How to block zip files containing executable files?

Jay Joshi
Level 1

Hello, 

I am trying to implement a policy on ESA which is supposed to work as follows: if the attachment is a .zip and has any form of executable file in it, I need to drop it!

Here is what I am trying, but it isn't working:

Order 1:
attachment-filename == "\\.(ace|apk|app|bat|cmd|com|command|cpl|csh|dll|exe|gadget|hta|inf1|ins|inx|ipa|isu|job|jse|ksh|lnk|msc|msi|msp|mst|osx|out|paf|pif|prg|ps1|reg|rgs|run|scr|sct|shb|shs|u3p|vb|vbe|vbs|vbscript|workflow|ws|wsf|cpl|js|cab|jsp|class|zip)$"


Order 2:

attachment-filetype == "Executable"


Action 
Drop 


But somehow this doesn't work and I still get the emails.



Please help


Thank You

4 Replies

Raed Boshmaf
Cisco Employee

Hi, just implement the following incoming content filter and assign it to the incoming mail policy in question:

Condition > attachment-filetype == "Executable" 

Action > Quarantine("Policy") [You can change this into drop after testing the filter and seeing how it performs]

The reason for this is the fact that the filter will body-scan .zip files and .rar files, which means that the filter will check .zip files and .rar files for the "Executable" condition and take action based on the filter ("Quarantine" in this case).

Ref: AsyncOS version 9.7.1 user guide page 212

Note about your filter: in the drop-down list next to the conditions, are you using "If one or more conditions match" (aka OR) or "Only if all conditions match" (aka AND)?

Regards

Raed

My apologies, Raed. I've got into the bad habit of loading up a series of threads from the forum and then replying, sometimes a considerable while later. As a result some of my postings are out of sequence or redundant. I'll go back to composing off-line.

No worries

exMSW4319
Level 3

If you are handling password-protected attachments elsewhere (they will cause issues during the AV check) then you don't need to block ZIP explicitly, as AsyncOS can traverse a ZIP archive with no password even if an attacker recurses a ZIP within a ZIP. Depending on the version of AsyncOS it can also check a couple of other container types too. If there are executables inside, your rule should trigger. Testing this is easy, and essential.

I take it that you're working on a Content Rule rather than a Message Filter. What is the "Apply Rule" setting in the upper right-hand corner of the Conditions panel? You might be imposing a logical And rather than the Or you need.

You'll find condition #1 easier to maintain if you list the components in alphabetical order.

You don't appear to be looking for 7z archives. There are lots of different container formats of increasing obscurity and it's always difficult to know where to stop, but I've seen enough attacks based on the 7z format to include it in my own version of this rule. Incidentally, both 7z and ZIP are in the Asyncos pre-defined File Type "Compressed" if you wanted to block all containers.
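To make the behaviour both replies describe concrete, here is an added, stand-alone Python illustration (not AsyncOS code, and not from any poster in this thread) of what a content filter has to do with a ZIP attachment: walk every entry, recurse into ZIPs nested inside ZIPs, and flag any entry whose name ends in one of the executable extensions from the original post. The extension list is the poster's regex with `zip` removed (the container is traversed rather than matched) and the duplicated `cpl` dropped. Entries whose encryption flag is set are reported separately, because a password-protected archive cannot be inspected and should not be treated as clean. The sample archives are constructed in memory; the `DROP` / `QUARANTINE` / `DELIVER` verdicts are an assumed mapping onto the filter actions discussed above.

```python
"""Constructed, offline demo of "does this ZIP attachment contain an executable?"
Illustrative Python only; it models the check, not AsyncOS itself."""
import io
import re
import zipfile

# Poster's extension list, minus 'zip' (handled as a container) and the duplicate 'cpl'.
EXECUTABLE_EXT_RE = re.compile(
    r"\.(ace|apk|app|bat|cmd|com|command|cpl|csh|dll|exe|gadget|hta|inf1|ins|"
    r"inx|ipa|isu|job|jse|ksh|lnk|msc|msi|msp|mst|osx|out|paf|pif|prg|ps1|reg|"
    r"rgs|run|scr|sct|shb|shs|u3p|vb|vbe|vbs|vbscript|workflow|ws|wsf|js|cab|"
    r"jsp|class)$",
    re.IGNORECASE,
)


def inspect_zip(data: bytes, max_depth: int = 3) -> dict:
    """Walk a ZIP (recursing into nested ZIPs up to max_depth).
    Returns {'executables': [...], 'encrypted': [...], 'too_deep': bool};
    nested entries are named like 'outer.zip/inner.exe'."""
    result = {"executables": [], "encrypted": [], "too_deep": False}
    _walk(data, "", 0, max_depth, result)
    return result


def _walk(data: bytes, prefix: str, depth: int, max_depth: int, result: dict) -> None:
    if depth > max_depth:
        result["too_deep"] = True  # stop recursing; caller decides what to do
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a ZIP at all: nothing to traverse at this level
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = prefix + info.filename
            if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                result["encrypted"].append(name)
                continue  # cannot read it, so cannot call it clean
            if EXECUTABLE_EXT_RE.search(info.filename):
                result["executables"].append(name)
            if info.filename.lower().endswith(".zip"):
                _walk(zf.read(info), name + "/", depth + 1, max_depth, result)


def verdict(data: bytes) -> str:
    """Assumed mapping onto the filter actions discussed in the thread."""
    r = inspect_zip(data)
    if r["executables"]:
        return "DROP"
    if r["encrypted"] or r["too_deep"]:
        return "QUARANTINE"  # could not fully inspect the archive
    return "DELIVER"


def build_zip(entries: dict) -> bytes:
    """Constructed sample builder: {name: payload bytes} -> ZIP bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed sample attachments (the payloads are placeholder bytes, not real files).
SAMPLE_CLEAN = build_zip({"report.pdf": b"%PDF-1.4 constructed", "notes.txt": b"hello"})
SAMPLE_DIRECT = build_zip({"invoice.PDF.exe": b"MZ constructed stub"})
SAMPLE_NESTED = build_zip(
    {"docs.zip": build_zip({"readme.txt": b"x", "setup.js": b"// constructed"})}
)

if __name__ == "__main__":
    for label, blob in [("clean", SAMPLE_CLEAN), ("direct", SAMPLE_DIRECT), ("nested", SAMPLE_NESTED)]:
        print(f"{label:7s} {verdict(blob):10s} {inspect_zip(blob)['executables']}")
```

The nested sample is the case exMSW4319 raises: the outer name `docs.zip` matches nothing in the executable list, so a filename-only condition on the attachment would pass it, and only the traversal finds `docs.zip/setup.js`. The same code also shows why an encrypted ZIP needs its own handling rather than falling through to "deliver".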