabling "Intelligent file type recognition" is a suitable workaround or can they wait until ESS 14 ?
  • DaFit
    DaFit W/ Alumni Posts: 12 Security Scout
    Options

    Dear jamesch,

    we dont change the settings and release the message if needed.

    When will ESS 14 be available?

    best regards 

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Options

    Hi DaFit

     

    ESS 14 Beta is planned for 14.10.2019, and RTM around second-half of November.

  • Crx
    Crx W/ Alumni Posts: 1 Security Scout
    Options

    Hello,

     

    we have this same exact problem. Did I understand correctly that this is fixed in ESS 14 RTM? We still use ESS 12.12 and I would like to fix it even before upgrading to 14. Is it possible to get the hotfix?

  • etomcat
    etomcat W/ Alumni Posts: 1,172 Firewall Master
    Options

    Dear Jamesch,

     

    > ESS 14 Beta is planned for 14.10.2019, and RTM around second-half of November.

     

    I would like to ask for a progress update regarding this product?

     

    Thanks in advance, Yours Sincerely: Tamas Feher, Hungary.

     

  • Vad
    Vad W/ Alumni Posts: 1,069 Cybercrime Crusader
    Options

    Hello Tamas,

     

    Beta2 is now published on Beta program page. And the plan is to publish RC around 22-26.11.2019.

     

    Best regards,

    Vad

     

  • noahg
    noahg W/ Alumni Posts: 1 Security Scout
    Options

    We have this issue as well with 12.12 and are running Exchange 2010 which is not supported by version 14. Should we submit a ticket to get the hotfix?

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 524 Moderator
    Options

    Hi all

     

    We have the fix ready, for ESS 12.X on Exchange Server 2013 (and later), where it strips XLS files (not Autorun macro) even with exclusion.

     

    Please let me know if you want the fix

This discussion has been closed.