|Email Plug-in (Reporting):||1.1.0-129|
|Email Plug-in (Encryption):||1.2.1-151|
We are receiving a bunch of "irsxxxx.doc" attachments with x = random numbers. (example: irs62662.doc)
I've tried setting several filters to strip and quarantine these attachments, but it:
* either doesn't work at all
* strips any attachment with those letters "i" "r" or "s" in them.
I've reviewed the regex expressions in the ESA guide, but apparently am doing something wrong.
I've tried using Dictionary content with "match all words", boundaries with \birs\b, and normal regex expression filters like ^irs$ to no avail.
I don't know if it is a "condition" or "action" issue.
I do have an additional action to log with $MatchedContent.
You should be able to use the condition below, which I've tested successfully within my lab environment. Let me know if that helps. You can then of course use any actions you like.
That condition DOES seem to filter them correctly, but no matter what action variable I set for stripping it, it's not stripping them.
I'm having it duplicate and put in quarantine (works)
I'm having it add "[Warning: Possible Virus]" in header (works)
Trying to strip via "by content" or "by file info" (does not work)
I was able to get the action to work:
"strip attachment by file info" Filename "contains" (?i)irs.*\.doc
Thank you VERY much for your help. It is sincerely appreciated!
You're very welcome! Would have answered your previous question sooner but got tied up on a phone call. I'm glad you got it figured out!
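The patterns tried in this thread, compared against sample attachment names (an added example, not part of the original thread and not Cisco's code). It uses Python's `re` and assumes the filter's "contains" test behaves like an unanchored search; the `tight_assumed` pattern and all filenames are constructed for illustration.

```python
import re

# Patterns quoted in the thread, plus one tighter pattern that is an
# assumption added here (it does not come from the thread).
PATTERNS = {
    "caret_dollar": r"^irs$",               # whole name must be exactly "irs"
    "word_boundary": r"\birs\b",            # needs a non-word char after "s"
    "thread_fix": r"(?i)irs.*\.doc",        # the action pattern that worked
    "tight_assumed": r"(?i)^irs\d+\.doc$",  # "irs" + digits + ".doc" only
}

# Constructed sample attachment names.
SAMPLES = [
    "irs62662.doc",     # the campaign's naming scheme
    "IRS00417.DOC",     # same scheme, upper case
    "irs62662.docx",    # same stem, different extension
    "irs-notice.doc",   # "irs" as a separate word
    "first_draft.doc",  # "irs" hidden inside "first"
    "invoice.doc",      # unrelated
]


def matched_files(pattern, names=SAMPLES):
    """Return the names in which the pattern is found anywhere,
    modelling a 'contains' (unanchored search) filename test."""
    rx = re.compile(pattern)
    return [n for n in names if rx.search(n)]


def report():
    """Map each pattern label to the sample names it would match."""
    return {label: matched_files(p) for label, p in PATTERNS.items()}


if __name__ == "__main__":
    for label, hits in report().items():
        print(f"{label:14} {PATTERNS[label]:22} -> {hits}")
```

`^irs$` and `\birs\b` miss `irs62662.doc` because the digits follow "irs" directly with no word boundary, while the unanchored `irs.*\.doc` also matches names such as `first_draft.doc`.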