Cisco ESA attachment name

ccna_security
Level 3

Hi. Let me ask you an interesting question. Why is ESA able to strip an attachment named test.txt that contains a suspected URL, but fails to strip the same attachment named тест.txt? I guess the problem stems from language decoding. Any idea how I can solve it?


Mathew Huynh
Cisco Employee
Hey Ccns90,

This is an interesting one.
We're not getting errors but it seems to be the character encoding throwing it off.

I'm looking into it on my side.

Regards,
Mathew

Just a heads up - this behaviour is definitely not intended.

A way to solve this will likely need a bug fix; however, a workaround (that I can come up with) will be more of a broad match + drop aspect.

Either change the filter for conditions to check malicious URLs and quarantine the email.
I tried to find a way to match filetypes + URL but we won't be able to treat every attachment as a separate entity.

Regards,
Mathew

Is there any way to inform Cisco about this bug in order to fix it?

Hey Ccns90,

I would suggest to open a TAC case to allow the team to investigate further.

Regards,
Mathew

We opened a case. We are working on it. Thank you so much.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvr83113

This is the bug opened on this issue.

Regards,
Mathew
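
Added example, not part of the original thread and not a description of ESA internals (the thread does not state the root cause): it shows how a non-ASCII attachment name such as тест.txt travels in MIME headers in RFC 2231 or RFC 2047 encoded form, so a name check has to decode the header before comparing. The message bytes are constructed samples and the function names are hypothetical.

```python
import unicodedata
from email import message_from_bytes
from email.header import decode_header, make_header


def sample(disposition_param: bytes) -> bytes:
    """Constructed single-part message whose attachment body holds a URL."""
    return (b"From: a@example.com\r\nTo: b@example.com\r\n"
            b"Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
            b"Content-Type: text/plain; charset=utf-8\r\n"
            b"Content-Disposition: attachment; " + disposition_param +
            b"\r\n\r\nhttp://example.test/\r\n")


# Three constructed encodings of the attachment name.
RAW_ASCII = sample(b'filename="test.txt"')
RAW_2231 = sample(b"filename*=utf-8''%D1%82%D0%B5%D1%81%D1%82.txt")
RAW_2047 = sample(b'filename="=?UTF-8?B?0YLQtdGB0YIudHh0?="')


def naive_raw_match(raw: bytes, name: str) -> bool:
    """Look for the literal name in the undecoded header block."""
    headers = raw.split(b"\r\n\r\n", 1)[0]
    return name.encode("utf-8") in headers


def attachment_names(raw: bytes) -> list:
    """Return attachment names after MIME decoding and Unicode normalization."""
    names = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()  # stdlib resolves RFC 2231 filename*= here
        if name is None:
            continue
        if "=?" in name:  # RFC 2047 encoded-word left inside the parameter
            name = str(make_header(decode_header(name)))
        names.append(unicodedata.normalize("NFC", name))
    return names


if __name__ == "__main__":
    samples = [("ascii", RAW_ASCII), ("rfc2231", RAW_2231), ("rfc2047", RAW_2047)]
    for label, raw in samples:
        print(label, attachment_names(raw), naive_raw_match(raw, "тест.txt"))
```

When testing a filter rule against non-ASCII names, send both encoded forms, since different mail clients emit different ones.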