
Message filter to drop certain file types

Hi, 

We are using the following message filter to drop attachments with the mentioned file names. However, it is not working effectively when they are compressed in zip files. Looks like there is a bug in our OS. So, we want to use attachment-filetype instead of attachment-filename to restrict these files from passing through the appliances without bringing in any other issues with this change. Any help is appreciated.

restrict_malicious_filename:
if (recv-listener == "Inmx") AND (attachment-filename == "\\.(386|ad|ade|adp|cmd|cnt|com|cpl|crt|csh|der|exe|fxp|gadget|grp|ksh|lib|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mmsp|mst|nsh|ocx|ops|osd|pcd|pif|psc1|psc2|pst|reg|scf|scr|sct|vbs|vbp|vs|vss|vst|vsw|vxd|ws|wsc|wsf|wsh|xbap|xnk)$") {
    drop();
}

Cisco Employee

Hi,

I would recommend working on the existing filter to see why a specific attachment was not caught and confirming it is a defect before changing the filter to attachment-filetype altogether.

Attachment-filetype looks at the fingerprint of the attachment while the attachment-filename only looks at the name irrespective of the type of file. You can choose whichever works best for your requirements.

- Libin V
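
The distinction drawn in the reply above, as an added example that is not part of the original thread and is not Cisco's code: it runs a name check and a content check over an attachment and its zip members. The magic-byte table is a simplified stand-in for the appliance's fingerprinting, and the shortened extension list and the sample archive are constructed for illustration.

```python
import io
import re
import zipfile

# Extension pattern from the filter in the question, shortened to a few entries.
BLOCKED_NAME = re.compile(r"\.(cmd|com|exe|lnk|pif|reg|scr|vbs|wsf)$", re.IGNORECASE)

# Assumption: leading magic bytes stand in for real content fingerprinting.
MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip", b"%PDF": "pdf"}


def fingerprint(data):
    """Return a coarse file type from the leading bytes, or None if unknown."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def inspect(name, data, depth=0):
    """Yield (path, name_hit, type_hit) for an attachment and any zip members."""
    kind = fingerprint(data)
    yield name, bool(BLOCKED_NAME.search(name)), kind == "exe"
    if kind == "zip" and depth < 3:  # bound recursion into nested archives
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    member = f"{name}/{info.filename}"
                    yield from inspect(member, zf.read(info), depth + 1)


def build_sample_zip():
    """Constructed sample: a PE stub with a misleading name, a script, a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60)  # executable header
        zf.writestr("run.vbs", b'WScript.Echo "hello"')           # text, no magic bytes
        zf.writestr("readme.txt", b"nothing to see")
    return buf.getvalue()


def verdicts(name, data):
    """Map each inspected path to (filename_match, filetype_match)."""
    return {path: (n, t) for path, n, t in inspect(name, data)}


if __name__ == "__main__":
    for path, (name_hit, type_hit) in verdicts("docs.zip", build_sample_zip()).items():
        print(f"{path:24} filename={name_hit!s:5} filetype={type_hit}")
```

Script types such as .vbs are plain text with no header to fingerprint, so only the name check flags them, while the renamed executable is flagged only by the content check.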