ESA scanning for executables inside of different archive types

dpinchukov
Level 1

I am trying to quarantine mails with executable attachments inside of archives. If I create a new content filter to match on executables (attachment-filetype == "Executable"), this detects directly attached executable files and executable files in .zip archives. But it does not detect exe files in .7z or .cab archives. How do I enable this check for other archive types?

--------------

Executable: if (attachment-filetype == "Executable") { quarantine("Policy"); }     

 

Fri Jan 30 16:40:38 2015 Info: MID 29027572 attachment 'test.zip'
Fri Jan 30 16:40:38 2015 Info: MID 29027572 quarantined to "Policy" (content filter:Executable)

 

Fri Jan 30 16:41:25 2015 Info: MID 29027603 attachment 'test.7z'
Fri Jan 30 16:41:25 2015 Info: MID 29027603 queued for delivery

 

Fri Jan 30 16:41:40 2015 Info: MID 29027624 attachment 'test.cab'
Fri Jan 30 16:41:40 2015 Info: MID 29027624 queued for delivery
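The three tests above show the gap in the mail_logs: the .zip message is quarantined by the filter, while the .7z and .cab messages are "queued for delivery". Below is an added example (not part of the original post and not Cisco code) that does two things a defender would want while the gap is open: it correlates the attachment and disposition lines per MID so you can audit a mail_logs export for delivered messages carrying archive types the filter is not looking inside, and it shows what "decompressing to search inside" means by checking zip members for the PE magic bytes rather than trusting the member's extension. The log lines are the ones from the post, embedded as a constructed sample; the set of un-inspected extensions (.7z, .cab) is an assumption taken from this thread, and the zip built in memory contains a constructed two-byte "MZ" stub, not a real binary.

```python
import io
import re
import zipfile
from collections import defaultdict

# Constructed sample: the three mail_logs tests quoted in the post.
SAMPLE_LOG = """\
Fri Jan 30 16:40:38 2015 Info: MID 29027572 attachment 'test.zip'
Fri Jan 30 16:40:38 2015 Info: MID 29027572 quarantined to "Policy" (content filter:Executable)
Fri Jan 30 16:41:25 2015 Info: MID 29027603 attachment 'test.7z'
Fri Jan 30 16:41:25 2015 Info: MID 29027603 queued for delivery
Fri Jan 30 16:41:40 2015 Info: MID 29027624 attachment 'test.cab'
Fri Jan 30 16:41:40 2015 Info: MID 29027624 queued for delivery
"""

# Assumption from this thread: archive types the filter does not unpack.
UNINSPECTED_ARCHIVES = {".7z", ".cab"}

ATTACH_RE = re.compile(r"MID (\d+) attachment '([^']+)'")
QUAR_RE = re.compile(r'MID (\d+) quarantined to "([^"]+)"')
QUEUED_RE = re.compile(r"MID (\d+) queued for delivery")


def parse_mail_log(text):
    """Group attachment names and the final disposition per MID."""
    msgs = defaultdict(lambda: {"attachments": [], "disposition": None})
    for line in text.splitlines():
        if m := ATTACH_RE.search(line):
            msgs[m.group(1)]["attachments"].append(m.group(2))
        elif m := QUAR_RE.search(line):
            msgs[m.group(1)]["disposition"] = "quarantined:" + m.group(2)
        elif m := QUEUED_RE.search(line):
            msgs[m.group(1)]["disposition"] = "delivered"
    return dict(msgs)


def find_uninspected_deliveries(msgs):
    """Return (mid, filename) pairs for delivered messages carrying an
    archive type the content filter cannot look inside."""
    hits = []
    for mid, info in sorted(msgs.items()):
        if info["disposition"] != "delivered":
            continue
        for name in info["attachments"]:
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in UNINSPECTED_ARCHIVES:
                hits.append((mid, name))
    return hits


PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def archive_contains_executable(filename, data):
    """True/False for archives we can open (zip); None when the format is not
    unpacked, mirroring the .7z/.cab behaviour described in the thread."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext != "zip":
        return None  # nothing inside is ever seen
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                # Check content, not the member name: a renamed .exe still starts with MZ.
                if fh.read(2) == PE_MAGIC:
                    return True
    return False


def build_sample_zip():
    """Constructed zip: a text file plus a PE-like stub (not a real binary)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        zf.writestr("invoice.pdf.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for mid, name in find_uninspected_deliveries(parse_mail_log(SAMPLE_LOG)):
        print(f"MID {mid}: delivered with un-inspected archive {name}")
    print("zip has executable:", archive_contains_executable("test.zip", build_sample_zip()))
    print("7z inspected:", archive_contains_executable("test.7z", b"7z"))
```

Run against a full mail_logs export, the first part lists the messages that slipped past the Executable filter only because of their container type, which is what you would quarantine by a separate filename-based rule or follow up on manually until the appliance unpacks those formats.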

 

1 Reply

Mathew Huynh
Cisco Employee

From my memory and some tests I've been running on my lab box, which is on version 8.5.6, I believe that while the system can now detect .7z and .cab files, it will not decompress these files to search inside, as it can with .zip and .rar etc. when an .exe is embedded within them.

 

However I do believe this is still being investigated for further details at this stage.

 

And your test also reflects what I've seen on my test device.