how to block zip archive attachements that contain .exe files

Robert Sahmel (Level 1)

Hi all,

I want to implement a filter that can strip zip attachments that contain .exe files.

The filter should work like this:

- Attachment is a zip archive
- and contains an .exe file
- then strip the zip archive from the mail

How do I do this?

System: IronPort C170 / AsyncOS 9.7

1 Accepted Solution (Matthew's reply, below)

8 Replies

Jrod (Level 1)

You can do this as a message filter or an incoming content filter. This one is a filter that will quarantine the message. It will look for any of these file extensions, whether they are in a zip file, a doc, or elsewhere.

Obviously you can change the action, but this is the base information.

likely_harmful_attachments_Quarantine:
    if (attachment-filename == "(?i)\\.(ace|apk|app|bat|cmd|com|command|cpl|csh|dll|exe|gadget|hta|inf1|ins|inx|ipa|isu|job|jse|ksh|lnk|msc|msi|msp|mst|osx|out|paf|pif|prg|ps1|reg|rgs|run|scr|sct|shb|shs|u3p|vb|vbe|vbs|vbscript|workflow|ws|wsf|rar|7z|7zip|js|cab|jsp|class)$")
       OR (attachment-filetype == "Executable")
    {
        quarantine("Bad Quarantine");
        log-entry("<===>Not authorized file type! Contact Tech Support for approval! <===>");
        notify("techsupport@yourdomain", "Dangerous Attachment Quarantined", "noreply@yourdomain.com", "Dangerous Attachment");
    }

Hey Robert,

Jared has shared a very good message filter that you can deploy; it will check for all those attachment filenames.

A message filter is deployed from the command line (for example over PuTTY):

CLI > filters > new

Paste the filter syntax and commit the changes.

However, if you wish to use a content filter via the GUI:

GUI > Mail Policies > Incoming Content Filters

Create a new content filter.

Condition -> Attachment Filetype is -> Executable (from the drop-down)

Condition 2 -> Attachment Filename contains -> (?i)\.(exe|scr)$

Action:

Strip attachment by file info -> either by filename contains (?i)\.(exe|scr)

or

Strip attachment by file info -> filetype is Executable

(You can customize this to your own preferences.)

Submit this filter.

GUI > Mail Policies > Incoming Mail Policies

Deploy this content filter on the policies.

Submit and commit the changes.

Regards,

Matthew

Hi Matthew,

Thanks for the reply.

The solution you provided only strips executable attachments on my box, so that is fine.

But I need a filter

"that scans inside the zip archive and, if there is an executable inside the zip archive,

strips the zip archive attachment".

Greetings, Robert

Hi Matthew,

Your solution works. I had to adjust the Scan Behavior parameters.

Thanks.

Greetings, Robert

Given the amount of viral material being thrown around under the guise of various archive types including ZIP, why would you want to strip the message then bombard your unfortunate recipient with whatever dross the attacker has tried to cover the payload with?

The same argument goes against notifications to recipients, and any notice or bounce to the sender simply telegraphs your mail policies to your attacker.

If you're not comfortable with message filters, much the same can be achieved (at lesser efficiency) with content rules in the GUI. We make do with a simple if(attachment-filetype == Executable) which will navigate ZIPs for content in the executable class, which you could couple to a drop-attachments-by-name(".ZIP$"). To test this, add an extra condition that the message must come from your external test address then try it in combination with other actions you want to take when the condition is true.

Yes, this will strip ZIP files when the executable is in another attachment, but once I arrive at the point where my code has to intervene in the delivery of a message I assume a certain latitude.

Don't forget to cover your anti-virus policy for encrypted content such as ZIP files. An attacker will often put the password in the same message, hoping to trick the recipient into opening what your appliance could not.

Hi Jared,

Thank you for the fast reply. I already have a filter that strips executable attachments in email on my box.

But I need a filter

"that scans inside the zip archive and, if there is an executable inside the zip archive,

strips the zip archive attachment".

How do I do this?

Regards,

Hi Jared,

I had to adjust the Scan Behavior parameters. Now it works.

Glad it's working.

I will also note that, with this filter, not only does it pick up on file extension names, but the attachment-filetype == "Executable" condition works well against someone renaming an exe to txt, or even a DOC with an executable inside it.
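The behaviour this thread converges on (strip the whole ZIP when any member is an executable, recognise executables by their content rather than only by name, and keep encrypted archives and nesting depth in mind) as an added, stand-alone Python illustration. This is not AsyncOS code and does not reproduce the appliance's file-type fingerprinting: the MZ-header check stands in for the "Executable" filetype, MAX_ARCHIVE_DEPTH stands in for the Scan Behavior depth limit, encrypted or over-deep content is treated as a match (fail closed, a policy choice made here), and the message, addresses and the MZ-prefixed stub are constructed sample data.

```python
"""Added illustration (not AsyncOS code): strip ZIP attachments that contain
an executable, looking inside nested archives to a bounded depth."""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Subset of the extension list posted above; case-insensitive, anchored at the end.
EXEC_NAME_RE = re.compile(r"(?i)\.(exe|scr|dll|com|bat|cmd|pif|msi|js|vbs|ps1)$")
MAX_ARCHIVE_DEPTH = 3  # assumed limit; on the appliance this comes from Scan Behavior


def is_executable_bytes(data: bytes) -> bool:
    """Content-based check that ignores the filename: DOS/PE executables start with 'MZ'."""
    return data[:2] == b"MZ"


def zip_contains_executable(blob: bytes, depth: int = 0) -> tuple[bool, list[str]]:
    """Return (found, reasons) for a ZIP blob, recursing into nested ZIPs.
    Unscannable content (too deep, unreadable, encrypted) counts as a match."""
    if depth >= MAX_ARCHIVE_DEPTH:
        return True, ["nesting deeper than scan limit: unscannable, treated as a match"]
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return True, ["not a readable ZIP: unscannable, treated as a match"]
    reasons: list[str] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                reasons.append(f"{info.filename}: encrypted member, cannot inspect")
                continue
            data = zf.read(info)
            if EXEC_NAME_RE.search(info.filename):
                reasons.append(f"{info.filename}: executable extension")
            elif is_executable_bytes(data):
                reasons.append(f"{info.filename}: MZ header despite harmless name")
            elif zipfile.is_zipfile(io.BytesIO(data)):
                _, inner = zip_contains_executable(data, depth + 1)
                reasons.extend(f"{info.filename}/{r}" for r in inner)
    return bool(reasons), reasons


def strip_dangerous_zips(raw: bytes) -> tuple[EmailMessage, list[str]]:
    """Parse a raw RFC 5322 message and remove every ZIP attachment that
    contains an executable. Returns the modified message and a log of what
    was stripped and why (the appliance equivalent would be log-entry())."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    log: list[str] = []
    # iter_attachments() yields from a copy of the payload list, so removing
    # parts from the live list while iterating is safe.
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(payload)):
            continue  # only archive attachments are handled in this example
        found, reasons = zip_contains_executable(payload)
        if found:
            log.append(f"stripped {part.get_filename()!r}: " + "; ".join(reasons))
            msg.get_payload().remove(part)
    return msg, log


# --- constructed sample data so the example runs offline ---------------------
def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {member name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message(zip_bytes: bytes, filename: str) -> bytes:
    """Constructed message with one text body and one ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"  # hypothetical addresses
    msg["To"] = "robert@example.test"
    msg["Subject"] = "invoice"
    msg.set_content("Please see the attached archive.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # constructed PE-like stub, not a real binary
    samples = {
        "docs.zip": make_zip({"readme.txt": b"hello"}),
        "invoice.zip": make_zip({"invoice.pdf.exe": fake_pe}),
        "renamed.zip": make_zip({"notes.txt": fake_pe}),
        "nested.zip": make_zip({"inner.zip": make_zip({"run.scr": fake_pe})}),
    }
    for name, blob in samples.items():
        _, log = strip_dangerous_zips(build_sample_message(blob, name))
        print(name, "->", log or ["delivered unchanged"])
```

The "renamed.zip" sample is the case Jared describes: the member is called notes.txt, so the name regex never fires, and only the content check catches it. Raising MAX_ARCHIVE_DEPTH trades CPU for coverage in the same way the appliance's Scan Behavior depth does, and the encrypted-member branch is where an anti-virus or quarantine policy has to take over, since no filter can look inside.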
