
Block Attachments by File Type

We have a requirement where we want to block emails with the following attachment types:

.ade .cmd .eml .ins .mdb .mst .reg .url .wsf .adp .com .exe .isp .mde .pcd .scr .vb .wsh .bas .cpl .hlp .js .msc .pif .sct .vbe .bat .crt .hta .jse .msi .pl .scx .vbs .chm .dll .inf .lnk .msp .pot .shs .wsc… etc.

 

Some of these extensions are not listed in File type under content filter. Please let me know the alternate way to block the same.

1 Accepted Solution


Robert Sherwin
Cisco Employee

You will be best suited to create a message filter to scan and drop.  Similar to:

attach_drop: if (attachment-filename =='(?i)\\.(ade|cmd|eml|ins|mdb|mst|reg|url|wsf|adp|com|exe|isp|mde|pcd|scr|vb|wsh|bas|cpl|hlp|js|msc|pif|sct|vbe|bat|crt|hta|jse|msi|pl|scx|vbs|chm|dll|inf|lnk|msp|pot|shs|wsc)$'){
drop();
}

See the User Guide for full details on message filters, and examples. They may contain a better solution, and provide you full details on getting started and tweaking.

http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-6/ESA_8-5-6_User_Guide.pdf

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118145-technote-esa-00.html

-Robert

5 Replies

With the (attachment-filename) filter, it checks the entire file name instead of the extension, which created lots of false positives.

E.g., I have added "hlp" in the above filter, but it is also blocking the Word file "M09 hlp.doc", as the file name contains the hlp keyword.

Any solution on this? It should check only the file type instead of the file name.

Filename Ends With condition resolved the issue. Thanks for the Solution.
 

Hello Kishor,


I assume, as you selected 'File name ends with', that means you're using a content filter.

From the syntax Robert has given, it's for a message filter, but if copied from:

(?i)\\.(ade|cmd|eml|ins|mdb|mst|reg|url|wsf|adp|com|exe|isp|mde|pcd|scr|vb|wsh|bas|cpl|hlp|js|msc|pif|sct|vbe|bat|crt|hta|jse|msi|pl|scx|vbs|chm|dll|inf|lnk|msp|pot|shs|wsc)$

It should work as expected.

As the "$" is the regex anchor for "ends with".

If you did not add the "$" previously and left it as contains, then yes, it would look at the entire extension for a 'contains' rather than ends with.

 

I hope this clears up the query a bit more :)
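An added example, not part of the original posts: a Python check of the thread's pattern against sample file names, useful for spotting false positives before the filter goes live. It assumes Python's `re` search semantics approximate the appliance's matching; `CONTAINS` is a reconstruction of the "contains" behaviour described above, and every sample name except "M09 hlp.doc" is constructed.

```python
import re

# Extension list copied from the filter posted in the thread.
EXTENSIONS = (
    "ade|cmd|eml|ins|mdb|mst|reg|url|wsf|adp|com|exe|isp|mde|pcd|scr|vb|wsh|"
    "bas|cpl|hlp|js|msc|pif|sct|vbe|bat|crt|hta|jse|msi|pl|scx|vbs|chm|dll|"
    "inf|lnk|msp|pot|shs|wsc"
)

# The thread's pattern. The filter's "\\." is a literal dot, written r"\." here.
ENDS_WITH = re.compile(r"(?i)\.(" + EXTENSIONS + r")$")

# Assumption: a "contains" rule behaves like the bare keywords with no dot
# and no "$" anchor, which is what produced the reported false positive.
CONTAINS = re.compile(r"(?i)(" + EXTENSIONS + r")")

# Constructed sample names, plus the one reported in the thread.
SAMPLES = [
    "M09 hlp.doc",          # from the thread: keyword in the name, benign extension
    "setup.EXE",            # upper-case extension, covered by (?i)
    "invoice.pdf.js",       # only the final extension is what "$" anchors on
    "script.vbs",           # "vb" is also in the list; alternation must still reach "vbs"
    "company_report.docx",  # contains "com" but ends in .docx
    "notes.txt",
]


def classify(filenames):
    """Return {name: (contains_hit, ends_with_hit)} for each file name."""
    return {
        name: (bool(CONTAINS.search(name)), bool(ENDS_WITH.search(name)))
        for name in filenames
    }


def false_positives(filenames):
    """Names a 'contains' rule would drop but the anchored rule lets through."""
    return [n for n, (c, e) in classify(filenames).items() if c and not e]


if __name__ == "__main__":
    for name, (contains_hit, ends_hit) in classify(SAMPLES).items():
        print(f"{name!r:25} contains={contains_hit!s:5} ends_with={ends_hit}")
    print("false positives under 'contains':", false_positives(SAMPLES))
```

Running a sample of real attachment names from mail logs through `false_positives` shows how much legitimate mail an unanchored rule would have dropped.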

Hi,

Can I know how to add the syntax to ESA?


attach_drop: if (attachment-filename =='(?i)\\.(ade|cmd|eml|ins|mdb|mst|reg|url|wsf|adp|com|exe|isp|mde|pcd|scr|vb|wsh|bas|cpl|hlp|js|msc|pif|sct|vbe|bat|crt|hta|jse|msi|pl|scx|vbs|chm|dll|inf|lnk|msp|pot|shs|wsc)$'){
drop();
}