Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2808
Views
0
Helpful
3
Replies

how to filter password protected and unscannable files

rajeevbhaskar
Level 1
Level 1

‎06-01-2016 08:16 AM

Hello,

Can we have a filter to decide an action on mail attachment during the AV scan?

For e.g.) 1. Only strip and quarantine password protected attachments and deliver other attachments to recipients ?

2. Strip and quarantine the unscannable files and release the rest of the mail to recipient as part of AV scan ?

Thanks,

Rajeev

Labels:
0 Helpful
3 Replies 3

Raed Boshmaf
Cisco Employee
Cisco Employee

‎06-01-2016 12:43 PM

Hi Rajeev,

Give the following a try:

Q1)

You can create a content filter with condition attachment-protected "which will look for passworded/encrypted attachments". and set the two actions the first one is  drop_attachments("") and the second action to quarantine("Policy") or if you want to send it to the virus quarantine then replace the second action to insert header X-IronPort-AV with value Yes.

Q2)

You can set the action for unscannable file in the anti-virus engine to deliver from the advanced setting add a header > then create a filter that will have a condition to see if that header exist and set two actions drop_attachments("") and  insert header X-IronPort-AV with value Yes, so that it will be send to the virus quarantine.

Regards

Raed 

0 Helpful

rajeevbhaskar
Level 1
Level 1
In response to Raed Boshmaf

‎06-01-2016 12:50 PM

Hi Raed,

thanks for your suggestions.

i have tried a similar content filter without any luck, the problem is if the mail has multiple attachments, normal files and password protected file then the action is applied on both.

how do we overcome this ?

Thanks,

Rajeev

0 Helpful

Raed Boshmaf
Cisco Employee
Cisco Employee
In response to rajeevbhaskar

‎06-01-2016 01:32 PM

True for multiple attachments the action will be implemented on both, check this ESA Content Filters for Email Messages with Multiple Attachments "the example in the article might be different but the point is that is confirm the actions for multiple attachments will be taken on all if one matches" since this is the way the filters will act by design.

0 Helpful
Customers Also Viewed These Support Documents