Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
857
Views
0
Helpful
2
Replies

Blocking rar in ESA

REJR77
Level 1
Level 1

‎08-07-2015 07:13 AM

Hello,

 

I've created a content filter to block rar file.

I've tried to use this conditions

Attachment File Info / Filename: Ends with .rar
Attachment File Info / File Type is rar

With Action as Quarantine / and notify User

=> The attachment is still going to the user...

For info, the rar contains a txt file.....

Any idea?

Which content-filter do you use to block several extension (regexp)?

Thank you

Labels:
0 Helpful
2 Replies 2

exMSW4319
Level 3
Level 3

‎08-07-2015 08:50 AM

I'm using the following Incoming Content rule:

Executable-park: if (attachment-filetype == "Executable") OR (attachment-filename == "(?i)\\.(aca|acd|acf|acs|act|adm|ani|arj|asd|asx|bas|bat|cab|chm|cmd|com|cpl|crt|css|hlp|hta|inf|jar|jsp|mim|msc|msp|mst|ocx|php|rar|reg|shs|vb|vbe|vbs|wsc|wsf|wsh)$") { quarantine("Recycle Bin"); }

where "Recycle Bin" is an extra quarantine area. The long string of suffixes covers the types (not all of which are executable) that aren't in the built-in type Executable that we want to handle in the same way. I must admit that I haven't reviewed this since Asyncos 7 so there may be some redundant terms in there. You may also want to trim it of file types you don't mind or handle via other rules. Finally, don't forget that the latter half is only matching file names; there's no fancy magic bit detection going on to ensure that renamed files are not sneaking past.

 

0 Helpful

Mathew Huynh
Cisco Employee
Cisco Employee

‎08-07-2015 08:44 PM

Hello Romain,

 

Are you able to send us a copy of the message tracking where the email with the .rar attachment has passed the mail filtering.

Additionally if you could share a screenshot if the incoming mail policies currently employed.

 

As exMSW4319 provided, that's a message filter syntax to look at filenames with regex variables.

If you do not want to use message filters, you can edit your existing content filter, under attachment file name - Contains - you can use the same syntax -> (?i)\\.(aca|acd|acf|acs|act|adm|ani|arj|asd|asx|bas|bat|cab|chm|cmd|com|cpl|crt|css|hlp|hta|inf|jar|jsp|mim|msc|msp|mst|ocx|php|rar|reg|shs|vb|vbe|vbs|wsc|wsf|wsh)$

 

Obviously editing the filenames to match your required filenames as well.

 

Regards,

Matthew

0 Helpful
Customers Also Viewed These Support Documents