Cisco Secure Email Support Community

Pravar
Beginner

Filter to drop file types within a compressed email attachment

Hi,

We have the below-mentioned message filter to drop messages where the filename has one of the following extensions. However, we also want to drop the attachments in case any of the following files are present in a password-protected compressed attachment. How can we achieve this? Appreciate guidance.

 

 

drop_attachments: if (recv-listener == "INC") AND (attachment-filename == "\\.(386|ad|ade|adp|ani|app|asp|aspx|bas|bat|cab|cer|chm|cla|class|cmd|cnt|com|cpl|crt|cur|csh|deb|diagcab|dll|dr|der|dmg|exe|fxp|gadget|grp|hlp|hpj|hta|ico|inf|ins|isp|its|jar|jnlp|js|jse|ksh|lib|lnk|mad|maf|mcf|mda|mdb|mde|mdt|mdw|mdz|mpkg|msc|msh|ms1|msh|mshxml|msh1xml|msh2xml|msh1|msh2|msi|msp|mst|msu|nsf|nsh|ocx|psc1|psc2|pst|psd1|psdm1|reg|rpm|scf|scr|sct|shb|shs|sys|theme|tmp|url|vb|vbe|vbs|vbp|vs|vsmacros|vss|vst|vsw|vxd|webpnp|website|wmf|ws|wsc|wsf|wsh|xbap|xnk|xll)$") { drop(); }

3 REPLIES 3
Brendon.Ott
Beginner

Some file compression formats are also able to encrypt the file names, so I instead match against the AV scanning result.
Unscannable files, which mostly occur due to encryption, are marked with an AV error code in the headers.
I use the following to catch all AV errors:
header("X-IronPort-AV") == "e=\".+\";"

AV header code info is here.
https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117887-qanda-esa-00.html
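
An added example, not part of the original reply and not Cisco's code: it runs the pattern from the reply above, next to a stricter field-bounded variant, over constructed X-IronPort-AV values to show which ones each pattern flags. The `key="value";` header layout, the `PLACEHOLDER_ERROR` value and the `STRICT_RE` pattern are assumptions made for illustration.

```python
import re
from email import message_from_string

# Pattern from the reply above, with the filter-string escaping removed.
PAGE_RE = re.compile(r'e=".+";')
# Stricter variant (added here): a whole field named e with a non-empty value.
STRICT_RE = re.compile(r'(?:^|;)\s*e="[^"]+"')

# Constructed header values. The key="value"; layout and PLACEHOLDER_ERROR
# are assumptions for illustration, not captured gateway output.
SAMPLES = {
    "no_error":    'E=Sophos;i="0";d="scan";a="1"',
    "error_mid":   'E=Sophos;i="0";e="PLACEHOLDER_ERROR";d="scan";a="1"',
    "error_last":  'E=Sophos;i="0";d="scan";a="1";e="PLACEHOLDER_ERROR"',
    "empty_error": 'E=Sophos;i="0";e="";d="scan";a="1"',
}


def av_header(raw_message):
    """Return the X-IronPort-AV header value of a raw message, or ''."""
    return message_from_string(raw_message).get("X-IronPort-AV", "")


def classify(raw_message):
    """Return (page_pattern_hit, strict_pattern_hit) for one message."""
    value = av_header(raw_message)
    return bool(PAGE_RE.search(value)), bool(STRICT_RE.search(value))


def run_samples():
    """Classify every constructed sample; returns {name: (page, strict)}."""
    results = {}
    for name, value in SAMPLES.items():
        raw = "Subject: constructed sample\nX-IronPort-AV: " + value + "\n\nbody\n"
        results[name] = classify(raw)
    return results


if __name__ == "__main__":
    for name, (page, strict) in run_samples().items():
        print(f"{name:12} page={page!s:5} strict={strict}")
```

The two patterns differ only on the last two samples: `.+` can run across a field boundary, and the trailing `;` is required. Compare against the header your own gateway writes before choosing one.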
Mathew Huynh
Cisco Employee

As well as what Brendon shared, which I find a great solution to the request here if you are using content filters,
you can also run a message filter if you plan to drop it at the message filter as well. Essentially, if an attachment is password protected, we won't look into the files inside it. This means you'd need to either drop -all- password protected or let them pass if password protected.

Regards,
Matthew

Yes. That makes sense in this case. Thank you
