Hi,

On Tue, Sep 6, 2016 at 5:40 PM, Dianne Skoll <d...@roaringpenguin.com> wrote:
> On Tue, 6 Sep 2016 16:12:36 -0500 (CDT)
> David B Funk <dbf...@engineering.uiowa.edu> wrote:
>
>> What is 'acceptable' to you? Unless you find some magical prescient
>> anti-virus that can accurately predict all possible macro viruses
>> without FPs I don't know what else can be done.
>
> Almost all of the macro viruses I've seen have made use of one of the
> following special BASIC subroutine names:
>
> Workbook_Open
> Document_Open
> Auto_Open
> AutoOpen
>
> If one of those subroutines is defined, it's far more suspicious than
> just a regular macro-laden document. Blocking or quarantining those
> will have a pretty low (though still, alas, non-zero) FP rate. And
> I'm not implying that a macro virus *has* to use one of those
> routines. It's just that most do because they allow execution of code
> with no user-interaction beyond opening the document.

That's very interesting, thanks. It's also an acceptable level of FP for my environment, given how pissed off users get when a macro virus reaches 30 recipients at a time then spreads throughout Exchange. Is there a simple way to identify whether the attachment/macro contains those listed functions, without the ability to use mimedefang?
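
An added example, not part of the original thread: a check for whether VBA source defines one of the four subroutine names listed in the quoted message. It assumes the macro source has already been extracted from the attachment as text by a separate tool; the function names and both sample macros are constructed for illustration.

```python
import re

# The four names from the quoted message. VBA identifiers are case-insensitive.
AUTOEXEC_NAMES = ("Workbook_Open", "Document_Open", "Auto_Open", "AutoOpen")

# Match a procedure *definition* only: optional scope and Static keywords,
# then Sub or Function, then a listed name ending at a word boundary.
# Comments, string literals and call sites do not start a line this way.
_DEF_RE = re.compile(
    r"^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?(?:Sub|Function)\s+("
    + "|".join(AUTOEXEC_NAMES) + r")\b",
    re.IGNORECASE,
)

def logical_lines(source):
    """Join VBA line continuations (trailing ' _') into single logical lines."""
    buf = ""
    for raw in source.splitlines():
        line = raw.rstrip()
        if line.endswith(" _"):
            buf += line[:-1]          # drop the underscore, keep the space
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def defined_autoexec(source):
    """Return the sorted listed names that the extracted source defines."""
    found = set()
    for line in logical_lines(source):
        m = _DEF_RE.match(line)
        if m:
            hit = m.group(1).lower()
            found.add(next(n for n in AUTOEXEC_NAMES if n.lower() == hit))
    return sorted(found)

# Constructed sample: names appear only in a comment and a string literal.
SAMPLE_BENIGN = """' Sub AutoOpen() is mentioned only in this comment
Sub FormatReport()
    MsgBox "Call Document_Open later"
End Sub
"""

# Constructed sample: definition split by a continuation, in lower case,
# plus a similarly named procedure that is not one of the listed names.
SAMPLE_AUTORUN = """Private Sub _
    document_open()
    FormatReport
End Sub
Sub AutoOpen2()
End Sub
"""
```

As the quoted message says, a hit marks the document as more suspicious rather than proving it malicious, and a macro that avoids these names is not flagged.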