
CSCvd65801 - MSO Files detected as executable - 1

Dear Cisco Team,

 

Bug CSCvd65801 has been open since 18/09/2017. When can we expect a fix for it? Additionally, we are running the latest AsyncOS version (11.1.0-128) and are still facing the issue. I believe the "Known Affected Releases" field needs to be adjusted.

 

Best regards,

 


jtsai8585
Level 1

Can Cisco TAC post an official complete message filter in the bug as a fix for stripping the .MSO attachment if EXE was detected, as proposed in this thread?

 

 

Version 12, same problem over here...

I think Cisco's post using a content filter to remove .mso is the best solution as of now.

 

This is not a real solution.

 

It blocks encrypted .zip.

Block executable (searches .zip & 7z for executables).

When I customize my filter:

 

(?i)\.(exe|scr|ace|apk|app|bat|cmd|com|command|cpl|csh|dll|exe|gadget|hta|inf1|ins|inx|ipa|isu|java|job|jse|ksh|lnk|mrc|msc|msi|msp|mst|osx|out|paf|pif|prg|ps1|py|reg|rgs|run|scr|sis|sct|shb|shs|u3p|vb|vbe|vbs|vbscript|workflow|ws|wsf|7z|rar|7zip|cpl|js|cab|jsp|class|zip)

 

or

 

attachment-filename == "\\.(exe|scr|ace|apk|app|bat|cmd|com|command|cpl|csh|dll|exe|gadget|hta|inf1|ins|inx|ipa|isu|java|job|jse|ksh|lnk|mrc|msc|msi|msp|mst|osx|out|paf|pif|prg|ps1|py|reg|rgs|run|scr|sis|sct|shb|shs|u3p|vb|vbe|vbs|vbscript|workflow|ws|wsf|7z|rar|7zip|cpl|js|cab|jsp|class|zip)$"

 

It blocks zip completely... but I want to block executables, and I want .zip and 7z to be scanned for executables.

How can I do this?
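
The last post asks for executables to be blocked while .zip attachments are inspected for executables instead of being rejected by name. The decision logic is sketched below as an added Python illustration; it is not AsyncOS filter syntax and not code from this thread. `classify`, `make_zip`, `MAX_NESTED` and the verdict names are hypothetical, the extension list is a subset of the one posted, and only zip is unpacked (7z would need a separate parser).

```python
import io
import re
import zipfile

# Subset of the extension list from the post. Archive types (zip, 7z, rar, cab)
# are left out so an archive is judged by its members, not by its own name.
EXEC_RE = re.compile(r"(?i)\.(exe|scr|bat|cmd|com|cpl|dll|hta|js|jse|lnk|msi|pif|ps1|vbs|wsf)$")
ZIP_RE = re.compile(r"(?i)\.zip$")
MAX_NESTED = 10 * 1024 * 1024  # assumed size cap for unpacking a nested archive

def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def classify(filename, data, depth=0, max_depth=2):
    """Return 'block', 'encrypted' or 'allow' for one attachment."""
    if EXEC_RE.search(filename):
        return "block"
    if not ZIP_RE.search(filename):
        return "allow"
    if depth >= max_depth:
        return "block"                      # too deeply nested to inspect: fail closed
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block"                      # named .zip but not parseable
    verdict = "allow"
    with zf:
        for info in zf.infolist():
            if EXEC_RE.search(info.filename):
                return "block"              # executable member name
            if info.flag_bits & 0x1:        # bit 0 set: member content is encrypted
                verdict = "encrypted"
            elif ZIP_RE.search(info.filename):
                if info.file_size > MAX_NESTED:
                    return "block"          # refuse to unpack oversized nested archives
                inner = classify(info.filename, zf.read(info), depth + 1, max_depth)
                if inner == "block":
                    return "block"
                verdict = inner if inner == "encrypted" else verdict
    return verdict

if __name__ == "__main__":
    print(classify("report.zip", make_zip({"notes.txt": b"hello"})))   # allow
    print(classify("invoice.zip", make_zip({"invoice.exe": b"MZ"})))   # block
```

The separate `encrypted` verdict keeps "cannot be inspected" distinct from "contains an executable", so encrypted archives can be given their own policy action.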