Over the last 8-10 days we've started seeing false-positive reports from FSRM because *.docm has been added to the filter list.
This is the Word macro-enabled document type - it's a vulnerable document type (no question), but Word provides other (policy-led) measures to control/limit that vulnerability.
Inclusion has led to false positives which undermine confidence in the notifications from the list. This, in turn, could weaken engineer resolve to check each one properly.
This 'feels' like a step beyond the objective of the filter list. *.docm files can be routinely generated/used by authorised users, whereas previously filter items have been targeted at being specific indicators of ransomware/malware.
Any chance you can change *.docm to something more specific?
While I'm here, thanks for maintaining this tool. It's invaluable.
Thanks Matthew
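For anyone hitting the same false positives while waiting for the list to change, the following is an added example (not code from the issue, the reporter, or the list maintainer) of two ways to keep FSRM screening in place without alerting on every legitimate *.docm. It assumes the FileServerResourceManager PowerShell module is installed and that the file group name and share path are placeholders to be replaced with your own values. Option 1 drops the *.docm pattern from the file group that the list populates; Option 2 keeps the pattern but exempts only *.docm files under one folder where authorised users are known to produce them, so the rest of the list still fires everywhere.

```powershell
# Added example, not from the original issue. Placeholders marked below.
Import-Module FileServerResourceManager

$groupName    = 'Anti-Ransomware File Groups'      # placeholder: name of the FSRM file group fed by the list
$trustedShare = 'D:\Shares\Finance\Templates'      # placeholder: folder where *.docm is legitimately produced
$exceptGroup  = 'Authorised macro-enabled Word'    # assumed name for a small exception group

# Option 1: remove *.docm from the include patterns of the screening group.
# Set-FsrmFileGroup replaces the whole pattern list, so rebuild it without *.docm.
$group    = Get-FsrmFileGroup -Name $groupName
$patterns = @($group.IncludePattern | Where-Object { $_ -ne '*.docm' })
if ($patterns.Count -lt @($group.IncludePattern).Count) {
    Set-FsrmFileGroup -Name $groupName -IncludePattern $patterns
    Write-Output "Removed *.docm from file group '$groupName'"
} else {
    Write-Output "*.docm was not present in '$groupName'; nothing changed"
}

# Option 2: keep *.docm in the main list, but exempt it under one authorised path.
# A file screen exception lifts screening for files matching the named groups
# within that folder (and its subfolders); using a dedicated one-pattern group
# means only *.docm is exempted there, not every extension on the list.
if (-not (Get-FsrmFileGroup -Name $exceptGroup -ErrorAction SilentlyContinue)) {
    New-FsrmFileGroup -Name $exceptGroup -IncludePattern '*.docm' | Out-Null
}
if (-not (Get-FsrmFileScreenException -Path $trustedShare -ErrorAction SilentlyContinue)) {
    New-FsrmFileScreenException -Path $trustedShare -IncludeGroup $exceptGroup | Out-Null
    Write-Output "Exempted *.docm under '$trustedShare'"
}
```

Option 2 is the narrower change and is usually preferable: a macro-enabled document appearing in a share where nobody normally creates them is still worth an alert, which is the kind of specific indicator the reporter describes. Whichever option is used, the Office-side controls the post refers to (the Group Policy "Block macros from running in Office files from the Internet" and the macro notification settings) remain the control that actually limits what a *.docm can do when opened; FSRM only governs whether the file can be written to the share.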