Improve Protection Against Ransomware
The macro Trojan "Locky" infected 17,000 computers in Germany within 24 hours in 2016. Locky encrypted all files on the infected computer and on any connected or networked storage media. Those affected were only offered a way to decrypt their data again in exchange for a ransom payment.
The Trojan most commonly arrives as an Office document (e.g. Word or Excel) with embedded macros. Sometimes it hides inside a ZIP file that the user has to open first. Other file formats may be affected as well.
What should companies do?
The sad truth is: there is no such thing as absolute security. The malware is tweaked constantly, and defences have to be adapted accordingly. No one can promise that today's solution will still protect your systems tomorrow. Does this mean that resistance is futile? No! Just don't allow yourself to be lulled into a false sense of security. Stay alert!
Administrators have to implement security measures. If possible, block the execution of macros via Group Policy settings. Microsoft offers how-tos, for example for Office 2013.
Keep your employees informed! Many affected businesses were hit because a staff member did not know that Locky could lurk in a simple Word document.
Your Exchange Server: email security starts here
To augment your level of protection you can adjust the security settings of Exchange Server Toolbox.
Refuse virus-infected emails
Exchange Server Toolbox can automatically refuse emails if a virus is detected. The sender receives a warning via email and can take steps to remove the infection.
Proceed as follows:
- Open the Exchange Server Toolbox menu.
- Navigate to "Rules" > "Incoming".
- Edit the "Antivirus" rule:
  - Select the action "Refuse mail".
  - Optionally, change the notification emailed to the sender by double-clicking "Refuse mail" under "Rule content", for example to "Virus found: [$Virus name$]".
- Save your changes.
Move all office attachments to quarantine
If this rule is active, all attached Microsoft Office files are removed from incoming emails and stored in a secure location. If a user needs one of these files, the administrator can check it and forward it to the user once it has been confirmed clean.
Proceed as follows:
- Open the Exchange Server Toolbox menu.
- Navigate to "Rules" > "Incoming".
- Activate the "Security: Office attachments removal" rule:
  - This rule saves all Office attachments to "C:\ProgramData\JAM Software\Exchange Server Toolbox\BackupMails\EntfernteAnhaenge\[$Date$]\[$MessageID$]".
  - The placeholders [$Date$] and [$MessageID$] in the path are replaced by the date and the message ID.
  - A list of the removed files, together with a note that they were removed for security reasons, is attached to each processed email.
- Save your changes.
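To make the quarantine rule concrete, here is an added example that is not part of the article or of Exchange Server Toolbox: it parses an email, identifies Office attachments (by extension, by the vbaProject.bin part that marks a macro-enabled OOXML file, and inside a ZIP wrapper, the delivery trick mentioned at the top of the page), writes them to a date/message-ID folder like the one the rule uses, and appends a list of the removed files to the cleaned mail. The extension list, the quarantine root and the sample message are constructed for this example.

```python
from __future__ import annotations
import email
import io
import os
import tempfile
import zipfile
from datetime import date
from email import policy
from email.message import EmailMessage

# Constructed list of extensions treated as Office documents (extend as needed).
OFFICE_EXTENSIONS = {".doc", ".docm", ".docx", ".dot", ".dotm",
                     ".xls", ".xlsm", ".xlsx", ".xlam",
                     ".ppt", ".pptm", ".pptx"}


def _zip_names(data: bytes) -> list[str]:
    """Entry names of a ZIP container, or [] if the bytes are not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def contains_vba_project(data: bytes) -> bool:
    """OOXML documents are ZIP containers; a vbaProject.bin part means embedded macros."""
    return any(n.lower().endswith("vbaproject.bin") for n in _zip_names(data))


def zip_holds_office_file(data: bytes) -> bool:
    """A plain ZIP attachment that wraps an Office document."""
    return any(os.path.splitext(n)[1].lower() in OFFICE_EXTENSIONS for n in _zip_names(data))


def is_office_attachment(filename: str, data: bytes) -> bool:
    """Check the extension first, then the content, so a renamed file is still caught."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in OFFICE_EXTENSIONS or contains_vba_project(data) or zip_holds_office_file(data)


def quarantine_office_attachments(raw: bytes, quarantine_root: str,
                                  today: date | None = None) -> tuple[EmailMessage, list[str]]:
    """Return (cleaned message, quarantined file paths).

    Office attachments go to <quarantine_root>/<date>/<message-id>/ and are
    replaced in the mail by a text attachment listing what was removed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    today = today or date.today()
    # The Message-ID becomes a folder name, so keep only harmless characters.
    message_id = (msg.get("Message-ID") or "no-message-id").strip().strip("<>")
    safe_id = "".join(c if c.isalnum() or c in "-._@" else "_" for c in message_id)
    target_dir = os.path.join(quarantine_root, today.isoformat(), safe_id)

    clean = EmailMessage(policy=policy.default)
    for name, value in msg.items():
        # MIME structure headers are regenerated by set_content/add_attachment.
        if not name.lower().startswith("content-") and name.lower() != "mime-version":
            clean[name] = value
    body = msg.get_body(preferencelist=("plain",))
    clean.set_content(body.get_content() if body is not None else "")

    saved: list[str] = []
    for index, part in enumerate(msg.iter_attachments(), start=1):
        # basename() stops a crafted filename from escaping the quarantine folder.
        filename = os.path.basename(part.get_filename() or f"attachment-{index}")
        data = part.get_payload(decode=True) or b""
        maintype, subtype = part.get_content_type().split("/", 1)
        if is_office_attachment(filename, data):
            os.makedirs(target_dir, exist_ok=True)
            path = os.path.join(target_dir, filename)
            with open(path, "wb") as fh:
                fh.write(data)
            saved.append(path)
        else:
            clean.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)

    if saved:
        notice = ("The following attachments were removed for security reasons "
                  "and stored for review by your administrator:\n"
                  + "\n".join(f"- {os.path.basename(p)}" for p in saved) + "\n")
        clean.add_attachment(notice, filename="removed-attachments.txt")
    return clean, saved


def _make_zip(entries: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed input: a clean PDF, a macro-enabled .docm and a ZIP wrapping a .doc."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Invoice"
    msg["Message-ID"] = "<sample-0001@example.invalid>"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(_make_zip({"[Content_Types].xml": b"<Types/>",
                                  "word/document.xml": b"<w:document/>",
                                  "word/vbaProject.bin": b"\x00 constructed"}),
                       maintype="application", subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="invoice.docm")
    msg.add_attachment(_make_zip({"invoice.doc": b"\xd0\xcf\x11\xe0 constructed"}),
                       maintype="application", subtype="zip", filename="invoice.zip")
    return bytes(msg)


def demo(quarantine_root: str | None = None) -> tuple[list[str], list[str]]:
    """Run the rule over the sample mail; returns (kept attachment names, quarantined paths)."""
    root = quarantine_root or tempfile.mkdtemp(prefix="quarantine-")
    clean, saved = quarantine_office_attachments(build_sample_message(), root, date(2016, 2, 17))
    kept = [p.get_filename() for p in clean.iter_attachments()]
    return kept, saved


if __name__ == "__main__":
    kept_names, saved_paths = demo()
    print("kept:", kept_names)
    print("quarantined:", saved_paths)
```

The content checks matter because the rule in the article is described in terms of Office attachments, and a ZIP wrapper or a misleading extension would otherwise slip past an extension-only filter; the administrator still gets the original bytes in the quarantine folder for review, exactly as the rule intends.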
Alternatively, you can refuse emails with attachments altogether.