08-26-2021 02:41 AM
Hello
We need to block nested compressed/archived files in our IronPort,
for example: zip files that include zip files
or zip inside zip inside zip etc ...
what is the way to do this?
we built this content filter but need to complete it to accomplish the mission
I need to add (for example): if the compressed attachment is not nested, then continue to the action below...
08-26-2021 07:32 AM
08-26-2021 08:37 AM - edited 08-26-2021 11:25 AM
I think it is configured as it should be there - with default values
5 recursions and 5MB file size is OK for me.
And just to be clear, even when I put a .txt file within a zip file within another zip file, and created a content filter that blocks .txt files, the file is passed to the end user, which seems to mean that "recursions" in scan behavior is not working as expected....
Also I was reading here:
And found this example:
quarantine_gzipped_exe_or_pif: if (attachment-filename == '(?i)\\.(exe|pif)($|.gz$)') { quarantine("Policy"); }
and modified it to:
if (attachment-filename == '(?i)\\.(zip)($|.zip$)') {
And it blocks any zip file, even if the zip does not include in it a zip file (I mean even if it is not nested zip).
And as I mentioned earlier, we need only to block a .zip or .gz contained within a .zip or .gz.
08-26-2021 11:35 AM
08-26-2021 11:56 AM
that's part of the issue
I created a policy to block txt files, I put a txt file into a zip file, but it did not get blocked.
Even though it is configured with recursion=5.
09-01-2021 07:21 AM
I think you need a filter for a txt file, not for an archive.
Filters are normally triggered even if the file type you are looking for is stored in an archive.
I have tested it with the macro filter. It recognises macros even if they are stored in nested zips.
Create a filter for the txt file you need to recognize.
Send a message with a txt attachment to test. If the filter works, send a message again with a zip which contains the txt from your former message. It should trigger the filter too.
Then put the zip with the txt into another zip and send a message again.
Does it work?
Grz
09-01-2021 11:00 AM
Thanks Stefan
When I tested before it did not work, not sure what happened / changed but now it works without the filter.
But that only solved 50% of my original case, because I am also looking for triggering zip into zip even if I permit txt files.
So let's say for example I don't want to block txt files, but I do want to trigger the zip-into-zip situation even if it has an acceptable file in it; I want to block it.
I was examining this situation along with Cisco support and they told me there is a regex context that solves half of the problem, if a gz file was in a zip file, or a zip in a gz:
“if (attachment-filename == '(?i)\\.(zip)($|.gz$)')”
This works, but this regex will never work as it will block every zip file even if it was not into another zip file:
“if (attachment-filename == '(?i)\\.(zip)($|.zip$)')”
And for this they asked for an enhancement request.
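The following is an added example, not code from the thread, from Cisco, or from the ESA filter language. It demonstrates two things discussed above: Stefan's three-step test (a bare txt, a zip of the txt, a zip of that zip) and the nesting check the last post is asking for, where a zip or gz inside a zip or gz is blocked regardless of what the innermost file is. It also shows, as a plain Python regex, why the filename pattern quoted from the thread fires on every zip: in `($|.zip$)` the `$` branch is satisfied by any name that simply ends in ".zip". The detector inspects archive content by magic bytes and structure rather than by filename, since the sender controls the name. The names `archive_depth`, `should_block`, `build_nested_zip`, `build_gz` and the 5-layer / 5 MB limits (taken from the values mentioned in the thread) are assumptions of this example; nothing here describes how the ESA itself unpacks attachments or what filename it exposes for inner members.

```python
import gzip
import io
import re
import zipfile

# Policy limits for this example; the values mirror the "5 recursions / 5MB"
# defaults mentioned in the thread (assumption: they are not taken from the ESA).
MAX_RECURSION = 5
MAX_BYTES = 5 * 1024 * 1024
GZIP_MAGIC = b"\x1f\x8b"


class UnscannableArchive(Exception):
    """Raised when an attachment cannot be fully inspected: too deep, too big, or corrupt."""


def _is_zip(data: bytes) -> bool:
    return zipfile.is_zipfile(io.BytesIO(data))


def _is_gzip(data: bytes) -> bool:
    # Detect by magic bytes, not by filename: the attacker chooses the filename.
    return data[:2] == GZIP_MAGIC


def archive_depth(data: bytes, limit: int = MAX_RECURSION, _level: int = 0) -> int:
    """Return how many archive layers wrap the innermost non-archive content.

    0 = not an archive, 1 = plain zip/gz, 2 = zip (or gz) inside zip (or gz), ...
    Raises UnscannableArchive when more than `limit` layers would have to be
    opened, a layer exceeds MAX_BYTES, or a layer is corrupt, so the caller
    can fail closed instead of silently passing the attachment.
    """
    if not (_is_zip(data) or _is_gzip(data)):
        return 0  # plain file (e.g. the .txt): contributes no layer
    if _level >= limit:
        raise UnscannableArchive(f"more than {limit} nested archive layers")
    if len(data) > MAX_BYTES:
        raise UnscannableArchive("archive layer exceeds size limit")
    try:
        if _is_zip(data):
            deepest_child = 0
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    if info.file_size > MAX_BYTES:  # declared size; guards against obvious bombs
                        raise UnscannableArchive(f"{info.filename} too large to unpack")
                    child = archive_depth(zf.read(info), limit, _level + 1)
                    deepest_child = max(deepest_child, child)
            return 1 + deepest_child
        # gzip wraps exactly one member, so recurse straight into it
        return 1 + archive_depth(gzip.decompress(data), limit, _level + 1)
    except (zipfile.BadZipFile, OSError, EOFError) as exc:
        raise UnscannableArchive(f"corrupt archive layer: {exc}") from exc


def should_block(data: bytes, limit: int = MAX_RECURSION) -> bool:
    """Block any archive that contains another archive, whatever the inner file
    type is (the unsolved half of the thread), and block anything that could not
    be fully inspected."""
    try:
        return archive_depth(data, limit) >= 2
    except UnscannableArchive:
        return True


# The thread's filename pattern as a Python regex, after the filter string's
# doubled backslash has been consumed. The `$` branch matches any name that
# merely ends in ".zip", so a plain zip hits it too.
THREAD_REGEX = re.compile(r"(?i)\.(zip)($|.zip$)")


def filename_regex_hits(name: str) -> bool:
    return THREAD_REGEX.search(name) is not None


def build_nested_zip(depth: int, payload: bytes = b"hello", inner_name: str = "note.txt"):
    """Constructed test attachment: `payload` wrapped in `depth` zip layers
    (depth=1 is a plain zip of the txt, depth=2 is zip inside zip, ...)."""
    name, data = inner_name, payload
    for level in range(depth):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        name, data = f"level{level + 1}.zip", buf.getvalue()
    return name, data


def build_gz(data: bytes) -> bytes:
    """Constructed test attachment: `data` wrapped in a single gzip layer."""
    return gzip.compress(data)


if __name__ == "__main__":
    for depth in (1, 2, 3):
        name, blob = build_nested_zip(depth)
        verdict = "block" if should_block(blob) else "allow"
        print(f"{name}: {depth} zip layer(s), detected depth {archive_depth(blob)}, {verdict}")
    print("plain.zip hits the thread regex:", filename_regex_hits("plain.zip"))
```

Run as-is it walks Stefan's sequence and prints a verdict per layer; only the plain zip of the txt is allowed. The regex part makes the thread's observation reproducible locally before spending another support round on it, and the fail-closed behaviour on the recursion limit is the policy choice worth confirming in whatever product enforces the real filter.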