
Message filter to drop certain file types

Pravar
Level 1

Hi, 

We are using the following message filter to drop attachments with the listed file names. However, it is not working effectively when they are compressed in zip files. It looks like there is a bug in our OS. So, we want to use attachment-filetype instead of attachment-filename to keep these files from passing through the appliances, without this change bringing in any other issues. Any help is appreciated.

restrict_malicious_filename: if (recv-listener == "Inmx") AND (attachment-filename == "\\.(386|ad|ade|adp|cmd|cnt|com|cpl|crt|csh|der|exe|fxp|gadget|grp|ksh|lib|lnk|mad|maf|mag|mam|maq|mar|mas|mat|mau|mav|maw|mcf|mda|mmsp|mst|nsh|ocx|ops|osd|pcd|pif|psc1|psc2|pst|reg|scf|scr|sct|vbs|vbp|vs|vss|vst|vsw|vxd|ws|wsc|wsf|wsh|xbap|xnk)$") {
    drop();
}

1 Reply

Libin Varghese
Cisco Employee

Hi,

I would recommend working on the existing filter to see why a specific attachment was not caught and confirming it is a defect before changing the filter to attachment-filetype altogether.

Attachment-filetype looks at the fingerprint of the attachment while the attachment-filename only looks at the name irrespective of the type of file. You can choose whichever works best for your requirements.

- Libin V
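
The distinction drawn in the reply above (name match versus content fingerprint), applied to members of a zip attachment. This is an added Python example, not part of the original thread and not the appliance's implementation. The magic-byte table, the size and depth limits, and the sample archive are constructed assumptions, and the extension list is a shortened subset of the one in the question.

```python
import io
import re
import zipfile

# Subset of the extensions from the filter in the question (shortened for the example).
BLOCKED_NAME = re.compile(r"\.(cmd|com|cpl|exe|lnk|pif|reg|scr|vbs|wsf)$", re.I)
# Illustrative magic-byte table (assumption; not the appliance's fingerprint database).
MAGIC = {b"MZ": "exe", b"PK\x03\x04": "zip"}
MAX_MEMBER_SIZE = 10 * 1024 * 1024  # skip oversized members instead of inflating them
MAX_DEPTH = 3                       # bound recursion into nested archives


def fingerprint(data):
    """Classify content by its leading bytes, ignoring the file name."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def scan(name, data, depth=0):
    """Return [(path, reason)] hits for one attachment, descending into zips."""
    hits = []
    if BLOCKED_NAME.search(name):
        hits.append((name, "filename"))
    kind = fingerprint(data)
    if kind == "exe":
        hits.append((name, "filetype"))
    elif kind == "zip":
        if depth >= MAX_DEPTH:
            return hits + [(name, "unscanned")]
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                path = f"{name}/{info.filename}"
                if info.flag_bits & 0x1 or info.file_size > MAX_MEMBER_SIZE:
                    # Encrypted or oversized: content is not inspected, only the name.
                    hits.append((path, "unscanned"))
                    if BLOCKED_NAME.search(info.filename):
                        hits.append((path, "filename"))
                    continue
                hits.extend(scan(path, zf.read(info), depth + 1))
    return hits


def build_sample_zip():
    """Constructed sample archive; the 'MZ' bytes are a stub header, not a program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", b"quarterly numbers")
        zf.writestr("invoice.pdf", b"MZ" + b"\x00" * 62)  # name and content disagree
        zf.writestr("run.vbs", b"' constructed placeholder")
    return buf.getvalue()
```

Calling scan("order.zip", build_sample_zip()) reports invoice.pdf by "filetype" only and run.vbs by "filename" only, which is why a list containing script and shortcut extensions cannot be swapped one-for-one for a fingerprint check.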