Multiple Attachment Blocking with detailed logentry

RoBu
Level 1

Hi all,

we are about to develop a filter which matches on many (about 100) file extensions, like *.exe, *.dll, *.png. If this combined filter matches, is there any chance to see which(!) of the extensions matched in the logs? I can't find any suitable action variable for this.

 

For example: an incoming mail has a .exe and a .docx attached. Just the .exe is forbidden, so the logs should tell us:

 

Info: MID 3620012 Custom Log Entry: Multiattach filter matched on .exe (File: evil.exe)

 

Or if multiple matches we would see something like that:

 

Info: MID 3620012 Custom Log Entry: Multiattach filter matched on .exe (File: evil.exe)

Info: MID 3620012 Custom Log Entry: Multiattach filter matched on .dll (File: veryevil.dll)

 

And "no" we don't want to write a separate filter for each extension :)

 

Regards Roman

6 Replies

Mathew Huynh
Cisco Employee

Hey Roman B,

 

I think I have the solution that should help your setup.

On your content/message filter that you have created, use the action of "Add Log Entry" as you already have, but use the Action Variable of $MatchedContent.

Once this is done, try it out :)

Essentially, any condition(s), if there are more, will be logged for you.

 

This $MatchedContent is particularly useful for filename, sender address, header address and plain text type matching on the body contents.

 

Let me know how it goes :).


Cheers,

Matthew

Hi Matthew, first thanks for your answer. I already tried the $MatchedContent action variable, but it doesn't seem to be working:

 

My filter:

IncF-Multi-Attach-Log:
if (attachment-filename == "(?i)\\.jpg$" OR
    attachment-filename == "(?i)\\.png$")
{
    log-entry("$FilterName: found '$MatchedContent'");
}

 

shows just the following logs:

 

Mar  7 07:15:38 Info: MID 3689737 ready 118156 bytes from <xxx@yyy.com>
Mar  7 07:15:38 Info: MID 3689737 attachment 'image50c3af.JPG'
Mar  7 07:15:38 Info: MID 3689737 attachment 'test.png'
Mar  7 07:15:38 Info: MID 3689737 attachment 'test.jpg'
Mar  7 07:15:38 Info: MID 3689737 matched all recipients for per-recipient policy IncP Test-Multiattach in the inbound table
Mar  7 07:15:51 Info: MID 3689737 interim verdict using engine: CASE spam negative
Mar  7 07:15:51 Info: MID 3689737 using engine: CASE spam negative
Mar  7 07:15:51 Info: MID 3689737 interim AV verdict using Sophos CLEAN
Mar  7 07:15:51 Info: MID 3689737 using engine: GRAYMAIL negative
Mar  7 07:15:51 Info: MID 3689737 Custom Log Entry: IncF-Multi-Attach-Log: found ''
Mar  7 07:15:51 Info: MID 3689737 Outbreak Filters: verdict negative
Mar  7 07:15:51 Info: MID 3689737 queued for delivery
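
Added example (editor's note, not Cisco code and not the poster's filter): a small Python helper that does offline what the thread is asking the appliance to do. It reads mail_logs lines, groups the `attachment '...'` entries per MID, applies the same extension regex the filter uses (the `(?i)\.ext$` shape from the filter above, generalised to any list of extensions), and then checks whether the message's `Custom Log Entry` actually names each matching file. Messages where the filter should have hit but the log entry names none of the files are flagged, which is exactly the empty `found ''` symptom seen above. The sample log is constructed from the lines quoted in this thread, trimmed to the relevant ones.

```python
"""Correlate AsyncOS mail_logs 'attachment' lines with the Custom Log Entry
an attachment-extension filter writes, per MID.

Added example, not Cisco code and not the poster's filter.  For each message
it lists which attachment names match a blocked-extension list and flags
messages whose Custom Log Entry names none of them (the empty $MatchedContent
seen on 10.0.x in this thread)."""
import re
from collections import defaultdict

# mail_logs line shapes seen in the thread; the timestamp prefix is ignored.
ATTACHMENT_RE = re.compile(r"\bMID (\d+) attachment '([^']*)'")
CUSTOM_LOG_RE = re.compile(r"\bMID (\d+) Custom Log Entry: (.*)$")


def extension_pattern(extensions):
    """Build one case-insensitive regex equivalent to a list of
    attachment-filename == "(?i)\\.<ext>$" conditions joined with OR."""
    alt = "|".join(re.escape(ext) for ext in extensions)
    return re.compile(rf"\.(?:{alt})$", re.IGNORECASE)


def analyse(log_lines, extensions):
    """Return {mid: {...}} describing expected vs. logged matches per message."""
    pat = extension_pattern(extensions)
    attachments = defaultdict(list)   # MID -> attachment names in log order
    custom_entries = {}               # MID -> text after 'Custom Log Entry: '
    for line in log_lines:
        m = ATTACHMENT_RE.search(line)
        if m:
            attachments[m.group(1)].append(m.group(2))
            continue
        m = CUSTOM_LOG_RE.search(line)
        if m:
            custom_entries[m.group(1)] = m.group(2).strip()

    report = {}
    for mid, names in attachments.items():
        expected = [n for n in names if pat.search(n)]
        entry = custom_entries.get(mid)
        # $MatchedContent, when it works, lists the matching file names verbatim,
        # so a matched name should appear as a substring of the log entry text.
        logged = [n for n in expected if entry is not None and n in entry]
        report[mid] = {
            "attachments": names,
            "expected": expected,
            "logged": logged,
            "custom_entry": entry,
            # True when the filter should have hit but the entry names fewer files
            "entry_missing_matches": bool(expected) and len(logged) < len(expected),
        }
    return report


# Constructed sample: the log lines quoted in this thread, trimmed to the relevant ones.
SAMPLE_LOG = """\
Mar  7 07:15:38 Info: MID 3689737 attachment 'image50c3af.JPG'
Mar  7 07:15:38 Info: MID 3689737 attachment 'test.png'
Mar  7 07:15:38 Info: MID 3689737 attachment 'test.jpg'
Mar  7 07:15:51 Info: MID 3689737 Custom Log Entry: IncF-Multi-Attach-Log: found ''
Wed Mar 7 17:14:12 2018 Info: MID 65102 attachment 'content_filter.png'
Wed Mar 7 17:14:12 2018 Info: MID 65102 attachment 'test.jpg'
Wed Mar 7 17:14:12 2018 Info: MID 65102 Custom Log Entry: Test: test.jpg, content_filter.png
Thu Mar 8 10:10:49 2018 Info: MID 19538 attachment 'test.jpg'
Thu Mar 8 10:10:49 2018 Info: MID 19538 attachment 'content_filter.png'
Thu Mar 8 10:10:49 2018 Info: MID 19538 Custom Log Entry: Attachments Matched:
""".splitlines()

if __name__ == "__main__":
    for mid, info in analyse(SAMPLE_LOG, ("jpg", "png")).items():
        status = "MISSING" if info["entry_missing_matches"] else "ok"
        print(f"MID {mid}: expected {info['expected']} logged {info['logged']} -> {status}")
```

Run it against an exported mail_logs file by replacing `SAMPLE_LOG` with the file's lines and `("jpg", "png")` with the real blocked-extension list; any MID reported as MISSING is one where the appliance matched the filter but the custom log entry did not tell you which file triggered it.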

 

Hello Roman,

 

I am using the below filter and the logs shared are:

(Screenshot of the content filter: content_filter.png)

Logs:

Wed Mar 7 17:12:53 2018 Info: MID 65101 attachment 'content_filter.png'
Wed Mar 7 17:12:53 2018 Info: MID 65101 attachment 'test.jpg'
Wed Mar 7 17:12:53 2018 Info: MID 65101 Custom Log Entry: Test: test.jpg
Wed Mar 7 17:12:53 2018 Info: MID 65101 Outbreak Filters: verdict negative
Wed Mar 7 17:12:53 2018 Info: MID 65101 enqueued for transfer to centralized quarantine "Policy" (content filter matt_test)

 

When I change the condition to AND on the content filter:

---

Wed Mar 7 17:14:12 2018 Info: MID 65102 antivirus negative
Wed Mar 7 17:14:12 2018 Info: MID 65102 using engine: GRAYMAIL negative
Wed Mar 7 17:14:12 2018 Info: MID 65102 attachment 'content_filter.png'
Wed Mar 7 17:14:12 2018 Info: MID 65102 attachment 'test.jpg'
Wed Mar 7 17:14:12 2018 Info: MID 65102 Custom Log Entry: Test: test.jpg, content_filter.png
Wed Mar 7 17:14:12 2018 Info: MID 65102 Outbreak Filters: verdict negative
Wed Mar 7 17:14:12 2018 Info: MID 65102 enqueued for transfer to centralized quarantine "Policy" (content filter matt_test)

--

 

Version: 11.0.1

 

Regards,

Matthew 

 

Hmm, looks like we need an update (10.0.2-020) .... my filters look exactly the same....

I'll come back to this after the update, or could you test it with our old version in your lab?

Hey Roman B.

You are correct - it looks like the older 10.0 releases are not logging it properly.
Thu Mar 8 10:10:49 2018 Info: MID 19538 attachment 'test.jpg'
Thu Mar 8 10:10:49 2018 Info: MID 19538 attachment 'content_filter.png'
Thu Mar 8 10:10:49 2018 Info: MID 19538 matched all recipients for per-recipient policy Matt_Policy in the inbound table
Thu Mar 8 10:10:49 2018 Info: MID 19538 Custom Log Entry: Attachments Matched:
Thu Mar 8 10:10:49 2018 Info: ICID 10882 close
Thu Mar 8 10:10:49 2018 Info: MID 19538 quarantined to "Policy" (content filter:Matt_New_Policy)

Regards,
Matthew

Many thanks Matthew for your tests! I can smell the upcoming update right now :)

-solved-