06-04-2016 09:28 PM
Hello,
I am trying to implement a policy on ESA which is supposed to work as follows: if the attachment is a .zip and has any form of executable file, I need to drop it!
Here is what I am trying, but it isn't working:
Order 1:
attachment-filename == "\\.(ace|apk|app|bat|cmd|com|command|cpl|csh|dll|exe|gadget|hta|inf1|ins|inx|ipa|isu|job|jse|ksh|lnk|msc|msi|msp|mst|osx|out|paf|pif|prg|ps1|reg|rgs|run|scr|sct|shb|shs|u3p|vb|vbe|vbs|vbscript|workflow|ws|wsf|cpl|js|cab|jsp|class|zip)$"
Order 2:
attachment-filetype == "Executable"
Action
Drop
But somehow this doesn't work and I still get the emails.
Please help.
Thank You
06-06-2016 02:31 AM
Hi, Just implement the following incoming content filter and assign it to the incoming mail policy in question:
Condition > attachment-filetype == "Executable"
Action > Quarantine("Policy") [You can change this into drop after testing the filter and seeing how it performs]
The reason for this is the fact that the filter will body-scan .zip files and .rar files, which means that the filter will check .zip files and .rar files for the "Executable" condition and take the action configured in the filter ("Quarantine" in this case).
Ref: AsyncOS version 9.7.1 user guide page 212
Note about your filter: from the drop-down list next to the conditions, are you using "If one or more conditions match" (aka OR) or "Only if all conditions match" (aka AND)?
Regards
Raed
06-06-2016 03:48 AM
My apologies, Raed. I've got into the bad habit of loading up a series of threads from the forum and then replying, sometimes a considerable while later. As a result some of my postings are out of sequence or redundant. I'll go back to composing off-line.
06-06-2016 04:27 AM
No worries
06-06-2016 02:48 AM
If you are handling password-protected attachments elsewhere (they will cause issues during the AV check) then you don't need to block ZIP explicitly, as AsyncOS can traverse a ZIP archive with no password even if an attacker recurses a ZIP within a ZIP. Depending on the version of AsyncOS it can also check a couple of other container types too. If there are executables inside, your rule should trigger. Testing this is easy, and essential.
I take it that you're working on a Content Rule rather than a Message Filter. What is the "Apply Rule" setting in the upper right-hand corner of the Conditions panel? You might be imposing a logical And rather than the Or you need.
You'll find condition #1 easier to maintain if you list the components in alphabetical order.
You don't appear to be looking for 7z archives. There are lots of different container formats of increasing obscurity and it's always difficult to know where to stop, but I've seen enough attacks based on the 7z format to include it in my own version of this rule. Incidentally, both 7z and ZIP are in the AsyncOS pre-defined File Type "Compressed" if you wanted to block all containers.
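To make the point in the replies above testable before touching the ESA itself, here is an added Python example (not code from Cisco, AsyncOS or anyone in this thread) that does offline what the "Executable" filetype condition is expected to do: open a ZIP attachment, walk its members, recurse into nested ZIPs, and report any member whose name matches the extension list from the original post (with "zip" removed from the list, since archives are opened rather than matched by name). The recursion depth limit, the signature-based detection of nested archives, the case-insensitive match and the sample archives are all assumptions made for the example.

```python
import io
import re
import zipfile

# Extension list taken from the original post's attachment-filename condition,
# minus "zip" (archives are opened here, not matched by name).
# Case-insensitive matching is an assumption; adjust to your filter's behaviour.
EXECUTABLE_EXT_RE = re.compile(
    r"\.(ace|apk|app|bat|cmd|com|command|cpl|csh|dll|exe|gadget|hta|inf1|ins|inx"
    r"|ipa|isu|job|jse|ksh|lnk|msc|msi|msp|mst|osx|out|paf|pif|prg|ps1|reg|rgs"
    r"|run|scr|sct|shb|shs|u3p|vb|vbe|vbs|vbscript|workflow|ws|wsf|js|cab|jsp|class)$",
    re.IGNORECASE,
)

# Assumption: stop descending into nested archives beyond this depth so a
# deliberately deep ZIP-in-ZIP chain cannot make the check run forever.
MAX_DEPTH = 5

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature of a non-empty ZIP file


def find_executables(zip_bytes, depth=0, prefix=""):
    """Return paths of members whose extension matches, recursing into nested ZIPs.

    Nested archives are detected by their PK signature rather than by name, so an
    inner archive renamed to e.g. 'data.bin' is still opened and inspected.
    """
    hits = []
    if depth > MAX_DEPTH:
        return hits
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if EXECUTABLE_EXT_RE.search(info.filename):
                hits.append(path)
            data = zf.read(info)
            if data.startswith(ZIP_LOCAL_HEADER):
                hits.extend(find_executables(data, depth + 1, path + "/"))
    return hits


def should_drop(zip_bytes):
    """The filter decision: drop when at least one executable member is found."""
    return bool(find_executables(zip_bytes))


def build_nested_sample():
    """Constructed test fixture: outer.zip -> readme.txt + inner.zip -> invoice.pdf + setup.exe."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("docs/invoice.pdf", b"%PDF-1.4 constructed sample")
        z.writestr("setup.exe", b"MZ constructed sample, not a real binary")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"constructed sample")
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


def build_clean_sample():
    """Constructed test fixture with no executable members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.txt", b"constructed sample")
        z.writestr("notes/summary.csv", b"a,b,c")
    return buf.getvalue()


if __name__ == "__main__":
    print("nested sample:", find_executables(build_nested_sample()), "drop =", should_drop(build_nested_sample()))
    print("clean sample:", find_executables(build_clean_sample()), "drop =", should_drop(build_clean_sample()))
```

Running it shows the nested fixture flagged as inner.zip/setup.exe and the clean fixture passing. The same two fixtures, written to disk and mailed through the appliance, give a quick check of the "Apply Rule" setting discussed above: with the filename-regex and filetype conditions combined as AND, a message must satisfy both before the Drop action fires, whereas OR fires on either.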