01-14-2016 08:19 AM
Hi all,
I want to implement a filter that can strip zip attachments that contain .exe files.
The filter should work like this:
- The attachment is a zip archive
- and it contains a .exe file
- then strip the zip archive from the mail.
How do I do this?
System: IronPort C170 / AsyncOS 9.7
01-14-2016 05:36 PM
Hey Robert,
Jared has shared a very good message filter that you can deploy; it will check for all those attachment filenames.
A message filter is deployed from the command line (PuTTY):
CLI > filters > new
Paste the filter syntax and commit changes.
However, if you wish to use a content filter via the GUI:
GUI > Mail Policies > Incoming Content Filters
Create a new content filter
Condition -> Attachment filetype is -> Executable (from the drop-down)
Condition 2 -> Attachment Filename contains -> (?i)\.(exe|scr)$
Action:
Strip attachment by file info -> by either filename contains (?i)\.(exe|scr)
Strip attachment by file info -> filetype is Executable
(You can customize this to your own preferences.)
Submit this filter.
GUI > Mail Policies > Incoming Mail Policies
Deploy this content filter onto the policies.
Submit and commit changes.
Regards,
Matthew
01-14-2016 10:03 AM
You can do this as a message filter or as an incoming content filter. This one is a message filter whose action quarantines the message. It looks for any of these file extensions, whether the file is in a zip, a doc, and more.
Obviously you can change the action, but this is the base information.
likely_harmful_attachments_Quarantine: if (attachment-filename == "(?i)\\.(ace|apk|app|bat|cmd|com|command|cpl|csh|dll|exe|gadget|hta|inf1|ins|inx|ipa|isu|job|jse|ksh|lnk|msc|msi|msp|mst|osx|out|paf|pif|prg|ps1|reg|rgs|run|scr|sct|shb|shs|u3p|vb|vbe|vbs|vbscript|workflow|ws|wsf|rar|7z|7zip|js|cab|jsp|class)$") OR (attachment-filetype == "Executable")
{
    log-entry("<===>Not authorized file type! Contact Tech Support for approval! <===>");
    notify("techsupport@yourdomain", "Dangerous Attachment Quarantined", "noreply@yourdomain.com", "Dangerous Attachment");
    quarantine("Bad Quarantine");
}
01-15-2016 12:05 AM
Hi Matthew,
thanks for the reply.
The solution you provided only strips executable attachments on my box, so that is fine.
But I need a filter
"that scans inside the zip archive and, if there is an executable inside the zip archive,
strips the zip archive attachment".
Greetings, Robert
01-15-2016 12:37 AM
Hi Matthew,
your solution works. I had to adjust the Scan Behavior parameters.
Thanks.
Greetings, Robert
01-15-2016 01:11 AM
Given the amount of viral material being thrown around under the guise of various archive types, including ZIP, why would you want to strip the message and then bombard your unfortunate recipient with whatever dross the attacker has tried to cover the payload with?
The same argument goes against notifications to recipients, and any notice or bounce to the sender simply telegraphs your mail policies to your attacker.
If you're not comfortable with message filters, much the same can be achieved (at lesser efficiency) with content rules in the GUI. We make do with a simple if (attachment-filetype == "Executable"), which will navigate ZIPs for content in the executable class, and which you could couple to a drop-attachments-by-name("(?i)\\.zip$"). To test this, add an extra condition that the message must come from your external test address, then try it in combination with the other actions you want to take when the condition is true.
Yes, this will strip ZIP files when the executable is in another attachment, but once I arrive at the point where my code has to intervene in the delivery of a message, I assume a certain latitude.
Don't forget to cover your anti-virus policy for encrypted content such as ZIP files. An attacker will often put the password in the same message, hoping to trick the recipient into opening what your appliance could not.
01-15-2016 12:14 AM
Hi Jared,
thank you for the fast reply. I already have a filter on my box that strips executable attachments from email.
But I need a filter
"that scans inside the zip archive and, if there is an executable inside the zip archive,
strips the zip archive attachment".
How do I do this?
Regards,
01-15-2016 12:38 AM
Hi Jared,
I had to adjust the Scan Behavior parameters. Now it works.
01-15-2016 04:56 AM
Glad it's working.
I will also note that, with this filter, not only does it pick up on file extension names, but attachment-filetype == "Executable" also works well against someone renaming an exe to txt, or even a DOC with an executable inside it.
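The following is an added example, not code from Cisco or from anyone in this thread. It models offline, with the Python standard library, the decision the appliance makes when a filter tests attachment-filetype == "Executable" against a ZIP attachment (with Scan Behavior set to recurse into archives) and then strips the archive, as in Matthew's GUI filter and the drop-attachments-by-name coupling above. It covers the three caveats raised in the thread: detection by magic bytes rather than extension (the renamed .exe Jared mentions), bounded recursion into nested archives, and encrypted ZIPs, which cannot be inspected and are therefore treated as failing the check. The extension list, recursion limit, per-entry read cap, sample message and archives are all constructed assumptions.

```python
import io
import zipfile
from email.message import EmailMessage

# Assumptions (not from the thread): extension list, recursion limit, per-entry read cap.
EXEC_EXTENSIONS = (".exe", ".scr", ".dll", ".com", ".pif", ".cpl", ".msi",
                   ".bat", ".cmd", ".js", ".jse", ".vbs", ".vbe", ".ps1", ".hta")
MAX_DEPTH = 3
MAX_NESTED_BYTES = 16 * 1024 * 1024

def is_executable_content(head: bytes) -> bool:
    """Magic bytes: PE/DOS starts with 'MZ', ELF with 0x7F 'ELF'. Catches a renamed .exe."""
    return head[:2] == b"MZ" or head[:4] == b"\x7fELF"

def zip_contains_executable(blob: bytes, depth: int = 0) -> tuple[bool, str]:
    """Return (strip?, reason). Anything that cannot be inspected (encrypted entry,
    malformed or oversize nested archive) is treated as executable, not as clean."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return True, "not a valid ZIP archive"
    with zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            if info.flag_bits & 0x1:                      # bit 0: entry is encrypted
                return True, f"encrypted entry {info.filename}"
            name = info.filename.lower()
            if name.endswith(EXEC_EXTENSIONS):
                return True, f"executable filename {info.filename}"
            with zf.open(info) as fh:                     # bounded read: a zip bomb
                data = fh.read(MAX_NESTED_BYTES + 1)      # cannot exhaust memory here
            if is_executable_content(data[:4]):
                return True, f"executable content in {info.filename}"
            if name.endswith(".zip"):
                if depth >= MAX_DEPTH or len(data) > MAX_NESTED_BYTES:
                    return True, f"nested archive {info.filename} too deep or too large"
                hit, reason = zip_contains_executable(data, depth + 1)
                if hit:
                    return True, f"{info.filename} -> {reason}"
    return False, "no executable found"

def strip_zips_with_executables(msg: EmailMessage) -> list[str]:
    """Remove failing ZIP attachments in place; return one log line per stripped part."""
    log = []
    for container in msg.walk():
        if not container.is_multipart():
            continue
        kept = []
        for part in container.get_payload():
            name = (part.get_filename() or "").lower()
            if name.endswith(".zip") or part.get_content_type() == "application/zip":
                hit, reason = zip_contains_executable(part.get_payload(decode=True))
                if hit:
                    log.append(f"stripped {part.get_filename()}: {reason}")
                    continue
            kept.append(part)
        container.set_payload(kept)
    return log

# Constructed fixtures below; none of this is real sample data.
PE_STUB = b"MZ\x90\x00" + b"\x00" * 60     # carries the PE magic, is not a program

def make_zip(entries: dict, compression=zipfile.ZIP_DEFLATED) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def mark_encrypted(blob: bytes) -> bytes:
    """Set the 'encrypted' flag bit in every local (offset 6) and central (offset 8)
    header: how a password-protected ZIP looks to an inspector. Data is left as is."""
    data = bytearray(blob)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = data.find(sig)
        while pos != -1:
            data[pos + off] |= 0x01
            pos = data.find(sig, pos + 4)
    return bytes(data)

def build_message(attachments: dict) -> EmailMessage:
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "robert@example.com", "Invoice"
    msg.set_content("Please see the attached files.")
    for name, blob in attachments.items():
        msg.add_attachment(blob, maintype="application", subtype="zip", filename=name)
    return msg

def demo() -> tuple[list[str], list[str]]:
    """Five archives, one clean; returns (log lines, names of surviving attachments)."""
    msg = build_message({
        "invoice.zip": make_zip({"invoice.pdf": b"%PDF-1.4 harmless"}),
        "payload.zip": make_zip({"docs/Invoice.EXE": PE_STUB}),
        "renamed.zip": make_zip({"readme.txt": PE_STUB}),
        "nested.zip": make_zip({"inner.zip": make_zip({"run.scr": PE_STUB})}),
        "locked.zip": mark_encrypted(make_zip({"statement.pdf": b"x"}, zipfile.ZIP_STORED)),
    })
    log = strip_zips_with_executables(msg)
    return log, [p.get_filename() for p in msg.iter_attachments()]
```

Calling demo() strips four of the five archives and leaves only invoice.zip; the log line for each records why, which is the same information a log-entry() action would give you on the appliance. The verdict and the action are deliberately separate functions: the objection raised above, that delivering a stripped message still hands the recipient the attacker's lure, is met by keeping zip_contains_executable and quarantining the whole message instead of calling strip_zips_with_executables.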