Cisco Secure Email Support Community

EUR
Beginner

block attachment by extension

Hi,

 

We are implementing attachment-file blocking on IronPort; we have now created this filter, which should block by extension. We tested that it works on filenames and on nested (zipped) content.

Do you think there are better ways to implement it? We know it would be better to block by true file type, but some are tricky: .reg files are just text files, and if we block the MIME type we risk preventing good documents from coming in.

 

The current filter we introduced is:

attachment-filter: if (recv-listener == 'incoming'){
    drop-attachments-by-name ('(?i)\\.(vsmacros|msh2xml|msh1xml|ps2xml|ps1xml|mshxml|gadget|mhtml|psc2|psc1|msh2|msh1|aspx|xml|wsh|wsf|wsc|vsw|vst|vss|vbs|vbe|vbp|url|tmp|shs|shb|sct|scr|scf|reg|pst|ps2|ps1|prg|prf|plg|pif|pcd|osd|ops|mst|msp|msi|msh|msc|mht|mdz|mdw|mdt|mde|mdb|mda|maw|mav|mau|mat|mas|mar|maq|mam|mag|maf|mad|lnk|ksh|jse|its|isp|ins|inf|htc|hta|hpj|hlp|fxp|exe|der|csh|crt|cpl|com|cnt|cmd|chm|cer|bat|bas|asx|asp|app|adp|ade|ws|vb|js|cab)$', 'The dropped file is \"$dropped_filename\"');
}

 

Do you think content filters or message filters are better for this?

 

Thank you

1 ACCEPTED SOLUTION
dmccabej
Cisco Employee

Message filters are going to be more efficient since they are earlier up in the processing pipeline, but content filters are easier to manage. I think a good mix of both is fine, but it would ultimately just depend on your preference. There's also a lot more extended logic you can use within message filters, whereas a content filter is simply /AND/ or /OR/ conditions. 

 

I would recommend blocking by type as well since an extension can just be changed. You can always set the filter to just notify instead of block at first for testing, so that way you can see what the potential impact may be. You can also set it up to quarantine and notify the sender and/or recipient, so you can still have the ability to release if legit. 

 

Thanks!

-Dennis M.

 

 


2 REPLIES

marc.luescherFRE
Enthusiast

The example we started with was the following filter:

 

GUI_Trap_AllEXE: if (attachment-filetype == "Executable") OR (attachment-filename == "(?i)\\.(ADE|ADP|APP|ASP|BAS|BAT|CER|CHM|CMD|COM|CPL|CRT|CSH|DER|DOTM|DOT|EXE|FXP|GADGET|HLP|HTA|INF|INS|ISP|ITS|JJ|JS|JAR|JSE|KSH|LNK|MAD|MAF|MAG|MAM|MAQ|MAR|MAS|MAT|MAU|MAV|MAW|MDA|MDB|MDE|MDT|MDW|MDZ|MSC|MSH|MSH1|MSH2|MSHXML|MSH1XML|MSH2XML|MSI|MSP|MST|OPS|PCD|PIF|PLG|PRG|PST|REG|SCF|SCR|SCT|SHB|SHS|PS1|PS1XML|PS2|PS2XML|PSC1|PSC2|TMP|URL|VB|VBE|VBS|VSMACROS|VSW|WS|WSC|WSF|WSH|XML|XLSM|XLTM|XLA|XNK|7Z)") { log-entry("GUI_Trap_AllEXE"); quarantine("TrapExecutables"); }

 

Then we added additional filters for special cases like REG files or ICAL files.

 

I hope this helps.
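As an added illustration (not from the thread, and not Cisco's code), the Python below applies shortened stand-ins for the two regexes in this thread to a few constructed attachment names, and adds a constructed three-entry magic-number table in place of the appliance's real file-type detection. It shows why Dennis's advice to block by type as well matters: the OP's anchored pattern misses a double extension like setup.exe.txt, the unanchored GUI_Trap_AllEXE pattern catches it by name, and neither pattern catches an executable renamed to .pdf. The patterns are written as plain Python regexes (single backslash), and the extension lists are deliberately short.

```python
import re

# Constructed, shortened versions of the two extension lists from the thread
# (illustration only, not the full production lists). Written as Python regexes;
# the thread's filters write the dot as '\\.' inside the filter string.
OP_PATTERN = r'(?i)\.(exe|bat|reg|vbs|js|cab)$'   # anchored with $, like the OP's filter
TRAP_PATTERN = r'(?i)\.(EXE|BAT|REG|VBS|JS|7Z)'   # unanchored, like GUI_Trap_AllEXE

def name_blocked(filename, pattern):
    """Extension test, as drop-attachments-by-name / attachment-filename apply it."""
    return re.search(pattern, filename) is not None

# Constructed magic-number table standing in for the appliance's file-type detection
# (assumption: the real detection is far broader than these three signatures).
MAGIC = {b'MZ': 'Executable', b'PK\x03\x04': 'Archive', b'%PDF': 'PDF'}

def true_type(data):
    """Return the file type implied by the leading bytes, ignoring the filename."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return 'Unknown'

def verdict(filename, data, pattern):
    """Reason an attachment is blocked ('extension' or 'filetype'), or None if allowed.
    Mirrors the OR of the filetype and filename conditions in GUI_Trap_AllEXE."""
    if name_blocked(filename, pattern):
        return 'extension'
    if true_type(data) == 'Executable':
        return 'filetype'
    return None

# Constructed sample attachments: (name, leading bytes of the content).
SAMPLES = [
    ('report.pdf', b'%PDF-1.4 ...'),            # legitimate document
    ('settings.reg', b'Windows Registry...'),   # plain text, only catchable by name
    ('invoice.EXE', b'MZ\x90\x00'),             # executable, caught by either check
    ('setup.exe.txt', b'MZ\x90\x00'),           # double extension defeats the $ anchor
    ('quarterly.pdf', b'MZ\x90\x00'),           # renamed executable, caught only by type
]

def compare():
    """Map each sample name to (verdict with OP_PATTERN, verdict with TRAP_PATTERN)."""
    return {name: (verdict(name, data, OP_PATTERN), verdict(name, data, TRAP_PATTERN))
            for name, data in SAMPLES}

if __name__ == '__main__':
    for name, (anchored, unanchored) in compare().items():
        print(f'{name:15} anchored={str(anchored):10} unanchored={unanchored}')
```

Dropping the `$` anchor is what lets the second pattern catch double extensions, at the cost of also matching any name that merely contains a listed extension, which is the over-blocking trade-off the thread describes.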