Filter bad attachment types.

So, we filter a lot of attachment types out, but have noticed some coming in with extra dots on the end: .htm... as an example.

So, I thought I could filter to say attachment file type does not end with ([a-z]|[0-9]) to kill off any special character endings, but this was causing the ESA to quarantine any email, even when it didn't contain an attachment.

I can check if it ends with (\.|!), but I'm afraid they will just try other characters.

Any ideas, since I can't have a check for whether an attachment exists?

Accepted Solution

srigovi2
Cisco Employee

Hi Dustin,
You can use the below email filtering rules that are being applied to incoming emails.

 

strip_all_dangerous: if (true) {
    drop-attachments-by-name('(?i)\\.(..)$');
}

 

1. The rule name is "strip_all_dangerous", indicating that it is intended to remove potentially harmful content from incoming emails.
2. The first line is a condition that is always true, meaning that this rule will always be executed when an email arrives.
3. The second line is a filtering action that drops any attachments whose names match a regular expression pattern that specifies file names ending with any two characters preceded by a dot. The regular expression pattern is case-insensitive, as indicated by the "(?i)" at the beginning of the pattern.

You can also refer to the link below to learn about the various options in the message filter.

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_01000.html#con_1137059


 

Thanks,

G.Srinivasan


Thanks, I'll take a look. I have a filter stripping any attachment ending in a period, but was looking to strip anything not ending in a character or number. This gives me something to look at since it checks that an attachment exists. Content filter was triggering on emails that had no attachments.
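The patterns discussed in this thread, run against attachment names, as an added example that is not part of the original posts and is not ESA filter code. It uses Python's `re` module as a stand-in for the appliance's regex engine; the sample file names, the blocked-extension list and the function names are constructed for illustration, and the negated check is only a model of the "does not end with" condition described in the question.

```python
import re

# Pattern from the accepted answer: a dot followed by any two characters at the end.
ANSWER_PATTERN = re.compile(r"(?i)\.(..)$")
# Positive form of the asker's goal: the last character is not a letter or digit.
NON_ALNUM_END = re.compile(r"(?i)[^a-z0-9]$")
# The class used in the question's negated condition: name ends in a letter or digit.
ALNUM_END = re.compile(r"(?i)[a-z0-9]$")
# Assumed blocklist that tolerates trailing junk after the extension (list is constructed).
BLOCKED_EXT = re.compile(r"(?i)\.(htm|html|exe|js)[^a-z0-9]*$")

# Constructed sample attachment names.
SAMPLE_NAMES = ["invoice.htm...", "report.pdf", "page.htm!", "notes.txt", "a.js", "archive.7z"]


def matching_attachments(names, pattern):
    """Return the attachment names the pattern matches; no attachments means no matches."""
    return [name for name in names if pattern.search(name)]


def message_flagged(names, pattern):
    """Flag a message only when at least one existing attachment name matches."""
    return bool(matching_attachments(names, pattern))


def negated_condition_flagged(names, pattern):
    """Model of 'no attachment name matches pattern'; vacuously true for an empty list."""
    return not any(pattern.search(name) for name in names)


if __name__ == "__main__":
    for label, pat in [("answer", ANSWER_PATTERN), ("non-alnum end", NON_ALNUM_END),
                       ("blocklist", BLOCKED_EXT)]:
        print(f"{label:14} -> {matching_attachments(SAMPLE_NAMES, pat)}")
    # A message with no attachments: positive match stays quiet, negated test fires.
    print("no attachments, positive:", message_flagged([], NON_ALNUM_END))
    print("no attachments, negated: ", negated_condition_flagged([], ALNUM_END))
```

Expressing the check as a positive match on a bad ending can only fire when an attachment name exists, whereas the negated form is true for a message with no attachments at all.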