Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6547
Views
0
Helpful
2
Replies

IronPort Attachment Filtering using Content Filter Dictionaries

Fireblade310
Level 1
Level 1

‎11-16-2014 11:07 PM

Hello,

one of our customers experiences some Problems with filtering attachments based on their file extensions.

What we did: We created a dictionary with extension formats like ".exe" or ".cab"

Based on this dictionary we created a policy, that all Mails are scanned. If an attachment matching this dictionary is in the mail, this attachment will be striped and replaced by a TXT file.

In my tests this worked fine, only files matching are replaced, the others pass. BUT after activating the rule, we had the Problem, that a lot of attachments not having an extension that should be filtered where striped. So ".xls" or ".pdf" where striped too.

Can you help me how to configure it correct? Do we have to change something in the Dictionary? Why is this happening, any explanation?

 

Thanks a lot for your help in advance and best regards

Michael

Labels:
0 Helpful
2 Replies 2

daniel larsen
Level 1
Level 1

‎01-08-2015 08:13 AM

Hello,

We are doing something similar, but we are not using a dictionary. We specify the file extension in a content filter action of strip attachment by file info, file name ends with, and we use this regular expression:

 

(?i)\.bat

 

(?i) makes it case insensitive, the "\" makes the action search for the special character period (which in regex is a wildcard), and then the file extension. 

 

When you save it, it will look a little off, the GUI adds some regex characters to it. the entry will look something like this on the content filter page:

 

drop-attachments-by-name("(?i)\\.bat$"

 

This expression will drop all instances of file extensions that have .bat, which includes all possible combinations. Examples include .BAT, .bat, .bAT, so on and so forth.

 

Hope this helps =) 

 

 

 

0 Helpful

Andreas Mueller
Level 4
Level 4

‎01-09-2015 02:18 AM

Hi Michael,

words in dictionaries are seen as regular expressions, thus an entry like

.exe

would also match on a word like june_executive_summary.pdf

 

(in regular expressions, the single period (.) represents a character)

 

To match extensions only, you can add a $ sign to the entry, which means "only at the end of a filename".  Also masquerade the period, so it it is seen as one.

 

\\.cab$

\\.exe$

 

Also make sure the dictionary has the " checkbox unchecked.

 

 

Hope that helps,

Andreas

0 Helpful
Customers Also Viewed These Support Documents