Content Filter block attachment .scr/.cab etc... not working inside archive

Hi,

We have a problem: the Content Filter for blocking executable, .scr and .cab attachments is not working if the .exe, .scr or .cab file is inside a 7zip, zip or rar archive.

How deep inside an attachment does the ESA go, if at all?

The antivirus config is set to 5, and some viruses such as CryptoWall got through as .scr and .cab.

So we are blocking that extension, but this time they were inside an archive.

ACCEPTED SOLUTION
Cisco Employee


Hello Juraj,

I apologise for the inconvenience.

Currently, if there are viral definitions for the attachment, the AV engine is the first line of defence. If for some reason you notice viral attachments bypassing your ESA, please open a TAC case so we can escalate the sample to Sophos and have it captured for you.

As for content filtering:

The scan depth (how deep it will go) is defined in 'scanconfig' in the CLI. This will show your current recursion depth.

As for .cab and .7z attachments not being properly captured when an .scr or .exe is inside them:

Currently there are enhancement requests to allow the unpacking/decompression of these archive files so that what is inside them can be captured; at the moment the request is still under review.

As a temporary measure, you can proactively send .7z and .cab files to the quarantine for your administrative review.

The ESA will, however, be able to find the executable should it be hidden inside .rar, .gzip or .zip archives.

I hope this helps.

Regards,

Matthew

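The answer above turns on two things: the recursion depth an archive-aware filter is allowed to descend, and the archive formats it can actually open. The script below is an added example written for this thread; it is not Cisco code, does not use AsyncOS or the 'scanconfig' CLI, and its names (scan_attachment, Finding, MAX_TOTAL_BYTES, the extension sets) are this example's own choices. It unpacks only the formats Python's standard library handles (zip and gzip), treats .7z and .rar as opaque and flags them for quarantine in the spirit of the temporary measure suggested in the answer, matches inner files both by extension and by the PE "MZ" header so a renamed .scr is still caught, and caps total decompressed bytes as a decompression-bomb guard. The sample archive it scans is constructed in memory, with a harmless "MZ"-prefixed blob standing in for a real executable.

```python
"""Recursive attachment scanner: unpack nested containers up to a depth
limit and match inner files by extension and by file magic.

Added example for this thread, not Cisco ESA code. The depth counter here
is this example's own; it only illustrates why a shallow scan depth loses
payloads nested one archive further down.
"""
import gzip
import io
import zipfile
from dataclasses import dataclass

BLOCKED_EXT = {".exe", ".scr", ".cab", ".com", ".pif", ".bat"}
OPAQUE_ARCHIVE_EXT = {".7z", ".rar"}      # not unpacked by this example
MAX_TOTAL_BYTES = 50 * 1024 * 1024         # decompression-bomb guard (assumed limit)


@dataclass
class Finding:
    path: str      # e.g. "outer.zip/inner.zip/payload.scr"
    reason: str


def _ext(name: str) -> str:
    base = name.rsplit("/", 1)[-1]
    dot = base.rfind(".")
    return base[dot:].lower() if dot >= 0 else ""


def _is_pe(data: bytes) -> bool:
    # Windows executables (.exe/.scr/.dll) start with the "MZ" DOS header.
    return data[:2] == b"MZ"


def _children(name: str, data: bytes):
    """Yield (member_name, member_bytes) for containers this example opens."""
    ext = _ext(name)
    if ext == ".zip" or zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    yield info.filename, zf.read(info)
    elif ext in (".gz", ".gzip"):
        base = name.rsplit("/", 1)[-1]
        yield base[: -len(ext)] or "gunzipped", gzip.decompress(data)


def scan_attachment(name: str, data: bytes, max_depth: int,
                    _depth: int = 0, _budget=None) -> list:
    """Return Findings for `name`, recursing into archives while _depth < max_depth."""
    if _budget is None:
        _budget = [MAX_TOTAL_BYTES]
    ext = _ext(name)
    if ext in BLOCKED_EXT:
        return [Finding(name, f"blocked extension {ext}")]
    if _is_pe(data):
        return [Finding(name, "PE header (MZ) behind a non-executable extension")]
    if ext in OPAQUE_ARCHIVE_EXT:
        return [Finding(name, "archive format not unpacked: quarantine for review")]
    if _depth >= max_depth:
        return []          # depth exhausted: anything nested deeper is never seen
    findings = []
    try:
        for child_name, child_data in _children(name, data):
            _budget[0] -= len(child_data)
            if _budget[0] < 0:
                findings.append(Finding(f"{name}/{child_name}", "decompression limit exceeded"))
                break
            findings.extend(scan_attachment(f"{name}/{child_name}", child_data,
                                            max_depth, _depth + 1, _budget))
    except (zipfile.BadZipFile, OSError, EOFError):
        findings.append(Finding(name, "unreadable archive: quarantine for review"))
    return findings


def build_sample() -> bytes:
    """Constructed input: outer.zip holding a text file, a nested inner.zip
    with a fake PE named invoice.pdf.scr, a fake PE renamed photo.jpg, and
    an opaque tools.7z blob. Nothing here is real malware."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"not a real program"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("invoice.pdf.scr", fake_pe)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("readme.txt", b"hello")
        zf.writestr("inner.zip", inner.getvalue())
        zf.writestr("photo.jpg", fake_pe)               # extension lies, magic does not
        zf.writestr("tools.7z", b"7z\xbc\xaf\x27\x1c fake")
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    for depth in (1, 2):
        print(f"max_depth={depth}")
        for f in scan_attachment("outer.zip", sample, max_depth=depth):
            print(f"  {f.path}: {f.reason}")
```

With max_depth=1 the scanner sees outer.zip's direct members only, so it flags the renamed PE and the opaque .7z but never opens inner.zip and misses invoice.pdf.scr; with max_depth=2 the nested .scr is found as well. That is the same failure mode the original question describes, and the reason the recursion depth and the set of unpackable formats both matter.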


Beginner

Where is Cisco with this enhancement request? We received an attachment with a .7z extension which endpoint security found to be infected with malware. This wasn't caught by the WSA for the reason listed in the original post above, which was over 11 months ago.

Cisco Employee

Hey Ashaw216,

AsyncOS 9.7.0-125 provides support to capture:

.cab files

.7z files 

and RAR 5.0 files.

Regards,

Matthew