09-12-2016 09:45 AM
We are receiving a bunch of "irsxxxx.doc" attachments with x = random numbers. (example: irs62662.doc)
I've tried setting several filters to strip and quarantine these attachments, but it:
* either doesn't work at all
* strips any attachment with those letters "i" "r" or "s" in them.
I've reviewed the regex expressions in the ESA guide, but apparently am doing something wrong.
I've tried using Dictionary content with "match all words", boundaries with \birs\b, and normal regex expression filters like ^irs$ to no avail.
I don't know if it is a "condition" or "action" issue.
I do have an additional action to log with $MatchedContent.
Please help!
Thanks!
09-12-2016 10:00 AM
Hello,
You should be able to use the condition below, which I've tested successfully within my lab environment. Let me know if that helps. You can then of course use any actions you like.
Thanks!
-Dennis M.
09-12-2016 11:32 AM
Dennis,
That condition DOES seem to filter them correctly, but no matter what action variable I set for stripping it, it's not stripping them.
Actions:
I'm having it duplicate and put in quarantine (works)
I'm having it add "[Warning: Possible Virus]" in header (works)
Trying to strip via "by content" or "by file info" (does not work)
Any advice/ideas?
Thanks
09-12-2016 11:50 AM
Dennis,
I was able to get the action to work:
"strip attachment by file info" Filename "contains" (?i)irs.*\.doc
Thank you VERY much for your help. It is sincerely appreciated!
09-12-2016 12:17 PM
You're very welcome! Would have answered your previous question sooner but got tied up on a phone call. I'm glad you got it figured out!
Thanks!
-Dennis M.
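The patterns tried in this thread, checked against sample filenames (an added example, not part of the original posts and not ESA code). It assumes Python's `re.search` is a fair stand-in for a "contains" filename match; every filename except `irs62662.doc` is constructed, and the last, tighter pattern is a suggestion that does not appear in the thread.

```python
import re

# Filename -> should the filter strip it?
# Only irs62662.doc comes from the thread; the rest are constructed samples.
SAMPLES = {
    "irs62662.doc": True,
    "IRS00417.doc": True,        # same campaign shape, upper case
    "first_results.doc": False,  # "irs" hides inside "first"
    "irs_form.pdf": False,       # right prefix, wrong extension
    "report.doc": False,
    "invoice.xls": False,
}

PATTERNS = [
    r"^irs$",               # from the thread: only matches the bare string "irs"
    r"\birs\b",             # from the thread: no word boundary between "s" and a digit
    r"(?i)irs.*\.doc",      # from the thread: the pattern that finally stripped the files
    r"(?i)^irs\d+\.doc$",   # assumption: anchored variant for "irs" + digits + ".doc"
]


def evaluate(pattern, samples=SAMPLES):
    """Return (missed, false_hits) for a pattern used as a 'contains' match."""
    rx = re.compile(pattern)
    missed, false_hits = [], []
    for name, should_strip in samples.items():
        hit = rx.search(name) is not None
        if should_strip and not hit:
            missed.append(name)
        elif hit and not should_strip:
            false_hits.append(name)
    return missed, false_hits


if __name__ == "__main__":
    for pattern in PATTERNS:
        missed, false_hits = evaluate(pattern)
        print(f"{pattern!r:26} missed={missed} false_hits={false_hits}")
```

The unanchored pattern catches both target files but also any `.doc` whose name happens to contain "irs"; anchoring and requiring digits removes that false hit on these samples.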