Attachments blocking

Hi, we have a list of attachments blocked with the following message filter. However, we would like to add a big list of attachments to the existing one.

Is there any best practice or recommended practice for blocking such a big list of attachments? Any help would be appreciated.

drop_malicious_attachment: if (recv-listener == "InternetMail") AND
    (attachment-filename ==
    "\\.(386|exe|ad|ade|adp|asp|bas|bat|chm|cmd|com|cpl|crt|hlp|hta|inf|ins|isp|js|jse|lnk|mdb|mde|msc|msi|msp|mst|pcd|pif|reg|scr|sct|shb|shs|url|vb|vbe|vbs|vss|vst|vsw|ws|wsc|wsf|wsh)$") {
    drop();
}

Cisco Employee

Hi,

The only alternative would be to use a dictionary to maintain the list of file extensions.

The condition could then be modified to:

drop_malicious_attachment: if (recv-listener == "InternetMail") AND
    (attachment-filename-dictionary-match("Dictionary_Name")) {
    quarantine("Policy");
}

Dictionaries can be created from Mail Policies -> Dictionaries, and they accept regex as well. I would recommend using the quarantine action instead of drop for testing out the filter.

There would not be much variation in the processing load of the filter; however, it would make it easier to remove and add file extensions without having to modify the message filter each time.

Thank You!
Libin Varghese
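Both approaches in this thread, one combined regex inside the message filter or one term per extension in a dictionary, start from the same extension list, so the practical problem is generating either form from a maintained list instead of hand-editing a long alternation. The Python script below is an added example, not code from the thread or from Cisco: it normalises and de-duplicates a list (the posted filter repeats `exe`), builds the anchored regex, writes it in the double-quoted, backslash-doubled form the posted filter uses, emits the equivalent dictionary terms, and checks constructed sample filenames against the pattern. It assumes that the appliance's regex engine treats `(?i)`, `\.` and `$` the way Python's `re` does, that `drop()` and `quarantine("Policy")` are valid actions (both appear in the thread), and that a dictionary accepts one regex term per line. One thing the check surfaces under that assumption: a lower-case alternation without `(?i)` is case-sensitive, so a file named `MALWARE.EXE` would slip past the posted pattern.

```python
import re

# Constructed input: the extension list from the filter posted above, with its
# duplicated "exe" left in so the de-duplication is visible.
POSTED_EXTENSIONS = """386 exe ad ade adp asp bas bat chm cmd com cpl crt exe hlp hta inf ins isp
js jse lnk mdb mde msc msi msp mst pcd pif reg scr sct shb shs url vb vbe vbs vss
vst vsw ws wsc wsf wsh""".split()


def normalise(exts):
    """Lower-case, strip whitespace and leading dots, drop empties, de-duplicate, sort."""
    return sorted({e.strip().lstrip(".").lower() for e in exts if e.strip().lstrip(".")})


def build_attachment_regex(exts, case_insensitive=True):
    """Python-syntax regex: a literal dot, one listed extension, end of filename.

    The $ anchor keeps 'js' from matching 'report.json'; (?i) is what makes
    'MALWARE.EXE' match, since a bare lower-case alternation is case-sensitive.
    """
    alternation = "|".join(re.escape(e) for e in normalise(exts))
    prefix = "(?i)" if case_insensitive else ""
    return f"{prefix}\\.({alternation})$"


def matches(regex, filename):
    """True if an attachment with this filename would be caught by the regex."""
    return re.search(regex, filename) is not None


def to_filter_string(regex):
    """Quote the regex the way the posted filter does: backslashes doubled inside "..."."""
    return '"' + regex.replace("\\", "\\\\") + '"'


def render_message_filter(name, listener, exts, action='quarantine("Policy")'):
    """Emit a complete message filter in the shape of the one posted above.

    Assumed: the action string is valid filter syntax (the thread uses drop()
    and quarantine("Policy")).
    """
    pattern = to_filter_string(build_attachment_regex(exts))
    return (
        f'{name}: if (recv-listener == "{listener}") AND\n'
        f"    (attachment-filename == {pattern}) {{\n"
        f"    {action};\n"
        "}"
    )


def render_dictionary_terms(exts):
    """One regex term per extension, for pasting into a dictionary.

    Assumed: the dictionary takes one regex per line and is evaluated with
    attachment-filename-dictionary-match, as the reply above describes.
    """
    return [f"(?i)\\.{re.escape(e)}$" for e in normalise(exts)]


if __name__ == "__main__":
    print(render_message_filter("drop_malicious_attachment", "InternetMail", POSTED_EXTENSIONS))
    rx = build_attachment_regex(POSTED_EXTENSIONS)
    # Constructed sample filenames, including a double extension and an upper-case one.
    for name in ("invoice.pdf.exe", "MALWARE.EXE", "report.json", "notes.txt"):
        print(f"{name:>16}: {'caught' if matches(rx, name) else 'passes'}")
    print("\n".join(render_dictionary_terms(["exe", "js"])))
```

Keeping the extension list in a plain text file and regenerating the filter or dictionary from it means the regex is never edited by hand, and the local match check gives a quick regression test before the filter is committed on the appliance; the quarantine action recommended above then confirms the behaviour on real mail.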

Thanks. However, I noticed another thread on the same topic that suggests going for filters with the list of attachment types directly.

https://supportforums.cisco.com/discussion/13041331/esa-not-stripping-attachments-based-custom-dictionary

Something that you would need to test to see what works best for you.

No best practices as such. 

- Libin V

That is right. I have already enabled it with quarantine to see the effectiveness. Thanks for your guidance.