Questions on attachment in IronPort scanning

pbabu6001
Level 1

Please answer the questions below:

  1. Does IronPort un-compress the file?
  2. How many layers does it un-compress? (If I compress an already compressed file, will it un-compress to the original layer?)
  3. Is there a max size restriction on the uncompressed file size (where IronPort won't deliver the email if the original file size is over XXX MB)? How do I find the maximum uncompressed file size limit?

I know the "Maximum Message size limit". Are the two related?

Thank you!

Libin Varghese
Cisco Employee

I do not think the ESA needs to un-compress files; it looks into the contents of archives as they are, though.

Maximum depth of scanning is configured under the Scan Behavior configuration.

Enter the maximum depth of attachment recursion to scan:
[5]>

Enter the maximum size of attachment to scan:
[5242880]>

Regards,

Libin Varghese

Could you please let me know the command to see the Scan Behavior configuration of IronPort?

Also, I ran the scanconfig command and got the results below:

There are currently 5 attachment type mappings configured to be SKIPPED.

Choose the operation you want to perform:
- NEW - Add a new entry.
- DELETE - Remove an entry.
- SETUP - Configure scanning behavior.
- IMPORT - Load mappings from a file.
- EXPORT - Save mappings to a file.
- PRINT - Display the list.
- CLEAR - Remove all entries.
- SMIME - Configure S/MIME unpacking.
[]> PRINT

1. Fingerprint   Image
2. Fingerprint   Media
3. MIME Type     audio/*
4. MIME Type     image/*
5. MIME Type     video/*

What does it mean?

If I create a content filter to block .mp4 extension emails, how does it work with scanconfig?

Many thanks!

scanconfig followed by "setup" should show you the current configuration.

As for content filters, attachment filename and filetype conditions are available for you to test with.

Since mp4 files are not archives, the scan behavior would mostly control just the maximum scan size for the file.

- Libin V

Thanks for that. Could you please answer the question below:

Which file extensions come under the "Executables" file type? Please find the attachment for reference.

Commonly known executable file types are listed in the same drop down under Executables.

A comprehensive list for the same would not be available since a lot of files may have executable content embedded in them and still trigger the condition.

- Libin

Enter the maximum size of attachment to scan:
[5242880]>

What is the unit of this number? B / KB / MB / GB

Thanks,

Libin Varghese
Cisco Employee

The number alone is in bytes; you can see this in the UI as well, along with how K and M can be used.

Regards,

Libin
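
Added example (not part of the original thread and not Cisco code): a Python script for checking a test attachment against the two Scan Behavior values quoted in the replies above, a recursion depth of 5 and a scan size of 5242880 bytes. The thread does not say how the ESA counts layers, so the script assumes the outermost archive is layer 1; it handles ZIP only, and all function names are hypothetical.

```python
import io
import zipfile

MAX_DEPTH = 5        # "maximum depth of attachment recursion to scan" value shown in the thread
MAX_SIZE = 5242880   # "maximum size of attachment to scan", in bytes (5 MiB)
HARD_STOP = 20       # this script's own recursion cap, so a hostile archive cannot run it forever


def build_nested_zip(layers, payload=b"constructed sample payload\n"):
    """Constructed test input: wrap `payload` in `layers` ZIP layers."""
    data, name = payload, "payload.txt"
    for i in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{i + 1}.zip"
    return data


def measure(data, depth=1):
    """Return (deepest archive layer, largest declared uncompressed member size)."""
    deepest, largest = depth, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            largest = max(largest, info.file_size)  # size declared in the ZIP header
            if info.file_size > MAX_SIZE or depth >= HARD_STOP:
                continue  # never expand oversized or too-deep members
            member = zf.read(info)
            if zipfile.is_zipfile(io.BytesIO(member)):
                d, s = measure(member, depth + 1)
                deepest, largest = max(deepest, d), max(largest, s)
    return deepest, largest


def check(data):
    """Compare one attachment against the two limits (assumed counting: outer archive = layer 1)."""
    depth, largest = measure(data)
    return {"layers": depth, "largest_member_bytes": largest,
            "within_depth": depth <= MAX_DEPTH,
            "within_size": len(data) <= MAX_SIZE and largest <= MAX_SIZE}


if __name__ == "__main__":
    for layers in (1, 5, 6):
        print(layers, check(build_nested_zip(layers)))
    big = build_nested_zip(2, payload=b"\0" * (MAX_SIZE + 1))
    print("oversized inner file:", check(big))
```

The last case shows why the attachment size on the wire and the size after expansion need separate checks: the constructed archive is a few kilobytes as sent, while the file inside it is one byte over the scan limit.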