Filter to drop file types within a compressed email attachment

Hi,

We have the message filter below to drop attachments whose filename has one of the following extensions. However, we also want to drop the attachments in case any of the following file types are present inside a password-protected compressed attachment. How can we achieve this? Guidance appreciated.

drop_attachments: if (recv-listener == "INC") AND (attachment-filename == "\\.(386|ad|ade|adp|ani|app|asp|aspx|bas|bat|cab|cer|chm|cla|class|cmd|cnt|com|cpl|crt|cur|csh|deb|diagcab|dll|dr|der|dmg|exe|fxp|gadget|grp|hlp|hpj|hta|ico|inf|ins|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|mad|maf|mcf|mda|mdb|mde|mdt|mdw|mdz|mpkg|msc|msh|ms1|msh|mshxml|msh1xml|msh2xml|msh1|msh2|msi|msp|mst|msu|nsf|nsh|ocx|psc1|psc2|pst|psd1|psdm1|reg|rpm|scf|scr|sct|shb|shs|sys|theme|tmp|url|vb|vbe|vbs|vbp|vs|vsmacros|vss|vst|vsw|vxd|webpnp|website|wmf|ws|wsc|wsf|wsh|xbap|xnk|xll)$") { drop(); }

3 replies

Some file compression formats are able to also encrypt the file names, so I instead match against the AV scanning result.
Unscannable files, which mostly occur due to encryption, are marked with an AV error code in the headers.
I use the following to catch all AV errors:
header("X-IronPort-AV") == "e=\".+\";"

AV header code info is here.
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117887-qanda-esa-00.html
Cisco Employee

In addition to what Brendon shared, which I find a great solution to the request here if you are using content filters:
You can also run a message filter if you plan to drop it at the message filter stage as well. Essentially, if an attachment is password protected, we won't look into the files inside it. This means you'd need to either drop all password-protected attachments or let them pass if password protected.

Regards,
Matthew
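A worked model of the decisions discussed in this thread, added here as an example; it is not code from the original post, from Cisco, or from the ESA itself. It applies the extension regex from the original post to a top-level attachment name, looks inside a ZIP archive when it can (ZIP stores entry names unencrypted even when contents are password protected, and marks encrypted entries with bit 0 of the general purpose flags), and otherwise falls back to the policy choice Matthew describes: a password-protected archive is either dropped outright or allowed through, because its contents cannot be inspected. It also mirrors Brendon's X-IronPort-AV header test as a Python regex. Assumptions: the sample archives and the sample header value are constructed here (the real error strings are in the Cisco document linked above); the "encrypted" sample is produced by setting the encryption flag bit on an ordinary archive, since Python's zipfile cannot write password-protected archives; and the extension match is made case-insensitive, which the filter as posted does not do (check whether your filter needs a (?i) prefix). 7z and RAR archives, which can encrypt file names too, are not handled.

```python
"""Extension blocking, ZIP inspection and the password-protected-archive policy
from the thread, as a stand-alone model (constructed example, not ESA code)."""
import io
import re
import zipfile

# Extension list taken from the original post's filter (duplicate "msh" removed).
BLOCKED_EXT_RE = re.compile(
    r"\.(386|ad|ade|adp|ani|app|asp|aspx|bas|bat|cab|cer|chm|cla|class|cmd|cnt|com|cpl|crt|cur|csh|deb|diagcab|dll|dr|der|dmg|exe|fxp|gadget|grp|hlp|hpj|hta|ico|inf|ins|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|mad|maf|mcf|mda|mdb|mde|mdt|mdw|mdz|mpkg|msc|msh|ms1|mshxml|msh1xml|msh2xml|msh1|msh2|msi|msp|mst|msu|nsf|nsh|ocx|psc1|psc2|pst|psd1|psdm1|reg|rpm|scf|scr|sct|shb|shs|sys|theme|tmp|url|vb|vbe|vbs|vbp|vs|vsmacros|vss|vst|vsw|vxd|webpnp|website|wmf|ws|wsc|wsf|wsh|xbap|xnk|xll)$",
    re.IGNORECASE,  # assumption: "SETUP.EXE" should be blocked too
)

# Brendon's header test from the thread, as a Python regex.
AV_ERROR_RE = re.compile(r'e=".+";')


def filename_blocked(name: str) -> bool:
    return BLOCKED_EXT_RE.search(name) is not None


def av_error_flagged(x_ironport_av: str) -> bool:
    return AV_ERROR_RE.search(x_ironport_av) is not None


def inspect_zip(data: bytes) -> dict:
    """Parse a ZIP from memory. Entry names live unencrypted in the central
    directory, so they can be listed even when contents are password protected;
    bit 0 of each entry's general purpose flags marks encryption."""
    try:
        infos = zipfile.ZipFile(io.BytesIO(data)).infolist()
    except zipfile.BadZipFile:
        return {"parsed": False, "encrypted": False, "names": [], "blocked": []}
    names = [i.filename for i in infos]
    return {
        "parsed": True,
        "encrypted": any(i.flag_bits & 0x1 for i in infos),
        "names": names,
        "blocked": [n for n in names if filename_blocked(n)],
    }


def decide(attachment_name: str, data: bytes, drop_encrypted: bool = True) -> tuple:
    """Return (action, reason). drop_encrypted is the policy choice from the
    thread: drop every password-protected archive, or let them all through,
    because their contents cannot be inspected."""
    if filename_blocked(attachment_name):
        return ("drop", "blocked extension on attachment")
    if not attachment_name.lower().endswith(".zip"):
        return ("deliver", "not an archive type this example inspects")
    info = inspect_zip(data)
    if not info["parsed"]:
        return ("drop", "claims to be ZIP but does not parse")
    if info["encrypted"]:
        if drop_encrypted:
            return ("drop", "password-protected archive, contents not inspectable")
        return ("deliver", "password-protected archive allowed by policy")
    if info["blocked"]:
        return ("drop", "archive contains " + ", ".join(info["blocked"]))
    return ("deliver", "archive contents clean by extension")


def build_zip(entries: dict, encrypted: bool = False) -> bytes:
    """Constructed test data. zipfile cannot write password-protected archives,
    so the 'encrypted' sample sets bit 0 of the flags in every local file
    header (offset 6) and central directory record (offset 8), which is what
    zipfile reads back as flag_bits. Contents are plain ASCII, so the
    signature search cannot hit file data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            while pos != -1:
                data[pos + off] |= 0x01
                pos = data.find(sig, pos + 4)
    return bytes(data)


# Constructed sample attachments and header value (not captured from a real ESA).
SAMPLE_PLAIN_ZIP = build_zip({"readme.txt": "hello", "payload.js": "alert(1)"})
SAMPLE_ENCRYPTED_ZIP = build_zip({"payload.js": "alert(1)"}, encrypted=True)
SAMPLE_AV_HEADER = 'E=Sophos;i="5.00,000,0000000000"; e="Unscannable";a="000"'

if __name__ == "__main__":
    for name, data in (("invoice.exe", b""), ("docs.zip", SAMPLE_PLAIN_ZIP),
                       ("secret.zip", SAMPLE_ENCRYPTED_ZIP)):
        print(name, decide(name, data))
    print("AV error header flagged:", av_error_flagged(SAMPLE_AV_HEADER))
```

Running it shows the three outcomes the thread is about: a blocked extension on the attachment itself, a blocked extension found inside an inspectable archive, and a password-protected archive that can only be dropped or allowed by policy rather than by content.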

Yes. That makes sense in this case. Thank you