06-21-2018 01:30 AM - edited 03-08-2019 07:38 PM
Hi,
We are implementing the attachment file block on Ironport, and we have now created this filter that should perform a block by extension. We tested that it works on filenames and on nested (zipped) content.
Do you think there are better ways to implement it? We know it would be better to block by true file type, but some are tricky because .reg files are just text files, and if we block the MIME type we risk preventing good documents from coming in.
The current filter we introduced is:
attachment-filter: if (recv-listener == 'incoming'){
drop-attachments-by-name ('(?i)\\.(vsmacros|msh2xml|msh1xml|ps2xml|ps1xml|mshxml|gadget|mhtml|psc2|psc1|msh2|msh1|aspx|xml|wsh|wsf|wsc|vsw|vst|vss|vbs|vbe|vbp|url|tmp|shs|shb|sct|scr|scf|reg|pst|ps2|ps1|prg|prf|plg|pif|pcd|osd|ops|mst|msp|msi|msh|msc|mht|mdz|mdw|mdt|mde|mdb|mda|maw|mav|mau|mat|mas|mar|maq|mam|mag|maf|mad|lnk|ksh|jse|its|isp|ins|inf|htc|hta|hpj|hlp|fxp|exe|der|csh|crt|cpl|com|cnt|cmd|chm|cer|bat|bas|asx|asp|app|adp|ade|ws|vb|js|cab)$', 'The dropped file is \"$dropped_filename\"');
}
Do you think content filters or message filters are better?
Thank you
06-21-2018 02:46 PM
Message filters are going to be more efficient since they are earlier up in the processing pipeline, but content filters are easier to manage. I think a good mix of both is fine, but it would ultimately just depend on your preference. There's also a lot more extended logic you can use within message filters, whereas a content filter is simply /AND/ or /OR/ conditions.
I would recommend blocking by type as well since an extension can just be changed. You can always set the filter to just notify instead of block at first for testing, so that way you can see what the potential impact may be. You can also set it up to quarantine and notify the sender and/or recipient, so you can still have the ability to release if legit.
Thanks!
-Dennis M.
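To illustrate the two points raised in this thread (the extension regex from the original filter applied to nested zip content, and Dennis's advice to also block by true file type because an extension can simply be renamed), here is an added Python example. It is not Cisco ESA code and not the poster's filter; the magic-byte table, the sample zip and the recursion depth limit are my own assumptions, written to show why a type check catches what a name check misses.

```python
import io
import re
import zipfile

# Extension list copied from the filter posted in the thread
BLOCKED_EXT_RE = re.compile(
    r'(?i)\.(vsmacros|msh2xml|msh1xml|ps2xml|ps1xml|mshxml|gadget|mhtml|psc2|psc1|'
    r'msh2|msh1|aspx|xml|wsh|wsf|wsc|vsw|vst|vss|vbs|vbe|vbp|url|tmp|shs|shb|sct|'
    r'scr|scf|reg|pst|ps2|ps1|prg|prf|plg|pif|pcd|osd|ops|mst|msp|msi|msh|msc|mht|'
    r'mdz|mdw|mdt|mde|mdb|mda|maw|mav|mau|mat|mas|mar|maq|mam|mag|maf|mad|lnk|ksh|'
    r'jse|its|isp|ins|inf|htc|hta|hpj|hlp|fxp|exe|der|csh|crt|cpl|com|cnt|cmd|chm|'
    r'cer|bat|bas|asx|asp|app|adp|ade|ws|vb|js|cab)$'
)

# Assumption: a small illustrative magic-byte table standing in for the
# appliance's own "attachment-filetype" detection. Only binary executables
# are listed; a .reg file is plain text and has no reliable magic, which is
# exactly why the thread keeps an extension rule for it.
MAGIC = {
    b'MZ': 'Executable',       # Windows PE / DOS executable
    b'\x7fELF': 'Executable',  # Linux ELF binary
}

MAX_NESTING = 3  # assumption: how deep to unpack zip-in-zip


def sniff_type(data):
    """Return a coarse type name from leading bytes, or None if unknown."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None


def blocked_by_name(name):
    """True if the filename's extension is on the block list."""
    return BLOCKED_EXT_RE.search(name) is not None


def scan_attachment(name, data, depth=0):
    """Return a list of (path, reason) findings, recursing into zip archives.

    Both checks run independently so a renamed executable (e.g. invoice.txt
    that starts with MZ) is still reported, and a .js inside a zip is
    reported by name even though it has no magic bytes.
    """
    findings = []
    if blocked_by_name(name):
        findings.append((name, 'extension'))
    if sniff_type(data) == 'Executable':
        findings.append((name, 'filetype:Executable'))
    if depth < MAX_NESTING and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                inner = zf.read(info)
                findings.extend(
                    scan_attachment(f'{name}/{info.filename}', inner, depth + 1))
    return findings


def decide(findings, mode='drop'):
    """Map findings to an action. 'notify' mirrors the testing approach in the
    thread: log what would have been blocked without dropping the message."""
    if not findings:
        return 'deliver'
    return 'drop' if mode == 'drop' else 'notify'


def build_sample_zip():
    """Constructed sample: a harmless text file, a blocked-by-name script and
    an executable header renamed to .txt, all inside one archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('readme.txt', 'constructed sample text')
        zf.writestr('update.js', '// constructed sample script')
        zf.writestr('invoice.txt', b'MZ' + b'\x00' * 64)  # renamed executable
    return buf.getvalue()


if __name__ == '__main__':
    for path, reason in scan_attachment('docs.zip', build_sample_zip()):
        print(f'{path}: {reason}')
    print(decide(scan_attachment('docs.zip', build_sample_zip()), mode='notify'))
```

Running the sample reports update.js by extension and invoice.txt by file type; readme.txt and the outer docs.zip are untouched. The `decide()` helper shows the notify-first rollout Dennis suggests: switch `mode` to `'drop'` once the log output looks acceptable.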
04-16-2019 03:58 AM
The example we started with was the following filter:
GUI_Trap_AllEXE: if (attachment-filetype == "Executable") OR (attachment-filename == "(?i)\\.(ADE|ADP|APP|ASP|BAS|BAT|CER|CHM|CMD|COM|CPL|CRT|CSH|DER|DOTM|DOT|EXE|FXP|GADGET|HLP|HTA|INF|INS|ISP|ITS|JJ|JS|JAR|JSE|KSH|LNK|MAD|MAF|MAG|MAM|MAQ|MAR|MAS|MAT|MAU|MAV|MAW|MDA|MDB|MDE|MDT|MDW|MDZ|MSC|MSH|MSH1|MSH2|MSHXML|MSH1XML|MSH2XML|MSI|MSP|MST|OPS|PCD|PIF|PLG|PRG|PST|REG|SCF|SCR|SCT|SHB|SHS|PS1|PS1XML|PS2|PS2XML|PSC1|PSC2|TMP|URL|VB|VBE|VBS|VSMACROS|VSW|WS|WSC|WSF|WSH|XML|XLSM|XLTM|XLA|XNK|7Z)") { log-entry("GUI_Trap_AllEXE"); quarantine("TrapExecutables"); }
Then we added additional filters for special cases like REG files or ICAL files.
I hope this helps.