Contentfilter has no match when outbreak filter verdict = positive


This week we got a lot of spam. Every spam mail has a zip attachment with a *.wsf file in it.

(e.g. Receipt 4382-0694.zip -> Receipt 12060-610911.wsf)

https://myonlinesecurity.co.uk/blank-email-receipt-malspam-delivers-locky-thor-version/

I wrote this filter to delete every attachment containing a js, wsf or jse file.

drop-js-jse-wsf: if attachment-filename == "\\.(js|wsf|jse)$"
{
    drop-attachments-by-name("\\.(js|wsf|jse)$");
}


This filter works, but only when the mail is not quarantined by the outbreak filter.

I always thought the pipeline order was first the filters (CLI or GUI), then the outbreak filter.
It seems the filter doesn't match when the mail has the outbreak filter verdict = negative.

Do I have a misconception?

File attachments to this mail: a jpg with outbreak filter verdict = negative (filter works) and a jpg with outbreak filter verdict = positive (filter untouched).


Current AsyncOS version: 10.0.0-203

Libin Varghese
Cisco Employee

Hi,

The message filter should strip the attachment even if it triggers the outbreak rules later on in the email pipeline.

I would suspect the email in question, where the outbreak filter was triggered, just did not match the filter condition, or there was another filter above it in order that caused this filter to be skipped.

I would recommend adding log entries to all filters in use to track how such emails flow through the pipeline and which filters are triggered along the way.

Thanks

Libin Varghese
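The following is an added example of how the poster's filter could be instrumented the way the reply suggests; it is not code from the original thread or from Cisco. It assumes the AsyncOS message filter syntax as documented for this release: a `log-entry()` action writes a line to the mail logs when the condition matches, so a message that reaches the outbreak filter without its attachment being stripped can be checked against the logs to see whether this filter ever fired. It also adds the `(?i)` flag to the regular expression, which is what the Cisco documentation examples use to make the match case-insensitive; without it an attachment named `Receipt.WSF` would not be matched by the original pattern.

```text
drop-js-jse-wsf: if attachment-filename == "(?i)\\.(js|wsf|jse)$"
{
    # record that this filter matched, so the mail logs show whether
    # the message reached it before the outbreak filter verdict was applied
    log-entry("drop-js-jse-wsf matched: stripping js/wsf/jse attachment");
    drop-attachments-by-name("(?i)\\.(js|wsf|jse)$");
}
```

After adding the filter, send a test message with a `.wsf` attachment to a test mailbox and search the mail logs for the `drop-js-jse-wsf matched` string; if the line is absent for a message that was later quarantined by the outbreak filter, the message never matched this condition (or a filter earlier in the order skipped the remaining filters), which is the distinction the reply is pointing at.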