Attachments blocking

Pravar
Level 1

Hi, we have a list of attachments blocked with the following message filter. However, we would like to add a big list of attachments to the existing one.

Is there any best practice or recommended practice to block such a big list of attachments? Any help would be appreciated.

drop_malicious_attachment: if (recv-listener == "InternetMail") AND
(attachment-filename ==
"\\.(386|exe|ad|ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shb|shs|url|vb|vbe|vbs|vss|vst|vsw|ws|wsc|wsf|wsh)$") {
drop();
}

4 Replies

Libin Varghese
Cisco Employee

Hi,

The only alternative would be to use a dictionary to maintain the list of the file extensions.

The condition could then be modified to:

drop_malicious_attachment: if (recv-listener == "InternetMail") AND (attachment-filename-dictionary-match("Dictionary_Name"))
{
quarantine("Policy");
}


Dictionaries can be created from Mail Policies -> Dictionaries, and they accept regex as well. I would recommend using the quarantine action instead of drop for testing out the filter.

There would not be much variation in the processing load of the filter; however, it would make it easier to remove and add file extensions without having to modify the message filter each time.

Thank You!
Libin Varghese
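As an added example (not code from this thread, from Cisco, or from the appliance itself), a small Python helper that turns a maintained extension list into the attachment-filename rule shown above: it deduplicates and escapes the entries, renders the rule in the filter syntax used on this page, and lets you check which filenames would match before enabling it. The extension list is constructed; the `matches` check assumes the appliance's regex engine treats this pattern the way Python's `re` does.

```python
import re

# Constructed sample list standing in for the extension dictionary kept on the
# appliance (not the poster's full list); "exe" appears twice on purpose so the
# generator has a duplicate to remove.
BLOCKED_EXTENSIONS = [
    "386", "exe", "ad", "ade", "adp", "asp", "bas", "bat", "chm", "cmd", "com",
    "cpl", "crt", "exe", "hlp", "hta", "inf", "ins", "isp", "js", "jse", "lnk",
    "mdb", "mde", "msc", "msi", "msp", "mst", "pcd", "pif", "reg", "scr", "sct",
    "shb", "shs", "url", "vb", "vbe", "vbs", "vss", "vst", "vsw", "ws", "wsc",
    "wsf", "wsh",
]

def build_extension_regex(extensions):
    """Build the anchored alternation for attachment-filename: entries are
    trimmed, stripped of a leading dot, lower-cased, regex-escaped, deduplicated
    and sorted so the rule is stable when the list is regenerated."""
    seen = set()
    for ext in extensions:
        ext = ext.strip().lstrip(".").lower()
        if ext:
            seen.add(re.escape(ext))
    return r"\.(" + "|".join(sorted(seen)) + ")$"

def render_message_filter(name, listener, extensions, action='quarantine("Policy")'):
    """Render the rule in the message-filter syntax shown on the page; the
    backslash is doubled because it sits inside a double-quoted filter string."""
    regex = build_extension_regex(extensions).replace("\\", "\\\\")
    return (
        f'{name}: if (recv-listener == "{listener}") AND\n'
        f'(attachment-filename == "{regex}") {{\n'
        f"    {action};\n"
        "}"
    )

def matches(filename, extensions, case_insensitive=True):
    """Check a filename against the generated rule. Assumption (mine): the
    appliance's regex engine treats this pattern the way Python's re does."""
    flags = re.IGNORECASE if case_insensitive else 0
    return re.search(build_extension_regex(extensions), filename, flags) is not None

if __name__ == "__main__":
    print(render_message_filter("drop_malicious_attachment", "InternetMail",
                                BLOCKED_EXTENSIONS))
    # The $ anchor means only the final extension counts: invoice.pdf.exe hits,
    # readme.exe.txt does not, and archive.zip is untouched because zip is not listed.
    for name in ("invoice.pdf.exe", "readme.exe.txt", "setup.EXE", "archive.zip"):
        print(f"{name:16} -> {matches(name, BLOCKED_EXTENSIONS)}")
```

Note that the trailing `$` only inspects the last extension, so a listed type hidden inside an archive is not caught by this rule; that is a separate policy decision.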

Thanks. However, I noticed another thread on the same topic that suggests going for filters with the list of attachment types directly.

https://supportforums.cisco.com/discussion/13041331/esa-not-stripping-attachments-based-custom-dictionary

Something that you would need to test to see what works best for you.

No best practices as such. 

- Libin V

That is right. I have already enabled it with quarantine to see the effectiveness. Thanks for your guidance.