block attachment by extension

EUR
Level 1

Hi,

 

We are implementing attachment file blocking on IronPort; we have now created this filter, which should block by extension. We tested that it works on filenames and on nested (zipped) content.

 

Do you think there are better ways to implement it? We know it would be better to block by true file type, but some are tricky because .reg files are just text files, and if we block the MIME type we risk preventing good documents from coming in.

 

The current filter we introduced is:

 

attachment-filter: if (recv-listener == 'incoming') {
    drop-attachments-by-name ('(?i)\\.(vsmacros|msh2xml|msh1xml|ps2xml|ps1xml|mshxml|gadget|mhtml|psc2|psc1|msh2|msh1|aspx|xml|wsh|wsf|wsc|vsw|vst|vss|vbs|vbe|vbp|url|tmp|shs|shb|sct|scr|scf|reg|pst|ps2|ps1|prg|prf|plg|pif|pcd|osd|ops|mst|msp|msi|msh|msc|mht|mdz|mdw|mdt|mde|mdb|mda|maw|mav|mau|mat|mas|mar|maq|mam|mag|maf|mad|lnk|ksh|jse|its|isp|ins|inf|htc|hta|hpj|hlp|fxp|exe|der|csh|crt|cpl|com|cnt|cmd|chm|cer|bat|bas|asx|asp|app|adp|ade|ws|vb|js|cab)$', 'The dropped file is \"$dropped_filename\"');
}
.

 

Do you think content filters or message filters are better for this?

 

Thank you

Accepted Solution

dmccabej
Cisco Employee

Message filters are going to be more efficient since they are earlier up in the processing pipeline, but content filters are easier to manage. I think a good mix of both is fine, but it would ultimately just depend on your preference. There's also a lot more extended logic you can use within message filters, whereas a content filter is simply /AND/ or /OR/ conditions. 

 

I would recommend blocking by type as well since an extension can just be changed. You can always set the filter to just notify instead of block at first for testing, so that way you can see what the potential impact may be. You can also set it up to quarantine and notify the sender and/or recipient, so you can still have the ability to release if legit. 

 

Thanks!

-Dennis M.

2 Replies

marc.luescherFRE
Spotlight

The example we started with was the following filter:

 

GUI_Trap_AllEXE: if ((attachment-filetype == "Executable") OR (attachment-filename == "(?i)\\.(ADE|ADP|APP|ASP|BAS|BAT|CER|CHM|CMD|COM|CPL|CRT|CSH|DER|DOTM|DOT|EXE|FXP|GADGET|HLP|HTA|INF|INS|ISP|ITS|JJ|JS|JAR|JSE|KSH|LNK|MAD|MAF|MAG|MAM|MAQ|MAR|MAS|MAT|MAU|MAV|MAW|MDA|MDB|MDE|MDT|MDW|MDZ|MSC|MSH|MSH1|MSH2|MSHXML|MSH1XML|MSH2XML|MSI|MSP|MST|OPS|PCD|PIF|PLG|PRG|PST|REG|SCF|SCR|SCT|SHB|SHS|PS1|PS1XML|PS2|PS2XML|PSC1|PSC2|TMP|URL|VB|VBE|VBS|VSMACROS|VSW|WS|WSC|WSF|WSH|XML|XLSM|XLTM|XLA|XNK|7Z)")) {
    log-entry("GUI_Trap_AllEXE");
    quarantine("TrapExecutables");
}

 

Then we added additional filters for special cases like REG files or ICAL files.

 

I hope this helps.
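To make the trade-offs in this thread concrete (the original poster's anchored extension regex and nested-zip handling, Dennis's point that an extension can simply be renamed so a true-file-type check is needed as well, and the combined name-or-filetype condition in the filter above), here is an added Python model of both checks. It is example code written for this page, not AsyncOS filter syntax and not code from any of the posters or from Cisco. The extension list is an illustrative subset of the lists above, the "true type" check uses the standard leading-byte signatures for PE, ELF, ZIP and registry files (an approximation of the appliance's own `attachment-filetype` classification, not a reproduction of it), and the nesting-depth and member-size caps are assumptions chosen for the example.

```python
import io
import re
import zipfile

# Extension blocklist in the same style as the filters posted in this thread.
# The list here is an illustrative subset (assumption), not either full list above.
BLOCKED_EXT_RE = re.compile(
    r"(?i)\.(exe|com|bat|cmd|scr|pif|js|jse|vbs|vbe|ps1|reg|hta|lnk|msi|cab)$"
)

# Leading-byte signatures for the "true file type" check. These are the
# standard, publicly documented magic values for each format.
MAGIC_SIGNATURES = [
    (b"MZ", "Executable"),                                        # PE / DOS executable
    (b"\x7fELF", "Executable"),                                   # ELF executable
    (b"PK\x03\x04", "Archive"),                                   # ZIP container
    (b"Windows Registry Editor Version 5.00", "RegistryScript"),  # .reg is plain text
    (b"REGEDIT4", "RegistryScript"),
]

MAX_DEPTH = 4                  # assumption: stop descending into archives nested deeper than this
MAX_MEMBER_BYTES = 5_000_000   # assumption: refuse to expand members larger than this (zip-bomb guard)


def true_file_type(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring the filename entirely."""
    for signature, kind in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return kind
    return "Unknown"


def name_is_blocked(filename: str) -> bool:
    """The extension test the thread's filters perform: case-insensitive and anchored at the end."""
    return BLOCKED_EXT_RE.search(filename) is not None


def inspect_attachment(filename: str, data: bytes, depth: int = 0) -> list:
    """Return (path, reason) findings for one attachment, descending into ZIP members.

    Both checks run independently: a renamed executable is still caught by its
    bytes, and a text-only .reg file is still caught by its name.
    """
    findings = []
    if name_is_blocked(filename):
        findings.append((filename, "blocked-extension"))

    kind = true_file_type(data)
    if kind == "Executable":
        findings.append((filename, "blocked-filetype"))

    if kind == "Archive":
        if depth >= MAX_DEPTH:
            findings.append((filename, "nesting-too-deep"))
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member_path = f"{filename}/{info.filename}"
                    if info.file_size > MAX_MEMBER_BYTES:
                        findings.append((member_path, "oversize-member"))
                        continue
                    findings.extend(inspect_attachment(member_path, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            # Unreadable or truncated archive: flag it rather than silently passing it.
            findings.append((filename, "unreadable-archive"))
    return findings


def build_zip(members: dict) -> bytes:
    """Helper: build an in-memory ZIP from {name: bytes} (used for constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def sample_findings() -> list:
    """Run both checks over a constructed sample attachment (not a real message)."""
    inner = build_zip({"run.vbs": b'MsgBox "hi"'})
    outer = build_zip({
        "invoice.pdf.EXE": b"MZ\x90\x00" + b"\x00" * 60,               # name and bytes both say executable
        "notes.txt": b"MZ\x90\x00" + b"\x00" * 60,                     # renamed executable: name looks harmless
        "settings.reg": b"Windows Registry Editor Version 5.00\r\n",   # plain text, only the name gives it away
        "readme.txt": b"just text",                                    # benign
        "inner.zip": inner,                                            # nested archive
    })
    # The outer name ends in .zip, so the anchored regex does not fire on the
    # ".xml" in the middle; the archive is opened and its members are judged.
    return inspect_attachment("report.xml.zip", outer)


if __name__ == "__main__":
    for path, reason in sample_findings():
        print(f"{reason:18} {path}")
```

Running the sample shows why the answer above recommends both conditions: `notes.txt` carries no blocked extension and is caught only by its `MZ` header, while `settings.reg` has no distinctive binary signature and is caught only by its name. The depth and size caps are the part an appliance filter does for you implicitly; a home-grown unpacker that omits them is easy to exhaust with deeply nested or highly compressible archives.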