Content Filter block attachment .scr/.cab etc... not working inside archive

Juraj Ban
Level 1

Hi,

We have a problem: the Content Filter for blocking attachments (executable, .scr and .cab) is not working if the .exe, .scr or .cab is inside a 7zip, zip or rar archive.

How deep inside an attachment does the ESA go, if at all?

Antivirus config is set to 5, and some viruses passed, like CryptoWall as .scr and .cab.

So we are blocking those extensions, but this time they were inside an archive.

Accepted Solution

Mathew Huynh
Cisco Employee

Hello Juraj,

I apologise for the inconvenience.

Currently, if there are viral definitions within the attachment, the AV engine would be the first line of defence. If for some reason you notice viral attachments bypassing your ESA, please open a TAC case so we can escalate the sample to Sophos for you to capture.

As for content filtering: the scan depth (how deep it will go into a system) is defined in 'scanconfig' in the CLI. This will show your current recursion depth.

As for .cab and .7z attachments not being properly captured if a .scr or .exe is inside them: currently there are some enhancement requests to allow the unpacking/decompression of these archive files to capture things inside them; at the moment the request is still undergoing review.

As a temporary measure you can proactively send .7z and .cab files to the quarantine for your administrative review.

The ESA will, however, be able to seek out the executable should it be shrouded inside .rar/.gzip and .zip archives.

I hope this helps.

Regards,

Matthew

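
An added example (not Cisco's code and not anything the ESA itself runs) of the nesting check the accepted answer describes: descend into zip attachments up to a fixed recursion depth, the way the 'scanconfig' depth bounds the appliance, flag blocked extensions wherever they are found, and route archive types that cannot be opened (assumed here to be .7z and .rar, matching the situation before the enhancement shipped) to quarantine review rather than letting them through. The sample attachment is constructed in the block.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions the thread's content filter is meant to block.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".cab"}
# Archive types this script cannot open (assumption: only zip is handled here,
# as on the ESA before the enhancement shipped); they go to quarantine review.
OPAQUE_ARCHIVES = {".7z", ".rar"}
MAX_DEPTH = 5  # stand-in for the ESA 'scanconfig' recursion depth


def scan_attachment(name, data, depth=0, path=""):
    """Return (verdict, path) findings: 'BLOCK' for a blocked extension,
    'REVIEW' for an archive we cannot unpack, 'DEPTH' when nesting exceeds
    MAX_DEPTH and the contents therefore went unseen."""
    full = f"{path}/{name}" if path else name
    ext = PurePosixPath(name).suffix.lower()
    if ext in BLOCKED_EXTENSIONS:
        return [("BLOCK", full)]
    if ext in OPAQUE_ARCHIVES:
        return [("REVIEW", full)]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []  # plain file with an allowed extension
    if depth >= MAX_DEPTH:
        return [("DEPTH", full)]  # recursion limit reached: do not descend
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for member in zf.infolist():
            if not member.is_dir():
                findings += scan_attachment(member.filename, zf.read(member),
                                            depth + 1, full)
    return findings


def build_zip(entries):
    """Constructed helper: pack {name: bytes} into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, body in entries.items():
            zf.writestr(member_name, body)
    return buf.getvalue()


# Constructed sample: invoice.zip -> inner.zip -> payload.scr, plus a .7z blob.
SAMPLE = build_zip({
    "inner.zip": build_zip({"payload.scr": b"MZ\x90\x00", "readme.txt": b"hi"}),
    "update.7z": b"7z (constructed stand-in, not a real archive)",
})
```

A 'DEPTH' finding is the case the thread is really about: an archive nested deeper than the configured recursion is never opened, so a blocked extension inside it is never seen and the message should be held rather than delivered.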

3 Replies


Where is Cisco with this enhancement request? We received an attachment with a .7z extension which endpoint security found to be infected with malware. This wasn't caught by the WSA for the reason listed in the original post above, which was over 11 months ago.

Hey Ashaw216,

AsyncOS 9.7.0-125 provides support to capture:

.cab files

.7z files

and rar 5.0 files.

Regards,

Matthew
