1354 Views, 0 Helpful, 3 Replies

Filter to drop file types within a compressed email attachment

Pravar
Level 1

Hi,

We have the below-mentioned message filter to drop attachments whose filename has the following extensions. However, we also want to drop the attachment in case any of the following file types are present inside a password-protected compressed attachment. How can we achieve this? Appreciate guidance.

drop_attachments: if (recv-listener == "INC") AND (attachment-filename == "\\.(386|ad|ade|adp|ani|app|asp|aspx|bas|bat|cab|cer|chm|cla|class|cmd|cnt|com|cpl|crt|cur|csh|deb|diagcab|dll|dr|der|dmg|exe|fxp|gadget|grp|hlp|hpj|hta|ico|inf|ins|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|mad|maf|mcf|mda|mdb|mde|mdt|mdw|mdz|mpkg|msc|msh|ms1|msh|mshxml|msh1xml|msh2xml|msh1|msh2|msi|msp|mst|msu|nsf|nsh|ocx|psc1|psc2|pst|psd1|psdm1|reg|rpm|scf|scr|sct|shb|shs|sys|theme|tmp|url|vb|vbe|vbs|vbp|vs|vsmacros|vss|vst|vsw|vxd|webpnp|website|wmf|ws|wsc|wsf|wsh|xbap|xnk|xll)$") { drop(); }

3 Replies

Brendon.Ott
Level 1
Some file compression formats are able to also encrypt the file names, so I instead match against the AV scanning result.
Unscannable files, which mostly occur due to encryption, are marked with an AV error code in the headers.
I use the following to catch all AV errors:
header("X-IronPort-AV") == "e=\".+\";"

AV header code info is here.
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117887-qanda-esa-00.html

Mathew Huynh
Cisco Employee
As well as what Brendon shared, which I find a great solution to the request here if you are using content filters.
You can also run a message filter if you plan to drop it at the message filter as well. Essentially, if an attachment is password protected, we won't look into the files inside it. This means you'd need to either drop all password-protected attachments or let them pass if password protected.

Regards,
Matthew
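Added example, not from this thread or from Cisco: a small offline Python model of the three decisions discussed above, so the logic can be tried against constructed messages. It applies the original poster's extension regex to direct attachments and to entry names inside a ZIP, applies Brendon's X-IronPort-AV e=".+"; match, and implements Mathew's point by flagging any archive whose entries are marked encrypted (the appliance cannot look inside, so the policy either drops them all or lets them all pass). Assumptions of mine: attachments are ZIP files, the AV header value and the sample messages are constructed, the extension match is case-insensitive, and the encrypted flag is set by patching the ZIP headers because the standard library cannot write encrypted entries.

```python
"""Offline model of the attachment-drop decisions from the thread (added
example; sample data, header values and helper names are constructed)."""
import io
import re
import zipfile
from email.message import EmailMessage

# Extension list copied from the original poster's message filter; the
# case-insensitive match is an assumption of this example.
BLOCKED_EXT_RE = re.compile(
    r"\.(386|ad|ade|adp|ani|app|asp|aspx|bas|bat|cab|cer|chm|cla|class|cmd|cnt|com|cpl|crt|cur|csh|deb|diagcab|dll|dr|der|dmg|exe|fxp|gadget|grp|hlp|hpj|hta|ico|inf|ins|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|mad|maf|mcf|mda|mdb|mde|mdt|mdw|mdz|mpkg|msc|msh|ms1|msh|mshxml|msh1xml|msh2xml|msh1|msh2|msi|msp|mst|msu|nsf|nsh|ocx|psc1|psc2|pst|psd1|psdm1|reg|rpm|scf|scr|sct|shb|shs|sys|theme|tmp|url|vb|vbe|vbs|vbp|vs|vsmacros|vss|vst|vsw|vxd|webpnp|website|wmf|ws|wsc|wsf|wsh|xbap|xnk|xll)$",
    re.IGNORECASE,
)
# Brendon's header match, e=".+"; (note the semicolon after the closing quote).
AV_ERROR_RE = re.compile(r'e=".+";')


def build_zip(entries, encrypted=False):
    """Build an in-memory ZIP from (name, bytes) pairs. With encrypted=True,
    bit 0 of the general-purpose flag (traditional PKWARE encryption marker)
    is set by patching the local and central-directory headers; the data is
    not really encrypted, we only need the flag the scanner would see."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries:
            zf.writestr(name, data)
    blob = bytearray(buf.getvalue())
    if encrypted:
        # Local file header: flags at +6; central directory entry: flags at +8.
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = blob.find(sig)
            while pos != -1:
                blob[pos + off] |= 0x01
                pos = blob.find(sig, pos + 4)
    return bytes(blob)


def inspect_zip(name, data, drop_encrypted):
    """Reasons to drop a ZIP attachment. Classic ZIP encryption leaves entry
    names in the clear, so the extension check still runs on them; formats
    that encrypt names too would fall through to the encrypted-archive rule."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"unscannable-archive: {name}"]
    with zf:
        infos = zf.infolist()
        for info in infos:
            if BLOCKED_EXT_RE.search(info.filename):
                reasons.append(f"blocked-extension-in-archive: {name}:{info.filename}")
        encrypted = [i.filename for i in infos if i.flag_bits & 0x01]
        if encrypted and drop_encrypted:
            reasons.append(f"encrypted-archive: {name} ({len(encrypted)} entries)")
    return reasons


def evaluate(msg, drop_encrypted_archives=True):
    """Return the list of reasons this message would be dropped; an empty
    list means deliver. Order: AV header verdict first, then each attachment."""
    reasons = []
    av = msg.get("X-IronPort-AV", "")
    if AV_ERROR_RE.search(av):
        reasons.append(f"av-error: {av}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if BLOCKED_EXT_RE.search(name):
            reasons.append(f"blocked-extension: {name}")
        if name.lower().endswith(".zip"):
            payload = part.get_payload(decode=True) or b""
            reasons.extend(inspect_zip(name, payload, drop_encrypted_archives))
    return reasons


def make_message(attachments, av_header=None):
    """Constructed sample message with binary attachments and an optional
    constructed X-IronPort-AV header value."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "inbox@example.test"
    msg["Subject"] = "constructed sample"
    if av_header:
        msg["X-IronPort-AV"] = av_header
    msg.set_content("see attachment")
    for fname, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg


# Constructed samples: header field values below are illustrative, not real
# appliance output.
SAMPLES = {
    "clean_pdf": make_message([("report.pdf", b"%PDF-1.4 constructed")]),
    "plain_exe": make_message([("invoice.exe", b"MZ constructed")]),
    "zip_with_exe": make_message([("docs.zip", build_zip([("setup.exe", b"MZ")]))]),
    "encrypted_zip": make_message(
        [("secret.zip", build_zip([("readme.txt", b"hi")], encrypted=True))],
        av_header='i="0.0,0,0"; e="constructed-error";',
    ),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, "->", evaluate(sample) or "deliver")
```

Running the block prints one verdict per sample; the encrypted sample is dropped twice over, once by the AV header rule and once by the archive rule, which is the redundancy Mathew describes between a content filter on the header and a message filter on the attachment.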

Yes. That makes sense in this case. Thank you
