Problem:

The hiring department occasionally sends me Word documents asking to clear the file as "safe" to open and review for purposes like resumes etc.; they can come from anywhere and are often unsolicited job applications.

Based on the cornucopia of Word exploits out there and my relative inexperience I get a slight "nnngg" feeling every time I save one to my on-network machine to "check". I feel like I will be held responsible if I say something is safe, but realize pros commonly use free and paid malware scanners to make sure their exploits will pass scans. Before I took the role of "toothless cybersecurity champion" they essentially opened everything and hoped the MSP caught/stopped the bad stuff.

My "checking":

  1. Save file as to desktop from Outlook.
  2. Upload file usually to Virustotal and Jotti's Malware Scan
  3. Scan with the local endpoint scanner.
  4. If all scans negative: tell them to view the document but never click "Enable Editing, Enable Macros etc." (So far I can only assume they follow this advice but have no method of confirming).
    Yes, I realize this scanning could probably just be done by the receivers at this point, but this would only apply to documents of a non-sensitive nature, since I'm already disclosing them to VT and Jotti's.

My improvement ideas:

  • Don't accept unsolicited Word docs (hard to enforce with high business impact, was actually laughed at for this).
  • Make a VM/off-network machine and send/open everything there first and monitor/binwalk (high time commitment with questionable success).

Question:

Are there any other obvious (to someone with more experience) ways I could improve my sheep dipping process?

  • You could side-step the problem by saying you only accept applications via PDF, then use an up-to-date PDF reader. –  Mar 03 '21 at 17:34
  • OP already tried that, people laughed it out of the room... – ThoriumBR Mar 04 '21 at 00:15
  • "Upload file usually to Virustotal and Jotti's Malware Scan". Be careful about the privacy implications of doing that, as content uploaded to VT servers becomes downloadable by others. – Mark Riddell Mar 09 '21 at 16:59

1 Answer

You could convert it using Linux, or FreeBSD, and OpenOffice.

Install a VM with Linux or FreeBSD, or any OS that isn't Windows and has an OpenOffice release. Share a folder between the VM and the host, and save the file there.

On the VM, open the file in OpenOffice, and save it in a different format. RTF is a good option because it is open, can be opened by a lot of editors, and both MS Word and OpenOffice can work with it, and it will strip all macros and active content from the original document.

If the file doesn't need to be sent back in an editable format, you can use the Print to PDF function to generate a PDF file and send it back to the user.

ThoriumBR
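As an added example (not part of ThoriumBR's answer), a Python script that lists the macro, embedded-object and ActiveX parts inside an OOXML (.docx/.docm) package, so the document can be checked before and after the re-save described above. It assumes LibreOffice's `soffice --headless --convert-to` command line is available inside the VM (LibreOffice rather than OpenOffice); the sample documents it builds are constructed placeholders.

```python
import re
import subprocess
import zipfile

# Zip members whose presence means the OOXML package carries code or embedded objects.
SUSPECT_MEMBERS = re.compile(
    r"^word/(vbaProject\.bin|vbaData\.xml|embeddings/.+|activeX/.+)$", re.IGNORECASE
)


def active_content(docx_path):
    """Return a sorted list of indicators of macros, OLE embeddings or ActiveX
    controls found in the package. An empty list means none were found."""
    with zipfile.ZipFile(docx_path) as zf:
        hits = [n for n in zf.namelist() if SUSPECT_MEMBERS.match(n)]
        # Word also advertises a VBA project in the part inventory; check it as well,
        # since a renamed .docm keeps that entry even if the extension says .docx.
        types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if "vnd.ms-office.vbaProject" in types:
            hits.append("[Content_Types].xml:vbaProject")
    return sorted(hits)


def convert_headless(src, fmt="rtf", outdir="converted"):
    """Re-save the document in a format that drops macros, using LibreOffice's
    headless converter (assumption: LibreOffice is installed in the VM)."""
    return subprocess.run(
        ["soffice", "--headless", "--convert-to", fmt, "--outdir", outdir, str(src)],
        check=True, capture_output=True, text=True,
    )


def build_sample(path, with_macro):
    """Write a constructed, minimal OOXML package for demonstration only."""
    types = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
             'package/2006/content-types"><Default Extension="xml" ContentType="application/xml"/>')
    if with_macro:
        types += ('<Override PartName="/word/vbaProject.bin" '
                  'ContentType="application/vnd.ms-office.vbaProject"/>')
    types += "</Types>"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("[Content_Types].xml", types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, not a real VBA project")
    return path


if __name__ == "__main__":
    for name, macro in (("clean_sample.docx", False), ("macro_sample.docx", True)):
        build_sample(name, macro)
        print(name, active_content(name) or "no active content found")
```

Run `active_content` on the original and on the converted copy; the converted RTF or PDF is not a zip, so this check only applies to the OOXML input and confirms what the conversion is meant to remove.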