03-06-2023 12:47 PM
So, we filter a lot of attachment types out, but have noticed some coming in with extra dots on the end. .htm... as an example.
So, I thought I could filter to say attachment file type does not end with ([a-z]|[0-9]) to kill off any special character endings, but this was causing the ESA to quarantine any email, even when they didn't contain an attachment.
I can check if it ends with (\.|!), but I'm afraid they will just try other characters.
Any ideas, since I can't have a check for whether an attachment exists?
03-17-2023 12:35 AM - edited 03-17-2023 12:37 AM
Hi Dustin,
You can use the email filtering rules below, which are applied to incoming emails.
strip_all_dangerous: if (true) {
drop-attachments-by-name('(?i)\\.(..)$');
}
1. The rule name is "strip_all_dangerous", indicating that it is intended to remove potentially harmful content from incoming emails.
2. The first line is a condition that is always true, meaning that this rule will always be executed when an email arrives.
3. The second line is a filtering action that drops any attachments whose names match a regular expression pattern that specifies file names ending with any two characters preceded by a dot. The regular expression pattern is case-insensitive, as indicated by the "(?i)" at the beginning of the pattern.
You can also refer to the link below to learn about the various options in the message filter.
-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.
You can also learn more about Cisco Secure Email through our live Ask the Experts (ATXs) session. Check out this ATXs Resources [https://community.cisco.com/t5/security-knowledge-base/cisco-endpoint-security-ask-the-experts-resources/ta-p/4394492] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs
-----------------------------------------
Thanks,
G.Srinivasan
03-17-2023 08:23 AM
Thanks, I'll take a look. I have a filter stripping any attachment ending in a period, but was looking to strip anything not ending in a character or number. This gives me something to look at since it checks that an attachment exists. The content filter was triggering on emails that had no attachments.
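The name-based patterns discussed in this thread, run against constructed attachment names so their coverage can be compared before deploying a filter. This is an added example, not code from any poster: Python's re module stands in for the ESA regex engine, and the `names_to_drop` helper and the pattern labels are hypothetical.

```python
import re

# Patterns taken from the thread. In the message filter the dot is written
# '\\.' ; here it is the single escaped dot the regex engine is assumed to see.
ANSWER_PATTERN = r"(?i)\.(..)$"        # from the accepted reply
TRAILING_DOT = r"\.$"                  # "ending in a period"
NON_ALNUM_END = r"(?i)[^a-z0-9]$"      # "not ending in a character or number"


def names_to_drop(attachment_names, pattern):
    """Model of a per-attachment name check.

    The pattern is evaluated once per attachment name, so a message with
    no attachments produces no matches at all. This differs from a
    message-level "does not end with" condition, which is also true when
    there is nothing to compare against.
    """
    rx = re.compile(pattern)
    return [name for name in attachment_names if rx.search(name)]


# Constructed sample names, not taken from real mail.
SAMPLE = ["invoice.htm...", "report.pdf", "a.js", "x.html!", "y.htm."]

if __name__ == "__main__":
    for label, pat in [("answer", ANSWER_PATTERN),
                       ("trailing dot", TRAILING_DOT),
                       ("non-alnum end", NON_ALNUM_END)]:
        print(f"{label:14} {pat:18} -> {names_to_drop(SAMPLE, pat)}")
    # A message without attachments never matches a per-attachment check.
    print("no attachments ->", names_to_drop([], NON_ALNUM_END))
```

Running a candidate pattern over a list of names seen in quarantine shows which legitimate files it would also strip before the filter goes live.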