03-18-2018 12:21 PM - edited 03-08-2019 07:34 PM
Hi there,
I currently have a successful message filter which scans the attachment, determines if a hyperlink is present that links to an .exe extension, notifies and quarantines.
My issue is that if I name the hyperlink in the attachment it is not detected.
Is this currently supported, and if so, what would be the correct message filter syntax to use?
This is my current filter
remove_exe_urls_from_attachements: if attachment-contains("://\\S*\\.exe(\\s|b|$)")
{
    notify ("xxxx@xxxxx.com");
    quarantine("xxxxx");
}
Thank you
03-18-2018 06:10 PM
Hello,
This filter condition, I suspect, looks for the characters added; in the event this string is present either in a raw text or encoded format, it may trigger.
(Possibly even some false positives may occur, I would imagine.)
In version 11.1 (the GD release is pending) it adds the ability to look for URLs inside attachments with URL filtering.
https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa11-1/ESA_11-1_Release_Notes.pdf
It's still currently on limited deployment but should be available soon for usage if this better fits your criteria.
As at this stage, from my experience, I haven't been able to successfully run filters to look for URLs inside an attachment (one that isn't a raw text-based attachment, looking for a string).
Regards,
Matthew
03-26-2018 12:40 PM
Hi Mathew,
Shortened URLs I have already enabled, although masked URL checking is what I am interested in.
I can successfully check URLs from within an attachment OK, although if masked it would not detect.
Appreciate your time.
Thank you
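An added illustration, not code from this thread or from Cisco, of why a raw-text pattern like the filter above catches a masked link in an HTML attachment but misses the same link in a Word document: in a .docx the hyperlink target lives in a relationships part inside a deflate-compressed zip, so the bytes the filter scans never contain the URL. It assumes the lone "b" in the filter's pattern was meant as a \b word boundary, and it builds its own constructed sample documents; the hyperlink_targets parser shows the check a content-aware scanner would have to make.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Regex form of the filter's attachment-contains pattern; the lone "b" in the
# post is read as an intended \b word boundary (an assumption of this example).
EXE_URL = re.compile(r"://\S*\.exe(\s|\b|$)")
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"

def build_docx(anchor_text, target):
    """Constructed minimal .docx: visible text is anchor_text, target sits in the .rels part."""
    doc = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f'<w:body><w:p><w:hyperlink r:id="rId1"><w:r><w:t>{anchor_text}</w:t></w:r>'
        "</w:hyperlink></w:p></w:body></w:document>"
    )
    rels = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{HYPERLINK_REL}" '
        f'Target="{target}" TargetMode="External"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", doc)
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()

def raw_scan_hits(data):
    """What a plain regex over the attachment bytes sees: fine for HTML or text,
    blind to XML that is deflate-compressed inside an OOXML zip container."""
    return EXE_URL.search(data.decode("latin-1")) is not None

def hyperlink_targets(data):
    """Open the OOXML container and collect every external hyperlink target."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("Type") == HYPERLINK_REL and rel.get("TargetMode") == "External":
                        targets.append(rel.get("Target"))
    return targets

def masked_exe_links(data):
    """Targets the filter's pattern would flag, had it been able to see them."""
    return [t for t in hyperlink_targets(data) if EXE_URL.search(t)]
```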