Beginner

How to block zip files containing executable files?

Hello, 

I am trying to implement a policy on ESA which is supposed to work as follows: if the attachment is .zip and has any form of executable file, I need to drop it!

Here is what I am trying, but it ain't working:

Order 1 :
attachment-filename == "\\.(ace|apk|app|bat|cmd|com|command|cpl|csh|dll|exe|gadget|hta|inf1|ins|inx|ipa|isu|job|jse|ksh|lnk|msc|msi|msp|mst|osx|out|paf|pif|prg|ps1|reg|rgs|run|scr|sct|shb|shs|u3p|vb|vbe|vbs|vbscript|workflow|ws|wsf|cpl|js|cab|jsp|class|zip)$"


Order 2 : 

attachment-filetype == "Executable"


Action 
Drop 


But somehow this doesn't work and I still get emails.



Please help.


Thank You

Cisco Employee

Hi, just implement the following incoming content filter and assign it to the incoming mail policy in question:

Condition > attachment-filetype == "Executable" 

Action > Quarantine("Policy") [You can change this to Drop after testing the filter and seeing how it performs]

The reason for this is that the filter will body-scan .zip files and .rar files, which means that the filter will check .zip and .rar files for the "Executable" condition and take action based on the filter (Quarantine in this case).

Ref: AsyncOS version 9.7.1 user guide page 212

Note about your filter: in the drop-down list next to Conditions, are you using "If one or more conditions match" (aka OR) or "Only if all conditions match" (aka AND)?

Regards

Raed

Participant

My apologies, Raed. I've got into the bad habit of loading up a series of threads from the forum and then replying, sometimes a considerable while later. As a result some of my postings are out of sequence or redundant. I'll go back to composing off-line.

Cisco Employee

No worries

Participant

If you are handling password-protected attachments elsewhere (they will cause issues during the AV check), then you don't need to block ZIP explicitly, as AsyncOS can traverse a ZIP archive with no password even if an attacker recurses a ZIP within a ZIP. Depending on the version of AsyncOS it can also check a couple of other container types too. If there are executables inside, your rule should trigger. Testing this is easy, and essential.

I take it that you're working on a Content Rule rather than a Message Filter. What is the "Apply Rule" setting in the upper right-hand corner of the Conditions panel? You might be imposing a logical And rather than the Or you need.

You'll find condition #1 easier to maintain if you list the components in alphabetical order.

You don't appear to be looking for 7z archives. There are lots of different container formats of increasing obscurity and it's always difficult to know where to stop, but I've seen enough attacks based on the 7z format to include it in my own version of this rule. Incidentally, both 7z and ZIP are in the AsyncOS pre-defined File Type "Compressed" if you wanted to block all containers.
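Both Raed's answer and the reply above rest on the same point: the `attachment-filetype == "Executable"` condition body-scans ZIP attachments (including a ZIP nested inside a ZIP) for executable content, rather than trusting the file name the way the `attachment-filename` regex does. The Python script below is an added illustration of that walk, written for this page; it is not part of the thread and not Cisco's code, and its extension list is copied from the filter in the question while the magic-byte table and the sample attachment are constructed here. It lets you build a test ZIP (with a nested archive, a renamed executable and a plain text file) and see which members a name check misses but a content check catches, which is the "easy, and essential" testing the reply recommends. Encrypted members are reported as uninspectable rather than silently skipped, matching the note about password-protected attachments.

```python
import io
import re
import zipfile

# Extension list copied from the filter in the question ("zip" left out because
# archives are recursed into rather than matched by name; "cpl" listed once).
EXEC_NAME_RE = re.compile(
    r"\.(ace|apk|app|bat|cmd|com|command|cpl|csh|dll|exe|gadget|hta|inf1|ins|inx|"
    r"ipa|isu|job|jse|ksh|lnk|msc|msi|msp|mst|osx|out|paf|pif|prg|ps1|reg|rgs|run|"
    r"scr|sct|shb|shs|u3p|vb|vbe|vbs|vbscript|workflow|ws|wsf|js|cab|jsp|class)$",
    re.IGNORECASE,
)

# Leading bytes of common executable formats (our own small table, constructed
# for this example; the ESA's own file-type detection is not published here).
EXEC_MAGIC = {
    b"MZ": "PE/DOS executable",
    b"\x7fELF": "ELF executable",
    b"\xca\xfe\xba\xbe": "Java class file",
}
ZIP_MAGIC = b"PK\x03\x04"  # local file header of a non-empty ZIP


def content_type(head: bytes):
    """Return a label if the leading bytes look like an executable, else None."""
    for magic, label in EXEC_MAGIC.items():
        if head.startswith(magic):
            return label
    return None


def scan_zip(data: bytes, max_depth: int = 3, _prefix: str = "", _depth: int = 0):
    """Walk a ZIP (and ZIPs nested inside it) and return (member_path, reason)
    pairs for every member that should make a mail filter fire."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [(_prefix or "<root>", "not a valid ZIP archive")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = f"{_prefix}/{info.filename}" if _prefix else info.filename
            # Bit 0 of the general-purpose flags marks an encrypted entry. It cannot
            # be inspected, which is why password-protected attachments need their
            # own handling rather than this check.
            if info.flag_bits & 0x1:
                findings.append((path, "encrypted member, cannot be inspected"))
                continue
            member = zf.read(info)  # mail attachments are small; whole member in memory
            reasons = []
            if EXEC_NAME_RE.search(info.filename):
                reasons.append("executable extension")
            label = content_type(member[:4])
            if label:
                reasons.append(f"content is {label}")  # catches renamed executables
            if member.startswith(ZIP_MAGIC):
                if _depth < max_depth:
                    findings.extend(scan_zip(member, max_depth, path, _depth + 1))
                    continue
                reasons.append(f"nested archive deeper than max_depth={max_depth}")
            if reasons:
                findings.append((path, "; ".join(reasons)))
    return findings


def should_drop(data: bytes, max_depth: int = 3) -> bool:
    """Mirror the filter's Drop action: any finding means the message is dropped."""
    return bool(scan_zip(data, max_depth))


def build_sample() -> bytes:
    """Constructed test attachment: a ZIP holding a text file, a .js file and a
    nested ZIP that carries a .exe plus executable bytes disguised as .txt."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice.exe", b"MZ" + b"\x90" * 62)  # PE-looking stub, not a real program
        z.writestr("notes.txt", b"MZ" + b"\x00" * 62)    # executable content, harmless name
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("readme.txt", b"Quarterly figures attached.")
        z.writestr("archive.zip", inner.getvalue())
        z.writestr("update.js", b"console.log('constructed sample');")
    return outer.getvalue()


if __name__ == "__main__":
    for path, reason in scan_zip(build_sample()):
        print(f"{path}: {reason}")
    print("drop" if should_drop(build_sample()) else "deliver")
```

Run as a script it lists `archive.zip/invoice.exe`, `archive.zip/notes.txt` and `update.js`; `readme.txt` passes. The `notes.txt` hit is the one the question's filename regex can never produce, and `max_depth` shows why a nesting limit has to fail closed: at depth 0 the nested `archive.zip` is reported as uninspected instead of being passed through.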