Hello,

costacadmins · ‎09-12-2016

We are receiving a bunch of "irsxxxx.doc" attachments with x = random numbers. (example: irs62662.doc)

I've tried setting several filters to strip and quarantine these attachments, but it:

* either doesn't work at all

* strips any attachment with those letters "i" "r" or "s" in them.

I've reviewed the regX expressions in the ESA guide, but apparently am doing something wrong.

I've tried using Dictionary content with "match all words", boundaries with \birs\b, and normal regX expressions filters like ^irs$ to no avail.

I don't know if it is a "condition" or "action" issue.

I do have an additional action to log with $MatchedContent.

Please help!

Thanks!

dmccabej · ‎09-12-2016

Hello,

You should be able to use the condition below, which I've tested successfully within my lab environment. Let me know if that helps. You can then of course you use any actions you like.

Thanks!

-Dennis M.

costacadmins · ‎09-12-2016

Dennis,

That condition DOES seem to filter them correctly, but no matter what action variable I set for stripping it, it's not stripping them.

Actions:

I'm having it duplicate and put in quarantine (works)

I'm having it add "[Warning: Possible Virus]" in header (works)

Trying to strip via "by content" or "by file info" (does not work)

Any advice/ideas?

Thanks

costacadmins · ‎09-12-2016

Dennis,

I was able to get the action to work:

"strip attachment by file info" Filename "contains" (?i)irs.*\.doc

Thank you VERY much for your help. It is sincerely appreciated!

dmccabej · ‎09-12-2016

You're very welcome! Would of answered your previous question sooner but got tied up on a phone call. I'm glad you got it figured out!

Thanks!

-Dennis M.

Trying to filter specific "irsxxx.doc" attachments - not working