308 Views, 2 Helpful, 5 Replies

Scanning SVG files

j.schoenstein
Level 1

We have received hundreds of infected SVG files and have blocked emails with SVG attachments. We do have two departments who use the files for legitimate reasons, but I don't feel safe allowing them for even a few people if the risk remains high (I've even written a risk acceptance letter in case mgt wants to open it up).
Is there a way to scan SVG files for malicious content (JavaScript, URLs) within CES?

5 Replies

beanand
Cisco Employee

Hello,

CES is capable of scanning attachments such as SVG files, but its ability to detect malicious content within SVG files (e.g., embedded JavaScript, malicious URLs, or other suspicious code) depends on the security features like AMP, URL filters and threat detection mechanisms in place.

CES can block specific file types, such as .svg, using attachment-filename or attachment-filetype filters. This is a strong first line of defense to prevent risky SVG files from entering your organization and an exception/policy can be created for any Legitimate Users (from trusted sources or specific senders).

CES leverages Talos Threat Intelligence, AMP and other tools to scan files. Additionally, you can make use of regex patterns in filters to identify suspicious content.

If any infected SVG file is not detected, it can be shared with Cisco TAC for further analysis. Additionally, you can discuss advanced SVG content scanning capabilities with them for enhanced protection.

Hi,

Could you provide instructions on how to complete this action? Our org is also receiving hundreds of .svg files (currently caught as spoofing).

beanand
Cisco Employee

Hi,

Blocking .svg files can be achieved using attachment-filename or attachment-filetype filters in ESA.
These filters will act as the first line of defense to prevent risky .svg files.

Steps to Block .svg Attachments:
1. Log in to the ESA Portal.
2. Navigate to Content Filters: Go to Mail Policies > Incoming Content Filters.
3. Create a New Filter: Click Add Filter and provide a name (e.g., "Block SVG Attachments").
4. Set the Rule to Block SVG Files:
• Choose Condition: Attachment File Info.
• Enter *.svg to match .svg files.
5. Set the Action:
• Initially perform a Log Entry action ($filtername) and monitor the filter for a certain number of days.
• Then choose Drop or Quarantine as the action for emails containing .svg files if the filter is working as expected.
6. Save the filter and apply it to the appropriate mail policies.

To allow .svg attachments from legitimate users or trusted sources, create an exception or policy for those specific senders.

Steps to Create Exceptions:
1. Go to Mail Policies > Incoming Mail Policies.
2. Identify or Add a Mail Policy: Either edit an existing policy or create a new one for trusted senders.
3. Specify Trusted Senders: Under the Sender field, add the email addresses or domains of trusted users (e.g., user@trustedsource.com or trustedsource.com).
4. Override the Block Rule: Ensure the new mail policy does not apply the SVG blocking content filter for these trusted senders.
5. Save the policy, and ensure it takes precedence over other general policies.

Monitor your email logs and quarantine reports regularly to identify trends in .svg file activity. Adjust policies as needed based on new threats or business requirements.

Enable Advanced Malware Protection (AMP) and ensure that Cisco Talos threat intelligence is active to enhance scanning capabilities for .svg files and other attachments.

I would also add a 'notify' to your security or email team with the original message attached so that you know the rule is being hit. I do this with all new rules to make sure that it's properly defined and not blocking all messages (like a former coworker did).

hawksg2024
Level 1

Continue blocking SVG attachments by default. For business-critical needs, route those files through a controlled, sandboxed process where they can be inspected or sanitized before delivery. I would suggest getting an additional AI-driven email security product for this job. Makes things really easy.
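The original question asks whether SVG attachments can be checked for JavaScript and URLs, and the last reply suggests inspecting or sanitizing them in a controlled process before delivery. The script below is an added example written for this thread; it is not a CES/ESA feature and not code from any poster. It statically inspects an SVG document for script and embedding elements, event-handler attributes, javascript: and external URLs, CSS url()/@import references and DOCTYPE declarations, and maps the result onto a deliver/quarantine verdict that a sanitizing step could act on. The element list, the finding categories and the sample SVG documents are assumptions constructed for illustration.

```python
"""Static inspector for SVG attachments (added example, not part of CES/ESA).

Flags active content in an SVG so a sandboxed review step can reject or
sanitize the file before delivery. Sample documents below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Elements that run code or embed foreign content in a renderer.
# Assumption: a conservative starting list, not an exhaustive one.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
JS_SCHEME = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)
ANY_SCHEME = re.compile(r"^\s*[a-z][a-z0-9+.-]*:", re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # category of the problem
    element: str   # local name of the element it was found on
    detail: str    # short excerpt for the analyst


@dataclass
class Report:
    findings: List[Finding] = field(default_factory=list)
    parse_error: Optional[str] = None

    @property
    def is_suspicious(self) -> bool:
        # A file that does not even parse should not reach a user's viewer either.
        return self.parse_error is not None or bool(self.findings)


def _local(name: str) -> str:
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def _check_css(report: Report, element: str, css: str) -> None:
    """CSS can also pull remote content through url(...) and @import."""
    for m in re.finditer(r"url\(([^)]*)\)", css, re.IGNORECASE):
        target = m.group(1).strip().strip("'\"").strip()
        if not target.startswith("#"):        # same-document references are fine
            report.findings.append(Finding("css-url", element, target[:80]))
    if re.search(r"@import", css, re.IGNORECASE):
        report.findings.append(Finding("css-import", element, "@import rule"))


def inspect_svg(data: bytes) -> Report:
    """Return a Report listing every suspicious construct found in an SVG document."""
    report = Report()
    # Entity tricks need a DOCTYPE; a plain image has no business declaring one.
    if re.search(rb"<!DOCTYPE", data, re.IGNORECASE):
        report.findings.append(Finding("doctype", "-", "DOCTYPE declaration present"))
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        report.parse_error = str(exc)
        return report
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            report.findings.append(Finding("active-element", name, f"<{name}>"))
        if name == "style" and elem.text:
            _check_css(report, name, elem.text)
        for attr, value in elem.attrib.items():
            aname = _local(attr)              # xlink:href arrives namespaced
            if aname.lower().startswith("on"):   # onload, onclick, ...
                report.findings.append(Finding("event-handler", name, f"{aname}={value[:40]!r}"))
            elif aname == "href":
                if JS_SCHEME.match(value):
                    report.findings.append(Finding("script-url", name, value[:40]))
                elif ANY_SCHEME.match(value) and not value.lower().startswith("data:image/"):
                    report.findings.append(Finding("external-url", name, value[:80]))
            elif aname == "style":
                _check_css(report, name, value)
    return report


def verdict(data: bytes) -> str:
    """Map a report onto the two outcomes a mail pipeline needs."""
    return "quarantine" if inspect_svg(data).is_suspicious else "deliver"


# Constructed samples: a plain drawing, and one carrying the constructs we flag.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10" fill="#336699"/>
</svg>"""

SUSPICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>/* constructed sample: script body omitted */</script>
  <a xlink:href="https://example.invalid/page.html"><text onclick="f()">Open</text></a>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(f"{label}: {verdict(doc)}")
        for f in inspect_svg(doc).findings:
            print(f"  [{f.kind}] <{f.element}> {f.detail}")
```

The checker is deliberately strict: anything that parses badly, declares a DOCTYPE, or references a resource outside the document is reported rather than silently passed, because a file that needs those features is not the kind of drawing the two business departments in the question are exchanging. Running it on the two samples yields "deliver" for the plain rectangle and "quarantine" with three findings (script element, external URL, event handler) for the second document.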