Thanks Matthew and Guillaume

Anshul Sinha · ‎12-23-2014

I am trying to strip an .scr attachment which is under compressed file .cab. I have written below filter, but its not resulting out to be effective

Strip_Encrypt_Attachment_MF3: if (recv-listener == "ExternalMail") AND (attachment-filetype == "cab") {
drop-attachments-by-name(".scr$", "cfy");
}

Where am i doing wrong?

Guillaume BARBEROT · ‎03-26-2015

hi

i think .cab files are not opened by ESA to scan inside for filetypes

see this thread for tests : https://supportforums.cisco.com/discussion/12410751/esa-scanning-executables-inside-different-archive-types

and this one for cisco feedback on archive types not handeled by filetype tests ( .7z for exemple) : https://supportforums.cisco.com/discussion/12434801/content-filter-block-attachment-scrcab-etc-not-working-inside-archive

regards

Guillaume

/Note : Please Rate usefull posts/

Mathew Huynh · ‎03-26-2015

Hello Anshul,

Your filter itself is not incorrect in terms of Syntax but as Guillaume has point out.

Currently the ESA is not supporting the unpacking/decompressing of .cab (and .7z) files thus it cannot detect that .scr inside the .cab attachment.

As a interim, we would suggest quarantining emails that contains .cab filename for verification by administrator if deemed safe.

There is currently an enhancement request going on for this -> CSCus86222

At this point its still under review.

Thanks,

Matthew

Anshul Sinha · ‎03-27-2015

Thanks Matthew and Guillaume

The explanation helped.

Message Filter not giving results