03-09-2015 03:30 AM
We have a requirement where we want to block emails with the attachment types:
.ade .cmd .eml .ins .mdb .mst .reg .url .wsf .adp .com .exe .isp .mde .pcd .scr .vb .wsh .bas .cpl .hlp .js .msc .pif .sct .vbe .bat .crt .hta .jse .msi .pl .scx .vbs .chm .dll .inf .lnk .msp .pot .shs .wsc… etc.
Some of these extensions are not listed in File type under content filter. Please let me know the alternate way to block the same.
03-09-2015 05:13 AM
You will be best suited to create a message filter to scan and drop. Similar to:
attach_drop: if (attachment-filename =='(?i)\\.(ade|cmd|eml|ins|mdb|mst|reg|url|wsf|adp|com|exe|isp|mde|pcd|scr|vb|wsh|bas|cpl|hlp|js|msc|pif|sct|vbe|bat|crt|hta|jse|msi|pl|scx|vbs|chm|dll|inf|lnk|msp|pot|shs|wsc)$'){
drop();
}
See the User Guide for full details on message filters, and examples. They may contain a better solution, and provide you full details on getting started and tweaking.
http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-6/ESA_8-5-6_User_Guide.pdf
-Robert
03-11-2015 11:50 PM
With the (attachment-filename) filter, it checks the entire file name instead of the extension, which created lots of false positives.
E.g.: I have added "hlp" in the above filter, but it is also blocking the Word file "M09 hlp.doc" as the file name contains the "hlp" keyword.
Any solution for this? It should check only the file type instead of the file name.
03-13-2015 02:04 AM
Filename Ends With condition resolved the issue. Thanks for the Solution.
03-13-2015 04:48 AM
Hello Kishor,
I assume, as you selected 'File name ends with', that means you're using a content filter.
The syntax Robert has given is for a message filter, but if copied from:
(?i)\\.(ade|cmd|eml|ins|mdb|mst|reg|url|wsf|adp|com|exe|isp|mde|pcd|scr|vb|wsh|bas|cpl|hlp|js|msc|pif|sct|vbe|bat|crt|hta|jse|msi|pl|scx|vbs|chm|dll|inf|lnk|msp|pot|shs|wsc)$
It should work as expected, as the "$" is the regex anchor for "ends with".
If you did not add the "$" previously and left it as contains, then yes, it would look at the entire extension for a 'contains' rather than ends with.
I hope this clears up the query a bit more :)
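The difference between "contains" and the `$`-anchored "ends with" match discussed above, as an added example that is not part of the original thread. It uses Python's `re` module on constructed file names and assumes the pattern behaves the same way on the ESA; the single `\.` in the raw string stands in for the filter's `\\.`.

```python
import re

# Extension list copied from the filter posted in this thread.
EXTS = ("ade|cmd|eml|ins|mdb|mst|reg|url|wsf|adp|com|exe|isp|mde|pcd|scr|vb|wsh|"
        "bas|cpl|hlp|js|msc|pif|sct|vbe|bat|crt|hta|jse|msi|pl|scx|vbs|chm|dll|"
        "inf|lnk|msp|pot|shs|wsc")

# "Ends with": a literal dot, one listed extension, then end of the name.
ENDS_WITH = re.compile(r"(?i)\.(" + EXTS + r")$")

# "Contains": the bare keyword anywhere in the name, which is the
# behaviour that produced the false positives reported above.
CONTAINS = re.compile(r"(?i)(" + EXTS + r")")

# Constructed sample names; "M09 hlp.doc" is the one quoted in the thread.
SAMPLES = [
    "M09 hlp.doc",          # keyword inside the base name
    "company_report.docx",  # "com" inside the base name
    "notes.js.txt",         # listed extension, but not the final one
    "budget.xlsx",          # no keyword at all
    "setup.EXE",            # upper case, caught through (?i)
    "invoice.pdf.exe",      # final extension is listed
    "macro.vbs",            # "vb" alone fails at "$", "vbs" then matches
]

def classify(filename):
    """Return how each matching mode treats one attachment name."""
    return {
        "contains": bool(CONTAINS.search(filename)),
        "ends_with": bool(ENDS_WITH.search(filename)),
    }

def false_positives(filenames):
    """Names a 'contains' rule would drop that 'ends with' lets through."""
    return [n for n in filenames
            if classify(n)["contains"] and not classify(n)["ends_with"]]

def blocked(filenames):
    """Names the anchored 'ends with' pattern would drop."""
    return [n for n in filenames if classify(n)["ends_with"]]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name!r:24} {classify(name)}")
    print("contains-only hits:", false_positives(SAMPLES))
```

Running a list of real attachment names from mail logs through `false_positives` before enabling a drop action shows which legitimate files a "contains" rule would have removed.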
03-24-2022 11:24 PM
Hi,
Can I know how to add the syntax to ESA?
attach_drop: if (attachment-filename =='(?i)\\.(ade|cmd|eml|ins|mdb|mst|reg|url|wsf|adp|com|exe|isp|mde|pcd|scr|vb|wsh|bas|cpl|hlp|js|msc|pif|sct|vbe|bat|crt|hta|jse|msi|pl|scx|vbs|chm|dll|inf|lnk|msp|pot|shs|wsc)$'){
drop();
}