4699 Views | 0 Helpful | 6 Replies

Detect executable file attachments in container files (OLE, PDF attachments, etc.)

Situation: we face some attacks with executables embedded in Office documents (OLE), where users then click and execute files like exe, bat, etc.

We use filetype filters to block exe, bat, etc., but they do not match embedded file types! Attachments in PDF documents are also a problem.

Is there any way to configure a filter blocking executables in container files? Any idea?

Similar topic, but different: https://supportforums.cisco.com/discussion/12925121/block-office-documents-containing-macros

Ironport ESA: AsyncOS 9.7.2

Michael

Accepted Solution

Libin Varghese
Cisco Employee

Hi Michael,

Ideally the anti-virus and AMP scanners should be used to detect malicious content in attachments.

Microsoft's Office 2007 document formats are XML contained within a ZIP archive. Files with the ".docx" extension are actually ZIP files; you can see this by renaming the file with a .zip extension. Any type of file that is embedded within an Office 2007 document is stored as a .bin file. This means we can't currently do a search for a particular file type fingerprint.


One possible solution is to change the condition to 'attachment-filename == (?i).bin'. This will catch any Office 2007 document with a file embedded in it.

Regards

Libin


6 Replies


Hi Libin,

Thanks.

"Ideally the anti-virus and AMP scanners should be used to detect malicious content in attachments." But there is no possibility to use the Sophos antivirus in ESA to define actions on specific findings if it is not recognised as a virus, right? And if we can't use the AMP Cloud (due to regulation and policies), is it also not possible to detect these kinds of files in AMP (on premise)?

I will check the Binary Attachment part.

Regards,

Michael

Michael,

That is correct. Sophos would be able to take action only based on the attachment scanning verdict of encrypted, unscannable or virus positive and cannot take action based on specific content.

AMP does offer an option for on-premise Threat Grid servers, which does not require cloud analysis; this feature would need to be purchased separately.

See page 17-5 of the AsyncOS 9.7 User Guide at the link below:

http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-7/ESA_9-7_User_Guide.pdf

http://www.cisco.com/c/en/us/support/security/amp-threat-grid-appliances/tsd-products-support-series-home.html

Regards

Libin

Hi Libin,

I've tried the solution with attachment-filename (?i).bin and I was not successful, but then I tried it with "attachment-binary-contains("(?i)bin")" and it matched my test file.

When I attach an exe file to a docx Office file, this embedded file is also stored as an oleObject1.bin file (in the ZIP viewer). Does IronPort detect that exe file with a filename filter, or do I have to use the same BIN filter?

Regards,
Michael

AttachmentFilter: if attachment-binary-contains("(?i)bin") {
                      log-entry("MATCHED FILTER ATTACHMENT $MatchedContent");
                  }

I would suspect all embedded files would be detected using the bin-condition, subject to testing.

The filename condition would not be able to determine the embedded filetypes.

-- Libin

Yes, it works for my case! Thank you.
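The thread establishes two things: a .docx is a ZIP whose embedded objects live under word/embeddings/ as oleObjectN.bin, and a filename filter on the container cannot see what those .bin objects hold, which is why the broad attachment-binary-contains("(?i)bin") match works (the member name in the ZIP directory contains "bin") but cannot tell a harmless OLE object from a packaged exe. The script below is an added example, not Cisco or ESA code, that shows what a content-based check looks like: it opens the container, reads each embedded object and looks for an OLE compound-file header, the Packager stream name that Office's "Insert > Object > Create from File" produces, and a DOS/PE header pair inside the blob; for PDFs it reports /EmbeddedFile attachments by name. The docx and PDF samples are constructed in memory, the fake PE inside them is only a header, and the blocked-extension list extends the thread's exe/bat as an assumption.

```python
"""Inspect container attachments (OOXML and PDF) for embedded executables.

Added example, not Cisco/ESA code. It looks inside the container instead of
matching on the container's own filename. All sample inputs are constructed.
"""
import io
import re
import struct
import zipfile

# OLE compound-file header: what word/embeddings/oleObjectN.bin starts with.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Stream name used by Office's Packager for "Create from File" objects;
# OLE directory entries store stream names as UTF-16LE.
OLE10NATIVE = "Ole10Native".encode("utf-16-le")
# The thread wants exe and bat blocked; the rest of this list is an assumption.
BLOCKED_EXT = {"exe", "bat", "cmd", "scr", "com", "pif"}


def has_pe_header(data: bytes) -> bool:
    """True if a DOS header whose e_lfanew points at 'PE\\0\\0' occurs anywhere."""
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            break
        (e_lfanew,) = struct.unpack_from("<I", data, off + 0x3C)
        if data[off + e_lfanew : off + e_lfanew + 4] == b"PE\x00\x00":
            return True
    return False


def scan_office(data: bytes) -> list:
    """Findings for an OOXML container (docx/xlsx/pptx): embedded objects it carries."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with zf:
        for name in zf.namelist():
            if "/embeddings/" not in name and not name.lower().endswith(".bin"):
                continue
            blob = zf.read(name)
            reasons = []
            if blob.startswith(OLE_MAGIC):
                reasons.append("OLE object")
            if OLE10NATIVE in blob:
                reasons.append("Packager payload")
            if has_pe_header(blob):
                reasons.append("PE executable inside")
            ext = name.rsplit(".", 1)[-1].lower()
            if ext in BLOCKED_EXT:
                reasons.append(f"blocked extension .{ext}")
            if reasons:
                findings.append(f"{name}: {', '.join(reasons)}")
    return findings


def scan_pdf(data: bytes) -> list:
    """Findings for a PDF: file attachments (/EmbeddedFile) and their declared names."""
    findings = []
    if not data.startswith(b"%PDF") or b"/EmbeddedFile" not in data:
        return findings
    # Filespec dictionaries name the attachment in /F or /UF string entries.
    names = re.findall(rb"/(?:UF|F)\s*\(([^)]*)\)", data)
    for raw in dict.fromkeys(names):  # de-duplicate, keep order
        fname = raw.decode("latin-1")
        ext = fname.rsplit(".", 1)[-1].lower() if "." in fname else ""
        flag = f" (blocked extension .{ext})" if ext in BLOCKED_EXT else ""
        findings.append(f"PDF attachment {fname}{flag}")
    if not names:
        findings.append("PDF attachment (unnamed)")
    return findings


def scan_attachment(filename: str, data: bytes) -> list:
    """Dispatch on content, not on the attachment's own extension."""
    if data.startswith(b"PK\x03\x04"):
        return scan_office(data)
    if data.startswith(b"%PDF"):
        return scan_pdf(data)
    if has_pe_header(data):
        return [f"{filename}: bare PE executable"]
    return []


def build_sample_docx() -> bytes:
    """Constructed docx with a Packager object wrapping a minimal fake PE header."""
    fake_pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16
    ole_blob = OLE_MAGIC + b"\x00" * 24 + OLE10NATIVE + b"\x00" * 8 + fake_pe
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", ole_blob)
    return buf.getvalue()


# Constructed minimal PDF carrying one file attachment named payload.exe.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Names << /EmbeddedFiles << /Names [(payload.exe) 2 0 R] >> >> >> endobj\n"
    b"2 0 obj << /Type /Filespec /F (payload.exe) /EF << /F 3 0 R >> >> endobj\n"
    b"3 0 obj << /Type /EmbeddedFile /Length 4 >> stream\nMZ\x90\x00\nendstream endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    samples = (("invoice.docx", build_sample_docx()), ("report.pdf", SAMPLE_PDF), ("notes.txt", b"hello"))
    for fname, blob in samples:
        print(fname, scan_attachment(fname, blob) or "clean")
```

Because the dispatch keys on magic bytes rather than the declared extension, a renamed container or a bare executable with a harmless name is still inspected; the findings strings are what a gateway hook or a SIEM rule would key on.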